[Oisf-users] flow detection occasionally reversed

Mike Tancsa mike at sentex.net
Fri Nov 22 00:55:17 UTC 2019 

On 11/21/2019 5:08 PM, mike tancsa wrote:
> I am trying to deploy suricata on a somewhat busy box (low bandwidth,
> many packets) with many tun interfaces on a FreeBSD releng12 box.  Right
> from the start, I was getting a lot of
>
> alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED SYNACK
> resend with different ACK";
> stream-event:est_synack_resend_with_different_ack;
> classtype:protocol-command-decode; sid:2210023; rev:2;)
>
> looking at the flow records, it seems suricata has the direction
> reversed-- it thinks the src is the dst and vice versa.  I have many

I think this was just a configuration typo on my part. In the start up
config, I had an interface defined twice.

While stopping the engine, I noticed the following in the logs

1/11/2019 -- 19:31:58 - <Notice> - Signal Received.  Stopping engine.
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun93':  pkts: 290561,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun92':  pkts: 61159,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun93':  pkts: 0, drop: 0
(nan%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun91':  pkts: 181312,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun94':  pkts: 13914,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun95':  pkts: 13931,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun96':  pkts: 11148,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun90':  pkts: 43891,
drop: 0 (0.00%), invalid chksum: 0
21/11/2019 -- 19:31:59 - <Notice> - Stats for 'tun97':  pkts: 39946,
drop: 0 (0.00%), invalid chksum: 0

tun93 was the interface throwing the reversed direction issue which also
had that extra stats line.

Restarted and I am not seeing the alert.  Sorry for the noise.

    ---Mike



-- 
-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada

More information about the Oisf-users mailing list