Suricata Messages 2210007 after Update 171

Hi,

First, the upgrade to the new version worked without any problems, and the system and also Suricata are running.

What I can see over the last days is a lot of Suricata log entries for connections with DNS servers.
I have a DNS server from our provider (German Telekom) and also one from Google configured, and I get the messages for both systems.

Datum: 10/25 04:33:13 Name: SURICATA STREAM 3way handshake SYNACK with wrong ack
Priorität: 3 Typ: Generic Protocol Command Decode
IP-Info: 217.0.43.193:53 → 192.168.1.2:57442
Referenzen: nichts gefunden SID: 2210007

Datum: 10/25 04:33:13 Name: SURICATA STREAM 3way handshake SYNACK with wrong ack
Priorität: 3 Typ: Generic Protocol Command Decode
IP-Info: 8.8.8.8:53 → 192.168.1.2:46304
Referenzen: nichts gefunden SID: 2210007

If you look for the reference number you will find nothing, and I can also find no rule for this.
We use the VTR rules for registered users and they worked in the past without any problems.

At the moment I'm a little bit scared that Suricata blocks connections to the DNS servers and makes it so difficult to work with all the systems in the internal network.

Best

Silvio

Hi Silvio,

this log comes from the Suricata default rules. Prio 3 says that in this case no connection was blocked. But it shows that something went wrong / some element is not configured correctly. So no reason to be scared.

I am not happy with this change, but as I understood it, it is the current version of Suricata that causes it.

You might refer to https://community.ipfire.org/t/disable-default-suricata-rules/8137 to have a look at a related conversation.

BR Wayne

2 Likes
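An added triage helper, not part of this thread or of IPFire, for anyone who wants to check what these entries actually are before worrying: it parses alerts in the IPFire IPS log layout quoted above (German UI labels kept as they appear), groups them by SID and remote peer, and tags messages beginning with "SURICATA STREAM" as Suricata's built-in stream-event rules, which is the source Wayne identifies. The sample input is constructed from the two entries in Silvio's post; the function names are mine.

```python
import re
from collections import Counter

# Constructed sample: the two entries from the thread, in the IPFire IPS log layout.
SAMPLE_LOG = """\
Datum: 10/25 04:33:13 Name: SURICATA STREAM 3way handshake SYNACK with wrong ack
Priorität: 3 Typ: Generic Protocol Command Decode
IP-Info: 217.0.43.193:53 → 192.168.1.2:57442
Referenzen: nichts gefunden SID: 2210007
Datum: 10/25 04:33:13 Name: SURICATA STREAM 3way handshake SYNACK with wrong ack
Priorität: 3 Typ: Generic Protocol Command Decode
IP-Info: 8.8.8.8:53 → 192.168.1.2:46304
Referenzen: nichts gefunden SID: 2210007
"""

# One IPFire IPS entry spans four lines; the field labels are the German UI strings.
ENTRY_RE = re.compile(
    r"Datum: (?P<time>\S+ \S+) Name: (?P<name>.+?)\n"
    r"Priorität: (?P<prio>\d+) Typ: (?P<cls>.+?)\n"
    r"IP-Info: (?P<src>\S+):(?P<sport>\d+) → (?P<dst>\S+):(?P<dport>\d+)\n"
    r"Referenzen: .*? SID: (?P<sid>\d+)"
)


def parse_entries(text):
    """Return one dict per alert entry found in the IPFire IPS log text."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def is_stream_event(name):
    """Built-in Suricata stream/TCP-reassembly events, not a downloaded rule set."""
    return name.startswith("SURICATA STREAM")


def triage(entries):
    """Group alerts by SID: message, priority, count, remote peers, stream-event flag.

    Many hits on one SID from only the configured DNS resolvers (port 53) point at
    a stream/decoder event on those flows rather than at the DNS servers themselves.
    """
    summary = {}
    for e in entries:
        s = summary.setdefault(e["sid"], {
            "name": e["name"],
            "prio": int(e["prio"]),
            "stream_event": is_stream_event(e["name"]),
            "count": 0,
            "peers": Counter(),
        })
        s["count"] += 1
        s["peers"][f"{e['src']}:{e['sport']}"] += 1
    return summary
```

Run `triage(parse_entries(open("alerts.txt").read()))` on a copy of the IPS log page to see, per SID, how many hits there are and which remote peers produce them.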

Hi Wayne,

that was fast, thank you.
Yes, I was a little bit confused because I could not find the rule. Your info was the missing part.

Thank you

Silvio

1 Like