Please include the following information with your help request:
- Suricata version: 7.0.1
- Operating system and/or Linux distribution: FreeBSD and Linux on ARM
- How you installed Suricata (from source, packages, something else): packages
Hello, I'm hunting spyware that seems to be controlled by a very advanced hacking group.
This means that part of the spyware could be resident on the ISP infrastructure.
Anyway, Suricata shows me some logs that, in my opinion, are false positives or just warning messages.
That is:
(2927) [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [Classification: Generic Protocol Command Decode] [Priority: 3]
(66) [1:2210038:2] SURICATA STREAM FIN out of window [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(1) [1:2210056:1] SURICATA STREAM bad window update [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(1216) [1:2200073:2] SURICATA IPv4 invalid checksum [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
(156) [1:2200075:2] SURICATA UDPv4 invalid checksum [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
(17) [1:2210054:1] SURICATA STREAM excessive retransmissions [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(38) [1:2210020:2] SURICATA STREAM ESTABLISHED packet out of window [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(2) [1:2221010:1] SURICATA HTTP unable to match response to request [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
(2) [1:2031231:3] ET INFO Observed ZeroSSL SSL/TLS Certificate [Classification: Misc activity] [Priority: 3] {TCP}
These logs are from 22-12-2023 to today, 30-12-2023. The number in the first parenthesis is the number of times the message was found in the log.
For example, the following message
SURICATA IPv4 invalid checksum [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
is found 1216 times.
Thanks.
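The per-signature counts in the post above are the kind of summary you get by aggregating Suricata's fast.log by `[gid:sid:rev]`. The script below is an added example (not part of the original post and not Suricata's own tooling) that parses fast.log lines, counts alerts per signature, prints them in the same "(count) [gid:sid:rev] msg ..." form used in the post, and separates Suricata's built-in engine events (msg prefixed with "SURICATA ", i.e. decoder/stream/app-layer anomalies) from ruleset hits such as "ET INFO ...". The log lines embedded in it are constructed samples using RFC 5737 documentation addresses, not traffic from the poster's network.

```python
"""Aggregate Suricata fast.log alerts by signature and split engine events from rule hits.

Added example for triaging the alert summary in the post; not Suricata's own code.
"""
import re
from collections import Counter

# Constructed sample fast.log lines (documentation addresses, not real traffic).
SAMPLE_FAST_LOG = """\
12/30/2023-10:00:01.000001  [**] [1:2200073:2] SURICATA IPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 192.0.2.10:5353 -> 198.51.100.1:53
12/30/2023-10:00:02.000002  [**] [1:2200073:2] SURICATA IPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 192.0.2.10:5353 -> 198.51.100.1:53
12/30/2023-10:00:03.000003  [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:44321 -> 198.51.100.2:443
12/30/2023-10:00:04.000004  [**] [1:2031231:3] ET INFO Observed ZeroSSL SSL/TLS Certificate [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.2:443 -> 192.0.2.10:44321
this line is deliberately malformed and must be skipped
"""

# One fast.log alert line: timestamp, [**], [gid:sid:rev], msg, [**], classification, priority, {proto}, src -> dst
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_log(text):
    """Yield one dict per well-formed alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Return (count, gid, sid, rev, msg, cls, prio, proto) tuples, most frequent first."""
    counts = Counter()
    meta = {}
    for alert in parse_fast_log(text):
        key = (alert["gid"], alert["sid"], alert["rev"])
        counts[key] += 1
        meta[key] = alert  # all lines with the same key share msg/cls/prio
    rows = []
    for key, n in counts.most_common():
        a = meta[key]
        rows.append((n, *key, a["msg"], a["cls"], a["prio"], a["proto"]))
    return rows


def is_engine_event(msg):
    """Suricata's built-in decoder/stream/app-layer events carry the 'SURICATA ' msg prefix;
    anything else (e.g. 'ET INFO ...') comes from a loaded ruleset."""
    return msg.startswith("SURICATA ")


def split_engine_events(rows):
    """Partition summary rows into (engine_events, rule_hits) so the two can be triaged separately."""
    engine = [r for r in rows if is_engine_event(r[4])]
    rules = [r for r in rows if not is_engine_event(r[4])]
    return engine, rules


def format_rows(rows):
    """Render rows in the '(count) [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO}' form."""
    return [
        f"({n}) [{gid}:{sid}:{rev}] {msg} [Classification: {cls}] [Priority: {prio}] {{{proto}}}"
        for n, gid, sid, rev, msg, cls, prio, proto in rows
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_FAST_LOG)
    engine_rows, rule_rows = split_engine_events(summary)
    print("Engine (decoder/stream) events:")
    for line in format_rows(engine_rows):
        print("  " + line)
    print("Ruleset alerts:")
    for line in format_rows(rule_rows):
        print("  " + line)
```

Run it against a real file with `summarize(open("/var/log/suricata/fast.log").read())`. Splitting the two groups matters for triage: the "SURICATA STREAM ..." and "invalid checksum" events describe how the sensor's TCP reassembly and checksum validation saw the packets (checksum offloading on the capture NIC, asymmetric routing, or packet loss all produce them), whereas ruleset alerts describe the traffic content.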