Suricata STREAM alerts

  • I'm getting a lot of SURICATA STREAM alerts. These are related to the stream-events.rules file. Looking through the alert logs, I see iOS devices are primarily responsible, particularly iPhones (more so than iPads).

    I was disabling the rules one-by-one as they occurred but they keep coming. So I put into disabledsid.conf:


    This disables the entire TCP stream engine rules.

    • Is there something valuable in the TCP stream engine rules that I should be concerned about keeping?

    • Anyone else seeing this behavior?

  • Banned

    you can just disable the whole category, there are plenty of posts on here suggesting exactly that.

  • An IDS/IPS assumes that all applications (and thus software developers) follow all the standards for networking, so when the IDS/IPS sees something that looks amiss it will alert on it.  Unfortunately that assumption about all applications (and developers) solidly adhering to all published networking standards is a pipe dream… ;)

    The downside for IT Security Admins is we get flooded with spurious alerts that we have to spend time investigating.  The STREAM alerts are about as worthless in Suricata as the HTTP_INSPECT alerts in Snort.  What I mean by that blanket statement is there are so many false positives from both of those that they are both nearly worthless.  Most IT Security Admins will disable the majority, if not all, of these rules.


Log in to reply