I also have problems with a lot of logs, see How to stop IPS "SURICATA ICMPv4 invalid checksum" logs?
Hi!
I have fireinfo.ipfire.org - Profile 72a721ca22ee04f59b30ada2f17f4a85fb1ebd07 and I am using Emergingthreats.net Community Rules 2022-08-10 00:08:52. It seems like my HarmonyHub (Harmony Hub = remote control system for TV etc. = 192.168.0.57) is spamming the IPS logs every 30 seconds with:
Date: 08/11 10:08:02
Name: SURICATA ICMPv4 invalid checksum
Priority: 3
Type: Generic Protocol Command Decode
IP info: 192.168.0.254:0 → 192.168.0.57:0
References: none found
SID: 2200076

It started like a month ago, I don't know if it was after an update of HarmonyHub or IPFire.
I have searched in WUI - Firewall - Intrusion Prevention - Customize Ruleset, but can’t find what to turn off to stop the flood.
While it is annoying, it is also making it hard to see if there is other important stuff in the logs that I should know about.
Any tips for fixing this, that do not include threats and/or violence against the stupid HarmonyHub?
So maybe I can temporarily edit /usr/share/suricata/rules/decoder-events.rules, e.g. under "# checksum rules" comment out this:
alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;)
Maybe with:
sed -i 's/alert icmp any any -> any any (msg:\"SURICATA ICMPv4/#alert icmp any any -> any any (msg:\"SURICATA ICMPv4/g' /usr/share/suricata/rules/decoder-events.rules
/etc/init.d/suricata restart
Is it possible to run the above automatically every time the rules have been updated? Naturally only temporarily, until something better is figured out. Maybe put the above commands in tempskipicmp.sh, then do fcrontab -e and edit
@ 12h [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1
to
@ 12h [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1 && /root/tempskipicmp.sh
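One way to write that tempskipicmp.sh so it is safe to re-run after every ruleset update, as an added example that is not from the original post or from IPFire: it matches the rule by its SID (sid:2200076;) rather than by the msg text, only comments out lines that are still active, and only restarts Suricata when something actually changed. The rules file path and the restart command are the ones from the post; the sample rules written by write_sample_rules are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not the post's or IPFire's code): disable one Suricata rule
# by SID in a rules file, idempotently, so the script can run after each
# ruleset update. Assumes GNU sed (for -i).

# disable_sid RULES_FILE SID -> prints the number of rule lines commented out
disable_sid() {
    rules="$1"
    sid="$2"
    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 2; }
    before=$(active_sid_count "$rules" "$sid")
    # Prefix only still-active "alert ..." lines carrying this SID with '#'.
    # Lines that already start with '#' do not match, so re-running is a no-op.
    sed -i "/^[[:space:]]*alert .*sid:${sid};/s/^/#/" "$rules"
    after=$(active_sid_count "$rules" "$sid")
    echo $((before - after))
}

# active_sid_count RULES_FILE SID -> number of uncommented rules with that SID
active_sid_count() {
    # grep -c exits 1 when the count is 0; '|| true' keeps the "0" output.
    grep -c "^[[:space:]]*alert .*sid:${2};" "$1" || true
}

# write_sample_rules FILE -> constructed stand-in for decoder-events.rules:
# the ICMPv4 checksum rule from the post, an already-commented copy, and an
# unrelated rule (made-up SID 9999999) that must stay active.
write_sample_rules() {
    printf '%s\n' \
      'alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;)' \
      '#alert icmp any any -> any any (msg:"already disabled copy"; sid:2200076; rev:1;)' \
      'alert tcp any any -> any any (msg:"constructed unrelated rule"; sid:9999999; rev:1;)' \
      > "$1"
}

# Real use, as the post's tempskipicmp.sh: ./tempskipicmp.sh --run
if [ "${1:-}" = "--run" ]; then
    changed=$(disable_sid /usr/share/suricata/rules/decoder-events.rules 2200076)
    if [ "$changed" -gt 0 ]; then
        /etc/init.d/suricata restart
    fi
fi
```

Because the ruleset update rewrites the file, the script must run after update-ids-ruleset, which is exactly where the edited fcrontab line calls it.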