Dealing with excessive IPS logs

I know this has been discussed before, but I haven’t seen a resolution. When there are over 20k hits in less than 12 hours, how is one to monitor IPS logs in a meaningful way? I just exported today’s IPS logs (midnight to 11:40am). Out of over 22k logs, these are the most excessive:
Name: SURICATA STREAM ESTABLISHED invalid ack 6049 hits
Name: SURICATA STREAM ESTABLISHED packet out of window 9669 hits
Name: SURICATA STREAM Packet with invalid ack 6087 hits
Name: SURICATA STREAM Packet with invalid timestamp 326 hits

Those were the big offenders; there were several other rules that were hit a more reasonable number of times for a 12 hour period.

What’s crazy is, if I look at yesterday’s logs, in a 24 hour period there were “only” 3482 hits.

Yesterday’s big offenders:
Name: SURICATA STREAM ESTABLISHED invalid ack 1495 hits
Name: SURICATA STREAM ESTABLISHED packet out of window 234 hits
Name: SURICATA STREAM Packet with invalid ack 1505 hits
Name: SURICATA STREAM Packet with invalid timestamp 161 hits

How do you all handle monitoring your IPS logs?

We are obviously in a different magnitude. My suricata hits are as follows:

Date Hits
11/8 23
10/8 24
9/8 36
8/8 25
7/8 20
6/8 143
5/8 34
4/8 25
3/8 11
2/8 17
1/8 7

I only have two rulesets defined in my IPS.

The increase on 6th August was due to a change I made in my proxy setup which caused blocks of access from the proxy to the web server.
Fixed the change and the messages disappeared.

Abuse.ch only has one rule to select.
For Emerging Threats I have the following selected

I ignore entries like emerging-dshield.rules as I have dshield selected on my IP Blocklist, and on my IP Blocklist I ignore Spamhaus_drop as I have the "Drop packets to and from hostile networks" option in the Firewall Options selected.

I then turn off logging for drop hostile incoming as all of that is dropped anyway.
I keep the logging for drop hostile outgoing to see what is trying to access hostile networks going out.

For the IPS, the categories are things related to my Android phone that is incorrectly set up for certain things, and the IPS drops those communications. It never interferes with my mobile wifi communication.

Another category is external sites trying to access web servers on my system via http (port 80) but those get dropped. In addition all http is redirected to https except for LetsEncrypt traffic.

The traffic on the firewall logs that tries to access my web server via https hits my authentication stage and never tries further than that.

How many IPS rulesets do you have selected? If you select too many, then you will get a lot more hits. Make sure you only select what you really need for your network.

Make sure that you set anything that can be dropped by IP Blocklists in preference to IPS.
Use the IPFire firewall options to drop_hostile incoming and outgoing, then you don’t need to select those in the IP Blocklist or IPS.

The above is how I handle my home network but then I am the only user on the network and that makes it easier, assuming I can trust myself.


I was under the impression that the baked-in SURICATA rules were independent of the other rulesets. It sounds like you're saying that the more Emerging, Talos, Abuse.ch, etc. rulesets I enable, the more SURICATA STREAM hits there will be?

I do have many more rulesets enabled than you do.

I hardly get any of the suricata stream hits.

If that is what you are experiencing then there must be some issue with your overall connection causing those messages to occur.

I misunderstood what you were highlighting as the problem.

I am not sure if the solution to having too many suricata stream events is to stop logging the suricata stream events and pretend they are not happening.

I just did a quick check and on 11th Aug I had one stream event with a "3way handshake SYNACK with wrong ack" message from an external IP trying to access my Android phone.

On the 8th August I had 2 stream events: "Packet with invalid timestamp" and "excessive retransmissions".

The first was coming from my Android phone and the second was from an external IP trying to access my IPFire system.

As an experiment, I will try disabling almost all of my rules to see if the SURICATA STREAM events will decrease. This is my home network as well. There are three of us living here, with two desktop PCs, a laptop, an iPad, 3 iPhones/iWatches, and several streaming services going to 2 TVs. Oh, and a Nintendo Switch and an Ubuntu file server. Probably typical of most households, with the exception of the file server.

I suspect those won’t. I had missed that you were having a problem with those.

This might be more the reason, as the Android phones and iPhone/iPad/iWatch products don't always do their internet communication in line with how they should.

However, you should be able to see if one or more of these are the problem by looking at the suricata logs for the Stream Events and seeing if the source is one of those systems, presuming you have fixed IPs for your iPad, iPhone and iWatch systems.

My home system is one desktop PC, one server system, three laptop systems, one RPi running on my orange network as the DHCP server for all systems on my DMZ, and one Android mobile phone.

Everything is using Arch Linux except for the mobile phone which is on Android.
I use no streaming services at all.

EDIT:
I just found some comments in pfSense that suricata stream events are triggered by iOS devices, especially iPhones, as they don't follow the rules for adhering to the various networking standards.
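Following the suggestion above to check which source the Stream Events come from, here is an added example (not from this thread or from IPFire) that tallies SURICATA STREAM alerts per LAN host from a Suricata eve.json export; the LAN prefix, the host addresses and the sample records are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed green LAN prefix

# Constructed sample eve.json records (one JSON object per line), not real logs.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"198.51.100.10","alert":{"signature":"SURICATA STREAM ESTABLISHED packet out of window"}}
{"event_type":"alert","src_ip":"198.51.100.10","dest_ip":"192.168.1.50","alert":{"signature":"SURICATA STREAM ESTABLISHED invalid ack"}}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.7","alert":{"signature":"SURICATA STREAM Packet with invalid ack"}}
{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.7","alert":{"signature":"SURICATA STREAM Packet with invalid timestamp"}}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.168.1.20","alert":{"signature":"CONSTRUCTED non-stream alert"}}
{"event_type":"flow","src_ip":"192.168.1.50","dest_ip":"198.51.100.10"}
"""

def local_endpoint(rec):
    # Whichever side of the alert is a LAN address, else None.
    for key in ("src_ip", "dest_ip"):
        ip = rec.get(key)
        if ip and any(ipaddress.ip_address(ip) in net for net in LAN_NETS):
            return ip
    return None

def tally_stream_alerts(lines):
    # Counts SURICATA STREAM alerts per LAN host and per signature. Both
    # directions are charged to the LAN endpoint, so a phone shows up once.
    per_host, per_sig, total = Counter(), Counter(), 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:  # blank or half-written line: skip it
            continue
        if rec.get("event_type") != "alert":
            continue
        sig = rec.get("alert", {}).get("signature", "")
        if not sig.startswith("SURICATA STREAM"):
            continue
        total += 1
        per_sig[sig] += 1
        per_host[local_endpoint(rec) or "no-LAN-endpoint"] += 1
    return total, per_host, per_sig

def report(lines, top=5):
    total, per_host, per_sig = tally_stream_alerts(lines)
    print(f"{total} SURICATA STREAM alerts")
    for host, n in per_host.most_common(top):
        print(f"  {host:>16} {n:6d} ({100 * n / max(total, 1):.0f}%)")
    for sig, n in per_sig.most_common(top):
        print(f"  {n:6d}  {sig}")
```

Run `report(open("/path/to/exported/eve.json"))` on a real export; the host at the top of the list is the device to look at first.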

Yes, that sounds right. I just checked and over 21k of those hits are either coming to or leaving my wife's iPhone. :) Not sure what's different about hers from mine or my son's; I know she has a lot more apps installed.

Nice. I once aspired to be proficient with Arch, but never got around to it. I settled on MX Linux as my Linux of choice, but only use it for special use cases, not as my daily driver. My file server is based on Ubuntu Server Edition 16.04.7 LTS with expanded security updates. I am less concerned with keeping it updated (beyond security patches) because it is a very simple file server that is only exposed to the LAN.

Had a similar situation with my wife's phone.
1/2 of all connections involved her phone.
5 person household full of gamers.
Mostly Google and Facebook analytics.
Blocked some and throttled the rest.


How did you go about that?

Firewall rules: host group and limited connections to 1.


This seems to be making a big difference. I wasn’t sure how to make the FW rule, but what I figured out seems to be working.

-Set up a host group called iPhones
-Add iPhone IPs as Hosts, then put the hosts into the iPhones Host Group (must be fixed or set on super long leases that are extremely unlikely to change)
-Create a new FW rule:
–Source will be Network/Host Groups: iPhones
–leave NAT unchecked
–Destination will be Firewall: All
–Protocol: All
–ACCEPT connections
–Limit concurrent connections per IP Address to 1

@bonnietwin @hvacguy please verify I didn’t configure this rule incorrectly.

The main thing I'm unsure of is if I'm inadvertently leaving these devices open for attack with the ACCEPT setting for Firewall: ALL.

Thanks.

I am not that familiar with rules being used in the manner you have described so I am not sure I am that good a person to give advice on that.

I will need to think about the rule and see if I can come to some conclusion.

@hvacguy might be better to comment as it sounds like he is doing a similar thing so will have experience.

That is what I did.
Made the rule from the perspective of Default policy Block.
Could make it more restrictive if I set up Service Groups for phones…
Don't understand why it will not work with NAT?

Can you screenshot the firewall rule so I can compare to mine? I can also screenshot mine.

Here it is.

Thanks. Here’s mine. They’re a bit different.

I’ve switched back and forth between our firewall rules (changing destination from RED to Firewall ALL and vice versa) and after a period of time now it does not seem like the rule is doing anything. The mobile devices will have their way, regardless. LOL

Do you redirect your DNS in IPFire, as described in the wiki?

Yep, I sure do.