I am using Suricata in IDS mode only. When I set stream.inline: yes I get a big increase of alerts of the following rule:
alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
What is the reason behind this behaviour? Should I leave stream.inline: yes or switch it to “auto” or “no”?
We’re trying to better understand this situation. Would you be able to provide a pcap showcasing the traffic that is generating more alerts when stream.inline is “yes”?
Also, could you tell us which version of Suri you are running, just so we have a bigger picture?
Thanks in advance!
I am using the latest stable version of Suricata. I will try to get a PCAP but it will take some time.
Alright, and thanks!
So far, as a heads-up, this may be a case of lack of documentation. If you set stream.inline: no you don’t get the increase, right? What happens if you keep that as no but pass the command-line option --simulate-ips? Are the results similar to having it as
The results appear not to be similar. With stream.inline: auto and --simulate-ips I do not have the increase. In IDS mode should I leave this to “no” or “auto”?
Thanks for your answer
I would say that auto is a safer option, for now.