Invalid Timestamp Alert flooding logs?


  • Banned

    I just turned on Suricata to start learning to use it. It is currently only running as an IDS, someday when I get this all figured out I'll finally turn on the IPS functionality.

    I'm using it on three interfaces, one WAN and two VPN gateways.

    On the VPNs I get a ton of TCP alerts for:

    02/11/2017 08:17:27  Priority 3  TCP  Generic Protocol Command Decode  xxx.xxx.xxx.xxx:19975 -> 173.194.162.10:443  1:2210044  SURICATA STREAM Packet with invalid timestamp

    I don't see a rule "2210044" in the rule sets, or any "221xxxx" rules, are these preprocessors?

    I am using checksum offloading on my NICs so I looked in the yaml template file and checksum-validation is already set to no.

    How can I further search for what is causing this alert? And if necessary can I disable or suppress a rule that isn't listed in the rule sets safely?

    Any help is greatly appreciated!


  • Banned

    FWIW, I've been able to figure out that this entry is coming from my Chromecast when it is streaming video.


  • Banned

    Anyone have any feedback on this?


  • Banned

    Disable the rule that's flooding your logs with useless junk. Done.


  • Banned

    @pfBasic:

    I don't see a rule "2210044" in the rule sets

    I don't see a matching rule in the rulesets to turn off, how do I turn it off?


  • Banned

    Better glasses, perhaps? In stream-events.rules :P

    Or use SID Mgmt., much easier than clicking in the rules - and while there, I'd recommend to disable the entire stream-events.rules category, it produces so many FPs that it's just a waste of time.
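    The two questions in the thread (what is causing the alert, and how to turn it off safely) are easier to answer with numbers than by scrolling the GUI. The script below is an added example, not code from the forum thread, Suricata or pfSense: it parses Suricata's fast.log format, counts alerts per GID:SID to find the flooder, counts the source hosts behind that SID, and then prints the two ways to quiet it. The threshold.config `suppress ... track by_src, ip ...` syntax is real Suricata syntax and is the narrower fix (the rule still fires for every other host); the `gid:sid` disablesid entry is the format I assume pfSense's SID Mgmt accepts for turning the rule off everywhere. The log lines, addresses and counts are constructed sample data.

```python
"""Triage a noisy Suricata alert from fast.log and emit suppress/disable entries.

Added example for the thread above; not from Suricata, pfSense or the posters.
"""
import re
from collections import Counter

# Suricata fast.log line layout (IPv4). Addresses, ports and counts are constructed.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample: three alerts from the streaming device (.50), one from another
# LAN host (.77), and one unrelated rule hit that we would NOT want to lose.
SAMPLE_FAST_LOG = """\
02/11/2017-08:17:27.001122  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.2.50:19975 -> 173.194.162.10:443
02/11/2017-08:17:28.003344  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.2.50:19976 -> 173.194.162.10:443
02/11/2017-08:17:29.005566  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.2.50:19977 -> 173.194.162.10:443
02/11/2017-08:17:30.007788  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.2.77:51002 -> 173.194.162.10:443
02/11/2017-08:18:01.009900  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.2.20:40312
"""


def parse_fast_log(text):
    """Return one dict per parseable fast.log line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def count_by_sid(alerts):
    """Alert volume per (gid, sid). The top entry is what is flooding the log."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def sources_for_sid(alerts, gid, sid):
    """Which hosts trigger a given signature, most frequent first."""
    return Counter(a["src"] for a in alerts if a["gid"] == gid and a["sid"] == sid)


def suppress_lines(alerts, gid, sid, min_hits=2):
    """threshold.config 'suppress' entries scoped to the hosts that actually cause the noise.

    Narrower than disabling the signature: Suricata keeps alerting on gid:sid for
    any other source. Hosts with fewer than min_hits alerts are left alone so a
    single stray hit does not earn a permanent exception.
    """
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
        for ip, n in sources_for_sid(alerts, gid, sid).most_common()
        if n >= min_hits
    ]


def disablesid_line(gid, sid):
    """Entry for a pfSense SID Mgmt disablesid list (assumed 'gid:sid' format): rule off everywhere."""
    return f"{gid}:{sid}"


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    (gid, sid), hits = count_by_sid(alerts).most_common(1)[0]
    print(f"noisiest signature: {gid}:{sid} ({hits} alerts)")
    for ip, n in sources_for_sid(alerts, gid, sid).most_common():
        print(f"  {ip}: {n}")
    print("threshold.config (narrow fix):")
    for line in suppress_lines(alerts, gid, sid):
        print("  " + line)
    print("disablesid entry (broad fix): " + disablesid_line(gid, sid))
```

    Run against a real fast.log by replacing `SAMPLE_FAST_LOG` with the file contents. In the sample, only 192.168.2.50 earns a suppress line, while the single hit from .77 and the unrelated 1:2100498 alert are untouched, which is the point of suppressing by source before reaching for the category-wide disable.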


  • Banned

    Awesome, got it. Thank you!