[Oisf-users] Question about Suricata Stream alerts

Andreas Herz andi at geekosphere.org
Mon May 2 22:01:36 UTC 2016


On 28/04/16 at 10:57, C. L. Martinez wrote:
> Hi all,
> 
>  I am doing some tests with Suricata 3.0.1 in a KVM guest (FreeBSD 10.3) and I am receiving alerts like this:
> 
> 04/28/2016-10:11:41.046712  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.047621  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.088376  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.089728  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.089737  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.090450  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.091623  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.091631  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.092677  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.127861  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.127870  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.127876  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.129864  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.166793  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.168247  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 04/28/2016-10:11:41.168252  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
> 04/28/2016-10:11:41.168834  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
> 
>  I think I have done some misconfiguration on my tc rules or with suricata config. To do this port mirroring, I am using rules like these ones:
> 
> $tc qdisc add dev $m ingress
> $tc filter add dev $m parent ffff: protocol all u32 match u8 0 0 action mirred egress mirror dev idsif
> $tc qdisc add dev $m handle 1: root prio
> $tc filter add dev $m parent 1: protocol all u32 match u8 0 0 action mirred egress mirror dev idsif
> 
>  "$m" is the physical bridge inside KVM host. I am doing port mirroring for three internal bridges: prodif, vpnif and wapif. But I am not doing port mirroring for the external bridge: extif. (idsif is the destination bridge where all traffic is mirrored).
> 
>  I have changed mtu to 1514 for these three bridges (and in idsif bridge also) and I have disabled "rx tx sg tso ufo gso gro lro" via ethtool for all bridges.
> 
>  But I think that suricata doesn't "see" the full packet ... Am I right??

You could try to capture the packets with another tool like tcpdump and
see if you receive all packets or if you're already missing some.
It might also be worth dumping the ones with invalid timestamps and
looking into them.

-- 
Andreas Herz
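Following Andreas's suggestion to look more closely at the alerts, here is an added triage helper (my own code, not from the thread or the Suricata project) that parses fast.log lines in the format quoted in the question and summarizes the stream alerts per TCP flow, so you can see whether both directions of a session produce the noise and over what time span. The sample lines are constructed from the ones in the question; the SID list defaults to the two signatures seen there.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, shaped like the fast.log lines quoted in the question.
SAMPLE_FASTLOG = """\
04/28/2016-10:11:41.046712  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.088376  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.089737  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
"""

FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification: (?P<cls>.*?)\]\s+"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

def parse_fastlog(text):
    """Parse fast.log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        events.append(ev)
    return events

def flow_key(ev):
    """Direction-independent key so both halves of a TCP session land in one bucket."""
    a = (ev["src"], int(ev["sport"]))
    b = (ev["dst"], int(ev["dport"]))
    return tuple(sorted([a, b]))

def summarize_stream_alerts(events, stream_sids=("2210021", "2210044")):
    """Per flow: count of each stream SID and the duration of the alert burst in seconds."""
    per_flow = defaultdict(lambda: {"sids": Counter(), "first": None, "last": None})
    for ev in events:
        if ev["sid"] not in stream_sids:
            continue
        f = per_flow[flow_key(ev)]
        f["sids"][ev["sid"]] += 1
        f["first"] = ev["time"] if f["first"] is None else min(f["first"], ev["time"])
        f["last"] = ev["time"] if f["last"] is None else max(f["last"], ev["time"])
    return {k: {"sids": dict(v["sids"]), "span_s": (v["last"] - v["first"]).total_seconds()}
            for k, v in per_flow.items()}
```

A flow whose alerts alternate between the two directions within a few milliseconds, as in the quoted log, is a hint that the sensor's view of the session is inconsistent rather than that the endpoints are misbehaving, which is what the tcpdump comparison Andreas proposes would confirm or rule out.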

