SURICATA STREAM 3way handshake wrong seq wrong ack
-
Hi people,
I'm getting a lot of these messages in Suricata logs, "SURICATA STREAM 3way handshake wrong seq wrong ack", mostly affecting 1e100.net, a domain of Google, and at the same time I get a lot of errors with Gmail services. How can I whitelist this domain on Suricata?
Thanks.
-
You could simply suppress or disable that rule - all that I have seen suggests it generates far more false positives than "good catches". That is what I did on my system.
If you want to "whitelist" that domain realize that it will be a large and diverse set of IP numbers and Suricata does not allow/process FQDNs in Pass Lists. One trick I have used successfully with other domains is to put the domain into the alias list. The firewall will look up the IP addresses in DNS and put them into a table you can then view under Diagnostics-Tables. I simply put those IPs or ranges into the alias that I associate with my Pass List. Google's setup is a little different, so I didn't try that trick with it - I simply suppressed (or disabled) the rule.
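Before suppressing, it helps to see how much of the signature's volume actually goes to the addresses you resolved for the alias. The script below is an added example, not code from the poster or the Suricata project: it reads eve.json alert records (the standard `alert` object with `gid`, `signature_id` and `signature`), counts destinations per signature, and drafts `threshold.config` `suppress` lines scoped to those networks instead of disabling the rule globally. The SID used is a placeholder (look up the real one in `stream-events.rules` on your sensor), and the eve.json lines and network ranges are constructed sample data.

```python
"""Summarize Suricata eve.json alerts and draft threshold.config suppress entries.

Added example for this thread; not the poster's or the Suricata project's code.
Assumes eve.json 'alert' records carrying the standard alert object. The SID is a
placeholder; the log lines and networks below are constructed, not real traffic.
"""
import ipaddress
import json
from collections import Counter, defaultdict

PLACEHOLDER_SID = 9999999        # placeholder: replace with the real sid from stream-events.rules
OTHER_PLACEHOLDER_SID = 9999998  # placeholder for an unrelated signature in the sample
SIG_3WHS = "SURICATA STREAM 3way handshake wrong seq wrong ack"

def _alert(src, dst, sid, sig):
    return json.dumps({"event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "alert": {"gid": 1, "signature_id": sid, "signature": sig}})

# Constructed sample eve.json (one JSON record per line); the flow record is skipped.
SAMPLE_EVE = "\n".join([
    _alert("192.0.2.10", "203.0.113.5", PLACEHOLDER_SID, SIG_3WHS),
    _alert("192.0.2.11", "203.0.113.5", PLACEHOLDER_SID, SIG_3WHS),
    _alert("192.0.2.12", "203.0.113.7", PLACEHOLDER_SID, SIG_3WHS),
    _alert("192.0.2.13", "198.51.100.9", OTHER_PLACEHOLDER_SID, "constructed other signature"),
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.10", "dest_ip": "203.0.113.5"}),
])

def iter_alerts(text):
    """Yield (gid, sid, signature, dest_ip) for every alert record in eve.json text."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        yield a["gid"], a["signature_id"], a["signature"], rec["dest_ip"]

def summarize(text):
    """Return {(gid, sid, signature): Counter(dest_ip)}.

    Seeing which destinations dominate a signature tells you whether a scoped
    suppress is enough or whether the rule is noise everywhere and should be disabled.
    """
    by_sig = defaultdict(Counter)
    for gid, sid, sig, dst in iter_alerts(text):
        by_sig[(gid, sid, sig)][dst] += 1
    return dict(by_sig)

def share_in_networks(dest_counts, networks):
    """Fraction of a signature's alerts whose destination falls inside the given CIDRs."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    total = sum(dest_counts.values())
    if total == 0:
        return 0.0
    inside = sum(c for ip, c in dest_counts.items()
                 if any(ipaddress.ip_address(ip) in n for n in nets))
    return inside / total

def suppress_lines(gid, sid, networks, track="by_dst"):
    """Draft threshold.config 'suppress' entries, one per CIDR taken from the alias table."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track {track}, "
            f"ip {ipaddress.ip_network(n, strict=False)}"
            for n in networks]

if __name__ == "__main__":
    # Constructed stand-in for the ranges the firewall resolved into the alias table.
    alias_networks = ["203.0.113.0/24"]
    summary = summarize(SAMPLE_EVE)
    for (gid, sid, sig), dests in summary.items():
        print(f"{sig} (sid {sid}): {sum(dests.values())} alerts, "
              f"{share_in_networks(dests, alias_networks):.0%} to alias networks")
    for line in suppress_lines(1, PLACEHOLDER_SID, alias_networks):
        print(line)
```

The `suppress` lines go into Suricata's `threshold.config`; `track by_dst` keeps the signature active for every destination outside the resolved ranges, so you only lose visibility where the alias says the traffic is expected. Re-run the summary after the alias refreshes, since the resolved address set for a large provider changes over time.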
-
Thanks, yes, the best solution is to disable that rule.