[Oisf-users] Suricata goes wild with SURICATA STREAM alerts

Peter Manev petermanev at gmail.com
Tue Jul 12 20:58:46 UTC 2016


On Tue, Jul 12, 2016 at 10:42 PM, Marius <wishinet at gmail.com> wrote:
> For reference, here is my NIC init script.
> The linked wiki page mentions that issues like this can be related to the
> NIC queues and a changed packet order.
> Would it be safe to ignore these rules then?
>
>
> ethtool -K enp17s0f1 tso off
> ethtool -K enp17s0f1 gro off
> ethtool -K enp17s0f1 ufo off
> ethtool -K enp17s0f1 lro off
> ethtool -K enp17s0f1 gso off
> ethtool -K enp17s0f1 rx off
> ethtool -K enp17s0f1 tx off
> ethtool -K enp17s0f1 sg off
> ethtool -K enp17s0f1 rxvlan off
> ethtool -K enp17s0f1 txvlan off
> ethtool -N enp17s0f1 rx-flow-hash udp4 sdfn
> ethtool -N enp17s0f1 rx-flow-hash udp6 sdfn
> ethtool -C enp17s0f1 rx-usecs 1 rx-frames 0
> ethtool -C enp17s0f1 adaptive-rx off
> ethtool -L enp17s0f1 combined 1
>
>
> ethtool -l enp17s0f1
> Channel parameters for enp17s0f1:
> Pre-set maximums:
> RX:             0
> TX:             0
> Other:          1
> Combined:       63
> Current hardware settings:
> RX:             0
> TX:             0
> Other:          1
> Combined:       1
>
> modinfo ixgbe
> filename:
> /lib/modules/4.0.5-gentoo/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
> version:        4.0.1-k
>
> NIC is:
> Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection
>
>

Can you share the last update in your stats.log
and suricata.log with verbose output?
(On pastebin or similar if you prefer.)

>
> On 12 July 2016 at 20:16, Marius <mciepluch at web.de> wrote:
>>
>> I'm on 4.0.5-gentoo.
>>
>>
>> On 12 July 2016 at 20:01, Victor Julien <lists at inliniac.net> wrote:
>>>
>>> On 12-07-16 21:55, Cooper F. Nelson wrote:
>>> > What kernel version are you using?
>>> >
>>> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS
>>> > implementation.  I was seeing those issues and reverting to the 4.1
>>> > release fixed it.
>>>
>>> That bug is still there; it's fixed in kernel 4.7rc7 and hopefully the
>>> fix will be backported to stable kernels.
>>>
>>> This post may be helpful as well
>>>
>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture
>>>
>>>
>>> >
>>> > -Coop
>>> >
>>> > On 7/12/2016 12:46 PM, Marius wrote:
>>> >> The rules that indicate an error are mostly stream engine related:
>>> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification:
>>> >> (null)]
>>> >> SURICATA STREAM ESTABLISHED packet out of window
>>> >> SURICATA STREAM ESTABLISHED invalid ack
>>> >> SURICATA STREAM Packet with invalid ack
>>> >> SURICATA STREAM FIN invalid ack
>>> >
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Support:
>>> > http://suricata-ids.org/support/
>>> > List:
>>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> > Suricata User Conference November 9-11 in Washington, DC:
>>> > http://oisfevents.net
>>> >
>>>
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>
>
>



-- 
Regards,
Peter Manev
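An added example, not code from the thread or the Suricata project: a POSIX shell audit that parses `ethtool -k` and `ethtool -l` output and reports any offload still enabled or more than one combined queue, the two conditions the init script quoted above is meant to rule out. The interface name comes from the thread; the sample ethtool outputs are constructed.

```shell
# Added example, not from the thread: check a capture NIC against the state the
# init script above aims for (all offloads off, one combined queue). Samples are constructed.
OFFLOADS="tcp-segmentation-offload generic-receive-offload udp-fragmentation-offload \
large-receive-offload generic-segmentation-offload rx-checksumming tx-checksumming \
scatter-gather rx-vlan-offload tx-vlan-offload"   # ethtool -k names for the -K flags

# stdin: `ethtool -k IFACE`. Prints top-level OFFLOADS features still "on";
# indented sub-features and "[fixed]" notes are ignored.
offloads_still_on() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        /^[^[:space:]]/ && $1 ~ /:$/ && $2 == "on" && (substr($1, 1, length($1) - 1) in ok) {
            print substr($1, 1, length($1) - 1) }'
}

# stdin: `ethtool -l IFACE`. Prints the Combined count under "Current hardware
# settings"; more than 1 lets RSS split a flow across queues and reorder it.
combined_queues() {
    awk '/^Current hardware settings/ { cur = 1 }
         cur && $1 == "Combined:" { print $2; exit }'
}

# audit_nic K_OUTPUT L_OUTPUT: returns 0 if the NIC matches the target, else 1 with findings.
audit_nic() {
    rc=0
    for f in $(printf '%s\n' "$1" | offloads_still_on); do
        echo "offload still enabled: $f"; rc=1
    done
    q=$(printf '%s\n' "$2" | combined_queues)
    [ "${q:-0}" -gt 1 ] && { echo "combined queues: $q (expected 1)"; rc=1; }
    return $rc
}

# Constructed samples: GOOD_* mirror the thread's settings, BAD_* a default NIC.
GOOD_K='rx-checksumming: off
tx-checksumming: off [fixed]
	tx-checksum-ipv4: off
generic-receive-offload: off'
BAD_K='rx-checksumming: on [fixed]
generic-receive-offload: on
	rx-gro-hw: off
large-receive-offload: off'
GOOD_L='Pre-set maximums:
Combined:       63
Current hardware settings:
Combined:       1'
BAD_L='Current hardware settings:
Combined:       4'
```

On a live sensor, run `audit_nic "$(ethtool -k enp17s0f1)" "$(ethtool -l enp17s0f1)"` after the init script and before comparing stats.log counters, so capture-side reordering is ruled out first.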