To address these alerts I've added the entries into the thresholds.conf file and restarted the services. The problem is that no matter how I add these entries in they're never getting suppressed.
I've tried (this rule is for "stream5: TCP Small Segment Threshold Exceeded"):
-suppress gen_id 129, sig_id 12
then:
-suppress gen_id 129, sig_id 12, track by_src 192.168.1.1/24
then:
-suppress gen_id 129, sig_id 12, track by_src 192.168.1.1/24
-suppress gen_id 129, sig_id 12, track by_dst 192.168.1.1/24
Each time I've got to go in and stop the services, manually clear out all of the alerts in the Sguil DB (since there's as many as 100k within a minute or two of restarting the services), then start the services back up, rinse and repeat.
I'd really like to figure out what caused the Stream5 messages to blow up and if it requires some config changes in the snort.conf file from me but I'd also like to get this addressed so I can use Sguil again and have fought this for two days.
Attachd my Sostat-redacted for review (keep in mind that I just cleared all of the Sguil events just a minute or two before getting this output) and as always any help is greatly appreciated!
Thanks,
Kevin
Kevin,
Are you modifying this on the sensor or the server? Did you run a rule update on the server? If so, try running sudo salt "*" state.highstate to immediately update the sensor configuration.
Salt auto-replicates this information to the sensors every 15 minutes--is there any chance you edited it on the sensor and the configuration got overwritten?
Thanks,
Wes
I'm modifying this is on the server itself (it's a standalone setup). I did run rule-update with no change.
Ultimately, it may be better to try tuning the preprocessor in /etc/nsm/hostname-interface/snort.conf.
https://www.snort.org/faq/readme-stream5
Thanks,
Wes
What are some things that I should look into tuning with the preprocessor in /etc/nsm/hostname-interface/snort.conf?
Hi Shane,
That's correct. I've read (in this group) that you want to tune it versus disabling it since there is the threshold.conf file now. Haven't read that particular document yet but will look into it.
Thanks,
Kevin
I'll work on the settings from the link you provided and report back with the outcome.
Thanks!
Kevin
Worked through the link you provided and still getting "stream5:TCP small segment threshold exceeded", "ssh:protocol mismatch", and "http_inspect" alerts like crazy.
Especially odd with the "ssh:protocol mismatch" alerts since I followed to-
In "preprocessor ssh", remove "enable_protomismatch"
Running a rule-update didn't change it either. Any other ideas?
Thanks!
Kevin
The timestamps are all current once I kick the services back on after clearing out the Sguil DB so I don't believe it's backlogged.
I'm following Richard Bejtlich's blog post (http://taosecurity.blogspot.com/2013/02/recovering-from-suricata-gone-wild.html) to address all of the Sguil alerts.
Thanks!
Kevin
Modifications to the threshold.conf were made on eth1 and then the file was copied to the additional interfaces to avoid editing mishaps.
Despite my issues with Suricata and stale PIDs, I've switched back from Snort to Suricata, ran a rule update, and now things are back to normal. No idea why Snort was giving such a headache but it's resolved now. If I have anymore issues I'm going to bite the bullet and rebuild the box from scratch.
It's not the best approach to resolve problems like these as I really did want to get to the root cause for myself and anyone else reading this but time is limited.
Thanks everyone for the help and being an awesome community!
Kevin