Noisy Suricata invalid Checksum alert

[Ted Brand]

I am having a bit of an issue tuning some specific Suricata alerts in Security Onion. There are 3 alerts in particular, (Suricata UDPv4 invalid checksum, Suricata TCPv4 invalid Checksum, and Suricata IPv4 invalid checksum) that are firing about off at about a count of 100,000 over the course of 20 minutes and growing. I have tried numerous ways to turn off this alert but it still continues to fire.

The steps I have taken so far:
Disabled SID's in Pulled Pork's disablesid.conf
1:2200073
1:2200074
1:2200075
1:2200076

Turned off checksum stream validation in suricata.yaml

Commented out all of the checksum rules alerts in decoder-events.rules in regards to SURICATA invalid checksum.

After running a /usr/bin/rule-update and then a service nsm restart, these alerts are still coming into Squil/Squert.


My understanding of tuning Security Onion may be incorrect, but shouldn't turning off the alerting stop the alert from showing in these?

[Wes Lambert]

Ted,

Could it be that you are still seeing a backlog of alerts from barnyard2  from before you disabled the rules? 

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

[Ted Brand]

Good Evening,
It looks like this is the case. Since some many alerts came in, even after I disabled them they were still adding to the backlog in sguil. I checked on these the next day and they stopped coming in.

Thanks for the info.

Ted