Hunting a spyware and log messages

Please include the following information with your help request:

  • Suricata version

7.0.1

  • Operating system and/or Linux distribution

FreeBSD and Linux on ARM

  • How you installed Suricata (from source, packages, something else)

packages

Hello, I’m hunting spyware that seems to be controlled by a very advanced hacking group.
This means that part of the spyware could be resident on the ISP infrastructure.
Anyway, Suricata shows me some log entries that in my opinion are false positives or just warning messages.
That is:

(2927)  [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [Classification: Generic Protocol Command Decode] [Priority: 3]
(66)    [1:2210038:2] SURICATA STREAM FIN out of window [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(1)     [1:2210056:1] SURICATA STREAM bad window update  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(1216)  [1:2200073:2] SURICATA IPv4 invalid checksum  [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
(156)   [1:2200075:2] SURICATA UDPv4 invalid checksum  [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
(17)    [1:2210054:1] SURICATA STREAM excessive retransmissions  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(38)    [1:2210020:2] SURICATA STREAM ESTABLISHED packet out of window  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(2)     [1:2221010:1] SURICATA HTTP unable to match response to request  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(2)     [1:2031231:3] ET INFO Observed ZeroSSL SSL/TLS Certificate  [Classification: Misc activity] [Priority: 3] {TCP}

These logs are from 22-12-2023 to today, 30-12-2023. The number in parentheses at the start of each line is the number of times that message was found in the log.
For example, the following message

SURICATA IPv4 invalid checksum [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}

is found 1216 times.

Thanks.

Those are stream-related signatures, so they detect issues with the traffic itself rather than actual attacks. The description should already tell you what is wrong, and it sometimes helps with debugging network issues.
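As an added example (not code from this thread or from the Suricata project), here is a small parser for the alert summary lines posted above that separates Suricata's own engine events (decoder, stream and app-layer event rules, whose messages all begin with "SURICATA ") from hits on ordinary detection signatures such as the ET INFO rule. The SID ranges it uses are an assumption based on how Suricata's bundled decoder-events.rules, stream-events.rules and per-protocol *-events.rules files number their rules; check them against the rule files shipped with your install before relying on them.

```python
import re
from collections import Counter

# Constructed sample input: the per-signature summary lines as posted in the
# thread (hit count in parentheses, then the fast.log-style alert text).
SAMPLE_SUMMARY = """\
(2927)  [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [Classification: Generic Protocol Command Decode] [Priority: 3]
(66)    [1:2210038:2] SURICATA STREAM FIN out of window [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(1)     [1:2210056:1] SURICATA STREAM bad window update  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(1216)  [1:2200073:2] SURICATA IPv4 invalid checksum  [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
(156)   [1:2200075:2] SURICATA UDPv4 invalid checksum  [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
(17)    [1:2210054:1] SURICATA STREAM excessive retransmissions  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(38)    [1:2210020:2] SURICATA STREAM ESTABLISHED packet out of window  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(2)     [1:2221010:1] SURICATA HTTP unable to match response to request  [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(2)     [1:2031231:3] ET INFO Observed ZeroSSL SSL/TLS Certificate  [Classification: Misc activity] [Priority: 3] {TCP}
"""

# One summary line: "(count)  [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO}"
# The trailing {PROTO} is optional because the first posted line lacks it.
LINE_RE = re.compile(
    r"^\((?P<count>\d+)\)\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[Classification:\s*(?P<cls>[^\]]*)\]"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"(?:\s+\{(?P<proto>[A-Z0-9]+)\})?\s*$"
)

# Assumption: SID ranges used by Suricata's bundled engine-event rule files
# (decoder-events.rules, stream-events.rules, and the per-protocol
# *-events.rules such as http-events.rules). Verify against your rule files.
ENGINE_EVENT_RANGES = {
    "decoder": (2200000, 2209999),
    "stream": (2210000, 2219999),
    "app-layer": (2220000, 2299999),
}


def classify(sid, msg):
    """Return 'engine-event/<kind>' for Suricata's own events, else 'signature'."""
    for name, (lo, hi) in ENGINE_EVENT_RANGES.items():
        if lo <= sid <= hi:
            return "engine-event/" + name
    # Fallback on the message prefix Suricata gives all of its engine events.
    if msg.startswith("SURICATA "):
        return "engine-event/other"
    return "signature"


def parse_summary(text):
    """Parse summary lines into dicts; raise on anything that does not match."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        d = m.groupdict()
        sid = int(d["sid"])
        alerts.append({
            "count": int(d["count"]),
            "gid": int(d["gid"]), "sid": sid, "rev": int(d["rev"]),
            "msg": d["msg"].strip(), "classification": d["cls"].strip(),
            "priority": int(d["prio"]), "proto": d["proto"],
            "kind": classify(sid, d["msg"]),
        })
    return alerts


def summarize(alerts):
    """Total hit counts per kind, so engine noise and signature hits are separated."""
    totals = Counter()
    for a in alerts:
        totals[a["kind"]] += a["count"]
    return totals


def signature_hits(alerts):
    """Only the alerts that came from detection signatures, not engine events."""
    return [a for a in alerts if a["kind"] == "signature"]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for kind, total in sorted(summarize(parsed).items()):
        print(f"{kind:25s} {total}")
    for a in signature_hits(parsed):
        print("signature hit:", a["sid"], a["msg"], "x", a["count"])
```

Run against the posted summary, the script attributes all but two of the roughly 4,400 alerts to engine events (stream and decoder events, plus the HTTP app-layer event); the only detection-signature hit is the ET INFO ZeroSSL certificate rule, which is itself informational. That split is the first triage step before digging into any individual line.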

Thanks for your reply. I don’t really know where to look to find this damn spyware. Is it possible to append the SSL key somewhere alongside the legitimate stream? In this way the attacker would be able to decrypt the traffic… I’m looking for state-sponsored spyware. Would you have any advice on how to easily check the entire stream of data to see whether the protocol syntax is respected?

Thanks.

Do you have a pcap of that?