[Oisf-users] flow detection occasionally reversed

mike tancsa mike at sentex.net
Thu Nov 21 22:08:20 UTC 2019

I am trying to deploy suricata on a somewhat busy box (low bandwidth,
many packets) with many tun interfaces on a FreeBSD releng12 box.  Right
from the start, I was getting a lot of

alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK resend with different ACK"; classtype:protocol-command-decode; sid:2210023; rev:2;)

Looking at the flow records, it seems suricata has the direction
reversed -- it thinks the src is the dst and vice versa.  I have many
clients always initiating a connection out to a handful of servers, never
the other way around.  But when suricata records the bogus flow record,
it also generates the above alert.

Is there something I should be tuning in the "Stream engine settings"?
This is 5.0.0-rc1 RELEASE running in SYSTEM mode on FreeBSD r352386
(source from mid Sept). I have it bound to 10 interfaces (all tun).  It's
non-netmap mode since the interfaces are tun interfaces.  The stats don't
show any dropped packets.

Any suggestions on tuning? Build info below.

This is Suricata version 5.0.0-rc1 RELEASE
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581), C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.31, linked against LibHTP v0.5.31

Suricata Configuration:
  AF_PACKET support:                       no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            yes
  Netmap support:                          yes > v13
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/local/bin/rustc
  Rust compiler version:                   rustc 1.39.0
  Cargo path:                              /usr/local/bin/cargo
  Cargo version:                           cargo 1.39.0

  Python support:                          yes
  Python path:                             /usr/local/bin/python3.6
  Python version:                          Python 3.6.9
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /var
  --datarootdir                            /usr/local/share

  Host:                                    amd64-portbld-freebsd12.0
  Compiler:                                cc (exec name) / clang (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -O2 -pipe -fstack-protector-strong -fno-strict-aliasing  -DOS_FREEBSD
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

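A small audit script, added here as an example and not part of the original post or of the Suricata project, that quantifies the symptom described above from Suricata's eve.json output: it counts flow records whose initiator is one of the known server addresses (which, per the post, never initiate), and checks how many of the sid 2210023 "SYNACK resend with different ACK" alerts land on exactly those reversed flows. The eve.json field names (event_type, src_ip, dest_ip, src_port, dest_port, proto, alert.signature_id) are the standard Suricata ones; the address ranges and the sample log lines are constructed placeholders and must be replaced with the real client and server networks.

```python
import json
import sys
from ipaddress import ip_address, ip_network

# Suricata's built-in sid for the alert quoted in the post.
SYNACK_RESEND_SID = 2210023

# Assumed topology (placeholders): tun clients only ever initiate,
# servers only ever accept.  Replace with the real ranges.
CLIENT_NETS = [ip_network("10.8.0.0/24")]
SERVER_NETS = [ip_network("192.0.2.0/24")]

# Constructed eve.json lines for a stand-alone run; not real log data.
# The second flow is recorded with the server as initiator, and the
# sid 2210023 alert shares its 5-tuple.
SAMPLE_EVE = """\
{"timestamp":"2019-11-21T21:59:01.000000+0000","event_type":"flow","src_ip":"10.8.0.14","src_port":51344,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10,"state":"closed"}}
{"timestamp":"2019-11-21T21:59:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","src_port":443,"dest_ip":"10.8.0.22","dest_port":40212,"proto":"TCP","flow":{"pkts_toserver":9,"pkts_toclient":11,"state":"closed"}}
{"timestamp":"2019-11-21T21:59:02.100000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":443,"dest_ip":"10.8.0.22","dest_port":40212,"proto":"TCP","alert":{"signature_id":2210023,"rev":2,"signature":"SURICATA STREAM ESTABLISHED SYNACK resend with different ACK"}}
{"timestamp":"2019-11-21T21:59:03.000000+0000","event_type":"flow","src_ip":"10.8.0.31","src_port":50001,"dest_ip":"192.0.2.11","dest_port":8443,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4,"state":"closed"}}
"""


def _in_nets(addr, nets):
    """True if the textual address falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def _five_tuple(ev):
    """Orientation-preserving key shared by flow and alert records."""
    return (ev.get("proto"), ev.get("src_ip"), ev.get("src_port"),
            ev.get("dest_ip"), ev.get("dest_port"))


def audit_flows(lines, server_nets, client_nets, sid=SYNACK_RESEND_SID):
    """Scan eve.json lines and report reversed flows and correlated alerts.

    A flow is 'reversed' when Suricata logged a server address as src_ip
    and a client address as dest_ip, i.e. the server appears to have
    initiated.  Alerts are collected first and correlated afterwards,
    because the flow record is written at flow end, after any alert.
    """
    flows = 0
    reversed_keys = set()
    alert_keys = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a truncated line from a rotated log
        etype = ev.get("event_type")
        if etype == "flow":
            flows += 1
            if (_in_nets(ev["src_ip"], server_nets)
                    and _in_nets(ev["dest_ip"], client_nets)):
                reversed_keys.add(_five_tuple(ev))
        elif etype == "alert" and ev.get("alert", {}).get("signature_id") == sid:
            alert_keys.append(_five_tuple(ev))

    on_reversed = sum(1 for key in alert_keys if key in reversed_keys)
    return {
        "flows": flows,
        "reversed": len(reversed_keys),
        "reversed_pct": round(100.0 * len(reversed_keys) / flows, 1) if flows else 0.0,
        "synack_alerts": len(alert_keys),
        "synack_alerts_on_reversed": on_reversed,
        "reversed_examples": sorted(reversed_keys)[:10],
    }


if __name__ == "__main__":
    # Usage: python audit_flows.py /var/log/suricata/eve.json
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = audit_flows(fh, SERVER_NETS, CLIENT_NETS)
    else:
        report = audit_flows(SAMPLE_EVE.splitlines(), SERVER_NETS, CLIENT_NETS)
    print(json.dumps(report, indent=2))
```

If nearly every sid 2210023 alert sits on a reversed flow, the alert is a symptom of the direction problem rather than of hostile traffic, and the figure gives a before/after measurement for any stream-engine or capture-method change.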