Suricata false positives



  • Hello, I'm new to IDS systems and recently I installed the Suricata package on my pfSense. I configured it to inspect WAN packets as this firewall is behind a router and with only one computer on the LAN interface (home use). My configuration is something like this:

    ISP --- Router (provided by ISP) --- WiFi WPA/WPA2 link --- WAN interface (150 Mbps PCI card) --- pfSense stateful firewall --- LAN (PCI card) --- Ethernet cable --- Computer

    I get these two alerts from Suricata very frequently with normal web surfing:

    1:2210050  SURICATA STREAM reassembly overlap with different data

    1:2210054  SURICATA STREAM excessive retransmissions

    IPs associated with these alerts (from what I found out with Google) are from Google search, YouTube, newspapers, etc.

    But it's always the same two alerts, with different IPs.

    Are these false positives? How can I find out?

    Or could this be some sort of man-on-the-side attack?

    Thanks in advance,

    Jami
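
One way to approach the "How can I find out?" question with data rather than guesswork is to group the alerts by signature and count how many distinct remote hosts each one fires on. The script below is an added example for this thread, not code from the original post or from the Suricata or pfSense projects. It parses Suricata fast.log lines (the same layout Suricata writes by default), picks the non-RFC1918 side of each flow as the remote peer, and applies a simple heuristic: a stream-engine event ("SURICATA STREAM ...") that recurs across many unrelated peers, with no content signatures firing, is characteristic of a lossy link (retransmissions, overlapping segments), whereas the same event pinned to a single peer, or any non-stream signature, deserves a look at the actual flow. The sample log lines, the signature id 9000001, and the thresholds `min_peers` and `max_top_share` are constructed for the example.

```python
"""Triage Suricata fast.log alerts by signature and remote peer.

Added example for this forum thread; not code from the original post or from
the Suricata/pfSense projects. Assumptions: fast.log layout as written by
Suricata, IPv4 endpoints, and RFC1918 ranges as "local".
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in fast.log layout (documentation-range addresses).
# SID 9000001 is a constructed placeholder standing in for any content rule.
SAMPLE_FAST_LOG = """\
02/03/2018-10:15:01.123456  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:443 -> 192.168.1.20:51234
02/03/2018-10:15:07.654321  [**] [1:2210050:1] SURICATA STREAM reassembly overlap with different data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.20:51240
02/03/2018-10:16:12.000001  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:443 -> 192.168.1.20:51240
02/03/2018-10:17:45.222222  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.55:80 -> 192.168.1.20:51301
02/03/2018-10:18:03.333333  [**] [1:2210050:1] SURICATA STREAM reassembly overlap with different data [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.55:80 -> 192.168.1.20:51301
02/03/2018-10:20:00.444444  [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.10:443 -> 192.168.1.20:51410
02/03/2018-10:21:30.555555  [**] [1:9000001:1] EXAMPLE constructed content signature [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:51500
"""

# fast.log line: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port"
# IPv4 endpoints only; IPv6 lines are skipped by this regex.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# RFC1918 ranges treated as the home LAN side of every flow (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fast_log(text):
    """Parse fast.log text into alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            alert = m.groupdict()
            alert["sid"] = int(alert["sid"])
            alerts.append(alert)
    return alerts


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def remote_peer(alert):
    """The non-local side of the flow; if both sides are local (or both remote), use src."""
    if is_local(alert["src"]) and not is_local(alert["dst"]):
        return alert["dst"]
    return alert["src"]


def summarize(alerts):
    """Group alerts by (sid, msg): total count plus per-remote-peer counts."""
    summary = defaultdict(lambda: {"count": 0, "peers": defaultdict(int)})
    for a in alerts:
        entry = summary[(a["sid"], a["msg"])]
        entry["count"] += 1
        entry["peers"][remote_peer(a)] += 1
    return dict(summary)


def triage(summary, min_peers=2, max_top_share=0.6):
    """Map sid -> verdict. Thresholds are heuristic assumptions, not Suricata defaults."""
    verdicts = {}
    for (sid, msg), entry in summary.items():
        top_share = max(entry["peers"].values()) / entry["count"]
        if msg.startswith("SURICATA STREAM"):
            if len(entry["peers"]) >= min_peers and top_share <= max_top_share:
                verdicts[sid] = "link-noise-likely"        # same stream event, unrelated peers
            else:
                verdicts[sid] = "single-peer-stream-event"  # concentrated on one host: inspect that flow
        else:
            verdicts[sid] = "signature-review"              # a content/policy rule fired: review it
    return verdicts


def report(text):
    """Human-readable summary of one fast.log blob."""
    summary = summarize(parse_fast_log(text))
    verdicts = triage(summary)
    lines = []
    for (sid, msg), entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{sid} {msg}: {entry['count']} alerts, {len(entry['peers'])} remote peers -> {verdicts[sid]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FAST_LOG))
```

Run it against your own `/var/log/suricata/<interface>/fast.log` by replacing `SAMPLE_FAST_LOG` with the file contents. The verdict is only a sorting aid: a "link-noise-likely" result tells you the two stream events are spread across whatever sites you happened to browse, which matches a flaky WAN link far better than a targeted injection, while anything else in the list is what to open in a pcap.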



  • If you do a Google search for those two Suricata messages (and I assume maybe you already have and that's why you are asking about MOTS, or Man-on-the-Side, attacks), you will find a link to a tool for analyzing pcap capture files to see if actual attacks are occurring.

    If it were me, I would first analyse the target environment to see how attractive it might be for an adversary. So what I mean is for a typical home network, I would not assume a MOTS attack to be all that credible. After all, you probably don't have NSA or CIA secrets on your home computers nor the secret formula for making Coca-Cola … :). That's not to say some wannabe script kiddie in the neighborhood couldn't be trying to knock on the network door, but sophisticated state-sponsored groups attacking you are not likely. Only you can evaluate your risk, though. Based on the Wi-Fi interconnect between pfSense and your other ISP router, I would lean more toward RF interference causing lots of packet retransmissions (and hence that other error). Can you ditch the Wi-Fi WAN connection and use a straight Ethernet cable instead?

    Also make sure you go to SYSTEM > ADVANCED and then the Networking tab in pfSense and turn off all NIC hardware checksum validation and LRO and Segmentation.

    My initial guess would be you are seeing false positives perhaps triggered by Wi-Fi issues ???

    Bill



  • Thanks for the answer, Bill ;),

    I'll do more research about pcap files; did you mean Wireshark?
    About the Suricata alerts, you were completely right, it was the wireless connection on the WAN interface. Today I bought a 10 m Cat 5e Ethernet cable and made a wired link for WAN. Amazing results, no system logs about WAN link up/down anymore and almost no Suricata alerts. I still get some 1:2210054 SURICATA STREAM excessive retransmissions but I think they must be false positives as you wrote in your post.

    Is there a guide, tutorial or some document for Suricata beginners and false positives? Thanks!!

    Jami



  • See this post, https://www.linkedin.com/pulse/qisniff-sniffs-quantum-injection-mayur-agnihotri, for details about the attack and the mention of the tool (qisniff). Here is the link to the tool itself: https://github.com/zond/qisniff

    Bill