[Oisf-users] Suricata goes wild with SURICATA STREAM alerts

Marius wishinet at gmail.com
Tue Jul 12 21:53:51 UTC 2016


Sure.

* here is the verbose suricata.log http://pastebin.com/WSWe0xac
* here is the stats.log from a 5 minute run https://drive.google.com/file/d/0BwyhoK4VyctFRy11elNQTWVvWmM/view


The STREAM alerts do not start immediately. But the frequency is >300
STREAM alerts per second, so that I cannot run the sensor with these rules.

Best,
Marius



On 12 July 2016 at 20:58, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Jul 12, 2016 at 10:42 PM, Marius <wishinet at gmail.com> wrote:
> > For reference here is my NIC init script.
> > The linked wiki page mentions that issues like this can be related to the
> > NIC queues and a changed packet order.
> > Would it be safe to ignore these rules then?
> >
> >
> > ethtool -K enp17s0f1 tso off
> > ethtool -K enp17s0f1 gro off
> > ethtool -K enp17s0f1 ufo off
> > ethtool -K enp17s0f1 lro off
> > ethtool -K enp17s0f1 gso off
> > ethtool -K enp17s0f1 rx off
> > ethtool -K enp17s0f1 tx off
> > ethtool -K enp17s0f1 sg off
> > ethtool -K enp17s0f1 rxvlan off
> > ethtool -K enp17s0f1 txvlan off
> > ethtool -N enp17s0f1 rx-flow-hash udp4 sdfn
> > ethtool -N enp17s0f1 rx-flow-hash udp6 sdfn
> > ethtool -C enp17s0f1 rx-usecs 1 rx-frames 0
> > ethtool -C enp17s0f1 adaptive-rx off
> > ethtool -L enp17s0f1 combined 1
> >
> >
> > ethtool -l enp17s0f1
> > Channel parameters for enp17s0f1:
> > Pre-set maximums:
> > RX:             0
> > TX:             0
> > Other:          1
> > Combined:       63
> > Current hardware settings:
> > RX:             0
> > TX:             0
> > Other:          1
> > Combined:       1
> >
> > modinfo ixgbe
> > filename:       /lib/modules/4.0.5-gentoo/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
> > version:        4.0.1-k
> >
> > NIC is:
> > Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection
> >
> >
>
> Can you share the last update in your stats.log
> and suricata.log with verbose output.
> (on pastebin or similar if you prefer)
>
> >
> > On 12 July 2016 at 20:16, Marius <mciepluch at web.de> wrote:
> >>
> >> I'm on 4.0.5-gentoo.
> >>
> >>
> >> On 12 July 2016 at 20:01, Victor Julien <lists at inliniac.net> wrote:
> >>>
> >>> On 12-07-16 21:55, Cooper F. Nelson wrote:
> >>> > What kernel version are you using?
> >>> >
> >>> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS
> >>> > implementation.  I was seeing those issues and reverting to the 4.1
> >>> > release fixed it.
> >>>
> >>> That bug is still there, it's fixed in kernel 4.7rc7 and hopefully the
> >>> fix will be backported to stable kernels.
> >>>
> >>> This post may be helpful as well
> >>>
> >>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture
> >>>
> >>>
> >>> >
> >>> > -Coop
> >>> >
> >>> > On 7/12/2016 12:46 PM, Marius wrote:
> >>> >> The rules, which indicate an error, are mostly stream engine related:
> >>> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification: (null)]
> >>> >> SURICATA STREAM ESTABLISHED packet out of window
> >>> >> SURICATA STREAM ESTABLISHED invalid ack
> >>> >> SURICATA STREAM Packet with invalid ack
> >>> >> SURICATA STREAM FIN invalid ack
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> > Site: http://suricata-ids.org | Support:
> >>> > http://suricata-ids.org/support/
> >>> > List:
> >>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>> > Suricata User Conference November 9-11 in Washington, DC:
> >>> > http://oisfevents.net
> >>> >
> >>>
> >>>
> >>> --
> >>> ---------------------------------------------
> >>> Victor Julien
> >>> http://www.inliniac.net/
> >>> PGP: http://www.inliniac.net/victorjulien.asc
> >>> ---------------------------------------------
> >>>
> >>
> >>
> >
>
>
>
> --
> Regards,
> Peter Manev
>
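As an added example (not from the thread or from the Suricata project), a small POSIX shell script for the two things an operator chasing this symptom wants to verify offline: that the offloads the ethtool init script above turns off (tso, gro, gso, lro, ufo) really read "off" in `ethtool -k` output, and how many "SURICATA STREAM" alerts land in a single second of fast.log. Both sample inputs are constructed, the sid values are placeholders, and the -K-flag-to-feature-name mapping is assumed from ethtool's naming.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks for the symptom
# discussed above: (1) from `ethtool -k <iface>` output, list offloads that
# the init script turns off but are still on; (2) from fast.log lines, find
# the peak per-second count of "SURICATA STREAM" alerts (Marius sees >300/s).
# Both sample inputs below are constructed for the example, not real data.

# ethtool -k feature names for the -K flags tso, gro, gso, lro, ufo
# (mapping assumed from ethtool's own naming).
WANT_OFF="tcp-segmentation-offload generic-receive-offload generic-segmentation-offload large-receive-offload udp-fragmentation-offload"

# offloads_still_on "<ethtool -k output>": prints offending features, exit 1 if any
offloads_still_on() {
    printf '%s\n' "$1" | awk -v want="$WANT_OFF" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        # feature lines look like "generic-receive-offload: on" (maybe "[fixed]")
        /:/ { f = $1; sub(/:$/, "", f); if ((f in need) && $2 == "on") { print f; bad = 1 } }
        END { exit (bad ? 1 : 0) }'
}

# peak_stream_alert_rate "<fast.log text>": prints the highest number of
# STREAM alerts seen within any single second (0 if none)
peak_stream_alert_rate() {
    printf '%s\n' "$1" | awk '
        # fast.log lines start "MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ..."
        /SURICATA STREAM/ { c[substr($1, 1, 19)]++ }
        END { max = 0; for (s in c) if (c[s] > max) max = c[s]; print max }'
}

# Constructed ethtool -k output: GRO was left on.
SAMPLE_ETHTOOL='Features for enp17s0f1:
rx-checksumming: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
udp-fragmentation-offload: off'

# Constructed fast.log: 3 STREAM alerts in 21:40:01, 1 in 21:40:02 (placeholder sids).
SAMPLE_FASTLOG='07/12/2016-21:40:01.000123  [**] [1:1000001:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:443 -> 10.0.0.9:51000
07/12/2016-21:40:01.000456  [**] [1:1000002:1] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:443 -> 10.0.0.9:51000
07/12/2016-21:40:01.000789  [**] [1:1000003:1] SURICATA STREAM FIN invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:51000 -> 10.0.0.5:443
07/12/2016-21:40:01.000999  [**] [1:1000004:1] CONSTRUCTED non-stream alert [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:51001 -> 10.0.0.5:80
07/12/2016-21:40:02.000111  [**] [1:1000005:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:443 -> 10.0.0.9:51000'

# Stand-alone run: report both findings.
offloads_still_on "$SAMPLE_ETHTOOL" || echo "offloads above are still on; reassembly may see merged or reordered segments"
echo "peak STREAM alerts in one second: $(peak_stream_alert_rate "$SAMPLE_FASTLOG")"
```

On a live sensor, feed `ethtool -k enp17s0f1` and the real fast.log into the two functions instead of the constructed samples.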