Invalid Timestamp Alert flooding logs?
-
I just turned on Suricata to start learning to use it. It is currently only running as an IDS, someday when I get this all figured out I'll finally turn on the IPS functionality.
I'm using it on three interfaces: one WAN and two VPN gateways.
On the VPNs I get a ton of TCP alerts for:
02/11/2017 08:17:27  Pri: 3  Proto: TCP  Class: Generic Protocol Command Decode  Src: xxx.xxx.xxx.xxx:19975  Dst: 173.194.162.10:443  GID:SID: 1:2210044  SURICATA STREAM Packet with invalid timestamp

I don't see a rule "2210044" in the rule sets, or any "221xxxx" rules. Are these preprocessors?
I am using checksum offloading on my NICs so I looked in the yaml template file and checksum-validation is already set to no.
How can I further search for what is causing this alert? And if necessary can I disable or suppress a rule that isn't listed in the rule sets safely?
Any help is greatly appreciated!
-
FWIW, I've been able to figure out that this entry is coming from my Chromecast when it is streaming video.
-
Anyone have any feedback on this?
-
Disable the rule that's flooding your logs with useless junk. Done.
-
I don't see a rule "2210044" in the rule sets
I don't see a matching rule in the rulesets to turn off; how do I turn it off?
-
Better glasses, perhaps? In stream-events.rules :P
Or use SID Mgmt., much easier than clicking in the rules - and while there, I'd recommend disabling the entire stream-events.rules category; it produces so many FPs that it's just a waste of time.
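Added example (not from any poster in this thread): a small Python script that answers the first post's "how can I further search for what is causing this alert?" and this answer's "suppress it by SID" advice. It parses Suricata's fast.log format, counts alerts per signature and per source/destination pair (so the noisy host, the Chromecast in this thread, stands out), and emits a `suppress` line in the syntax Suricata's threshold.config accepts, which silences one SID for one host rather than the whole category. The log lines are constructed for this example; 192.0.2.10 and 192.0.2.77 stand in for the masked xxx.xxx.xxx.xxx source, and SID 1000001 is a made-up local-range signature used only to show that other alerts are counted separately.

```python
import re
from collections import Counter

# Constructed sample of Suricata fast.log output (not from the original post).
# 192.0.2.10 / 192.0.2.77 stand in for the masked source; SID 1000001 is a
# hypothetical local-range rule included only to show separate counting.
SAMPLE_FAST_LOG = """\
02/11/2017-08:17:27.104001  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:19975 -> 173.194.162.10:443
02/11/2017-08:17:27.204915  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:19975 -> 173.194.162.10:443
02/11/2017-08:17:28.001230  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:19976 -> 173.194.162.10:443
02/11/2017-08:18:02.550000  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.77:51234 -> 198.51.100.9:443
02/11/2017-08:19:11.000000  [**] [1:1000001:1] LOCAL constructed test alert [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.77:51235 -> 198.51.100.9:443
"""

# One fast.log record: timestamp, [gid:sid:rev], message, optional classification,
# priority, {proto}, src:port -> dst:port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def summarize_by_sid(alerts):
    """Count alerts per (gid, sid, msg) so the signature flooding the log surfaces first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def sources_for_sid(alerts, sid):
    """For one signature, count src -> dst pairs; this is what points at the offending host."""
    return Counter((a["src"], a["dst"]) for a in alerts if a["sid"] == sid)


def suppress_line(sid, ip, gid=1, track="by_src"):
    """Build a threshold.config entry that suppresses one SID for one host only.

    Suricata syntax: suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <addr>
    This is narrower than disabling the rule: other hosts still raise the alert.
    """
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print("alerts per signature:")
    for (gid, sid, msg), n in summarize_by_sid(alerts).most_common():
        print(f"  {n:4d}  {gid}:{sid}  {msg}")
    noisiest_sid = summarize_by_sid(alerts).most_common(1)[0][0][1]
    print(f"\nsrc -> dst pairs for SID {noisiest_sid}:")
    for (src, dst), n in sources_for_sid(alerts, noisiest_sid).most_common():
        print(f"  {n:4d}  {src} -> {dst}")
    top_src = sources_for_sid(alerts, noisiest_sid).most_common(1)[0][0][0]
    print("\nthreshold.config entry to silence it for that host only:")
    print("  " + suppress_line(noisiest_sid, top_src))
```

Run it against a real fast.log by reading the file instead of `SAMPLE_FAST_LOG`. If the per-source breakdown shows one internal address producing nearly all of the hits, a per-host `suppress` keeps the stream-event signature active for everything else; disabling the whole stream-events.rules category, as suggested above, is the broader option.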
-
Awesome, got it. Thank you!