Discussion on Suricata Messages
-
Hi All. I am new to Suricata and IDS in general. Before, I ran a Unifi USG that handled threat management, though probably not too well, but I didn't have to do anything with it. With Suricata, I have been running it for a couple of weeks and I wanted to start trying to get rid of false positives.
One I am seeing a lot is:
SURICATA Applayer Detect protocol only one direction
One of the posts on this says: 'It means that it is able to detect the protocol for only one direction of a flow. I would investigate and see what are these flows in question.' Is this something caused by Stunnel? Does it mean it is seeing non-encrypted traffic somewhere?
It is coming from a Blue Iris server I have running. The server is running the built-in web server BI has, but I have it wrapped in Stunnel with a signed certificate.
I just can't tell what that message means and if it is something I should keep or toss.
Thanks!
-
You may be hitting this bug I found posted over on the upstream Suricata Redmine site: https://redmine.openinfosecfoundation.org/issues/5247. Suricata is a multithreaded application, and thus has some special logic for handling flows in a multithreaded environment. Sometimes that special logic fails, though, at assigning a flow to the correct thread. So if the logic gets confused and assigns part of the flow conversation to one thread, but the other part of the flow conversation to another thread, you could then see this error.
But remember those applayer rules are just informational. One triggering does not automatically mean "malware" is present. They are finding and alerting on abnormalities in traffic flow. However, the rules can misfire or may even be buggy sometimes.
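To do the "investigate and see what these flows are" step from the first post, and to scope a suppression to just the one host once you are satisfied it is the stunnel-wrapped Blue Iris server, the following is an added example (my own code, not from this thread and not part of Suricata). It reads Suricata's EVE JSON log (eve.json), keeps only alert records for this signature, groups them by destination, and builds a threshold.config suppress entry for a chosen destination. It assumes the EVE alert records carry src_ip, dest_ip, dest_port, alert.gid, alert.signature_id and app_proto, and that, as recent Suricata versions do when the two directions were detected differently, they also carry app_proto_ts and app_proto_tc. The sample log lines are constructed; the hosts, ports and the signature_id in them are assumptions, not real captures from the poster's network.

```python
"""Triage 'SURICATA Applayer Detect protocol only one direction' hits in eve.json.

Added example for this thread, not Suricata's own code. Run it against a real
log with: python3 triage.py /var/log/suricata/eve.json
"""
import json
import sys
from collections import Counter

SIGNATURE = "SURICATA Applayer Detect protocol only one direction"


def _rec(event_type, src, dst, dport, sig=None, sid=None, **extra):
    """Build one constructed EVE JSON line in the shape Suricata writes."""
    rec = {"timestamp": "2023-01-01T10:00:00.000000+0000", "event_type": event_type,
           "src_ip": src, "src_port": 51822, "dest_ip": dst, "dest_port": dport,
           "proto": "TCP"}
    if sig:
        rec["alert"] = {"gid": 1, "signature_id": sid, "signature": sig,
                        "category": "Generic Protocol Command Decode", "severity": 3}
    rec.update(extra)
    return json.dumps(rec)


# Constructed sample log (assumed addresses/ports): 192.168.1.50:443 stands in for
# the stunnel-wrapped Blue Iris web server. The signature_id 2260002 is the one
# shipped in Suricata's app-layer-events.rules; verify against your own rule file.
SAMPLE_EVE = "\n".join([
    _rec("alert", "192.168.1.20", "192.168.1.50", 443, SIGNATURE, 2260002,
         app_proto="tls", app_proto_ts="tls", app_proto_tc="failed"),
    _rec("alert", "192.168.1.21", "192.168.1.50", 443, SIGNATURE, 2260002,
         app_proto="tls", app_proto_ts="tls", app_proto_tc="failed"),
    _rec("alert", "192.168.1.20", "192.168.1.50", 443, SIGNATURE, 2260002,
         app_proto="tls"),                       # older versions omit the per-direction fields
    _rec("alert", "192.168.1.20", "192.168.1.50", 443,
         "constructed: unrelated alert", 9000001, app_proto="tls"),
    _rec("flow", "192.168.1.20", "192.168.1.50", 443, app_proto="tls"),
    _rec("alert", "192.168.1.22", "192.168.1.60", 8443, SIGNATURE, 2260002,
         app_proto="http", app_proto_ts="http", app_proto_tc="failed"),
    "not json at all",                           # torn line while Suricata is still writing
    "",
])


def parse_alerts(text, signature=SIGNATURE):
    """Return only the alert records for the given signature, skipping everything else."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and rec.get("alert", {}).get("signature") == signature:
            hits.append(rec)
    return hits


def summarise(alerts):
    """Group hits by (dest_ip, dest_port) so the noisy server stands out.

    'directions' counts (app_proto_ts, app_proto_tc) pairs; ("tls", "failed") means the
    client->server side was recognised as TLS but the server->client side never was,
    which is exactly the one-direction condition the rule fires on.
    """
    out = {}
    for a in alerts:
        key = (a["dest_ip"], a["dest_port"])
        entry = out.setdefault(key, {"count": 0, "sources": set(),
                                     "directions": Counter(), "sids": set()})
        entry["count"] += 1
        entry["sources"].add(a["src_ip"])
        entry["sids"].add((a["alert"]["gid"], a["alert"]["signature_id"]))
        entry["directions"][(a.get("app_proto_ts", "?"), a.get("app_proto_tc", "?"))] += 1
    return out


def suppress_lines(summary, dest_ip):
    """threshold.config entries that silence this rule only for traffic to dest_ip.

    Format: 'suppress gen_id <gid>, sig_id <sid>, track by_dst, ip <ip>'. The gid/sid
    come from the alerts themselves rather than being hard-coded.
    """
    sids = set()
    for (ip, _port), entry in summary.items():
        if ip == dest_ip:
            sids |= entry["sids"]
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dest_ip}"
            for gid, sid in sorted(sids)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    summary = summarise(parse_alerts(text))
    for (ip, port), e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}:{port}  hits={e['count']}  sources={sorted(e['sources'])}  "
              f"directions={dict(e['directions'])}")
    if summary:
        top_ip = max(summary, key=lambda k: summary[k]["count"])[0]
        print("\n".join(suppress_lines(summary, top_ip)))
```

Suppressing with `track by_dst, ip <server>` keeps the rule live for every other host, so a genuinely odd one-sided flow elsewhere on the network still alerts; if the only hits are to the stunnel port and the directions column consistently shows the server-to-client side as "failed", that matches the thread-assignment explanation above rather than cleartext leaking out of the server.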