[Oisf-users] Suricata goes wild with SURICATA STREAM alerts

Marius wishinet at gmail.com
Tue Jul 12 20:42:38 UTC 2016


For reference, here is my NIC init script.
The linked wiki page mentions that issues like this can be related to the
NIC queues and a changed packet order.
Would it be safe to ignore these rules then?


ethtool -K enp17s0f1 tso off
ethtool -K enp17s0f1 gro off
ethtool -K enp17s0f1 ufo off
ethtool -K enp17s0f1 lro off
ethtool -K enp17s0f1 gso off
ethtool -K enp17s0f1 rx off
ethtool -K enp17s0f1 tx off
ethtool -K enp17s0f1 sg off
ethtool -K enp17s0f1 rxvlan off
ethtool -K enp17s0f1 txvlan off
ethtool -N enp17s0f1 rx-flow-hash udp4 sdfn
ethtool -N enp17s0f1 rx-flow-hash udp6 sdfn
ethtool -C enp17s0f1 rx-usecs 1 rx-frames 0
ethtool -C enp17s0f1 adaptive-rx off
ethtool -L enp17s0f1 combined 1


ethtool -l enp17s0f1
Channel parameters for enp17s0f1:
Pre-set maximums:
RX:             0
TX:             0
Other:          1
Combined:       63
Current hardware settings:
RX:             0
TX:             0
Other:          1
Combined:       1

modinfo ixgbe
filename:       /lib/modules/4.0.5-gentoo/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
version:        4.0.1-k

NIC is:
Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection



On 12 July 2016 at 20:16, Marius <mciepluch at web.de> wrote:

> I'm on 4.0.5-gentoo.
>
>
> On 12 July 2016 at 20:01, Victor Julien <lists at inliniac.net> wrote:
>
>> On 12-07-16 21:55, Cooper F. Nelson wrote:
>> > What kernel version are you using?
>> >
>> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS
>> > implementation.  I was seeing those issues and reverting to the 4.1
>> > release fixed it.
>>
>> That bug is still there, it's fixed in kernel 4.7rc7 and hopefully the
>> fix will be backported to stable kernels.
>>
>> This post may be helpful as well
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture
>>
>>
>> >
>> > -Coop
>> >
>> > On 7/12/2016 12:46 PM, Marius wrote:
>> >> The rules, which indicate an error, are mostly stream engine related:
>> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification: (null)]
>> >> SURICATA STREAM ESTABLISHED packet out of window
>> >> SURICATA STREAM ESTABLISHED invalid ack
>> >> SURICATA STREAM Packet with invalid ack
>> >> SURICATA STREAM FIN invalid ack
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>> >
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>
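Added example, not from the thread or the Suricata project: a POSIX shell audit that parses "ethtool -k" and "ethtool -l" output to confirm that the offload features the init script above disables are really off and that the interface is pinned to a single combined queue, which is the condition under which one RX queue sees both directions of a flow in order. The ethtool output it runs against is constructed sample text, so it executes without a NIC.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ethtool state the init
# script above is meant to produce, by parsing ethtool's own output.
# Long names as printed by `ethtool -k` for: tso gro ufo lro gso rx tx sg rxvlan txvlan
WANT_OFF="tcp-segmentation-offload generic-receive-offload udp-fragmentation-offload
large-receive-offload generic-segmentation-offload rx-checksumming tx-checksumming
scatter-gather rx-vlan-offload tx-vlan-offload"

# check_offloads: reads `ethtool -k` output on stdin and prints each feature
# from WANT_OFF that is still "on". Returns 0 if all are off, 1 otherwise.
check_offloads() {
    input=$(cat)
    rc=0
    for f in $WANT_OFF; do
        state=$(printf '%s\n' "$input" | awk -v k="$f:" '$1 == k { print $2 }')
        if [ "$state" = "on" ]; then
            echo "offload still enabled: $f"
            rc=1
        fi
    done
    return $rc
}

# combined_queues: reads `ethtool -l` output on stdin and prints the Combined
# count from "Current hardware settings", not from "Pre-set maximums".
combined_queues() {
    awk '/^Current hardware settings/ { cur = 1 }
         cur && $1 == "Combined:" { print $2; exit }'
}

# Constructed sample output: GRO was left on, the queue count is already 1.
SAMPLE_K='rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off'
SAMPLE_L='Channel parameters for enp17s0f1:
Pre-set maximums:
Combined:       63
Current hardware settings:
Combined:       1'

printf '%s\n' "$SAMPLE_K" | check_offloads || echo "-> re-run the ethtool -K lines"
echo "combined queues: $(printf '%s\n' "$SAMPLE_L" | combined_queues)"
```

Against a live interface, pipe the real output the same way: ethtool -k enp17s0f1 | check_offloads and ethtool -l enp17s0f1 | combined_queues.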