Hi all,
I have installed three Suricata sensors under Debian 12. I am seeing several stream.pkt_broken_ack alerts, but these alerts only affect encrypted ports: HTTPS and Kerberos, mainly.
How can I debug this?
In my stats.log file:
------------------------------------------------------------------------------------
Date: 9/2/2024 – 15:43:00 (uptime: 0d, 00h 14m 23s)
Counter | TM Name | Value
capture.kernel_packets | Total | 24558
capture.afpacket.polls | Total | 38816
capture.afpacket.poll_timeout | Total | 30940
capture.afpacket.poll_data | Total | 7876
decoder.pkts | Total | 24572
decoder.bytes | Total | 12659258
decoder.ipv4 | Total | 24572
decoder.ethernet | Total | 24572
decoder.tcp | Total | 24388
tcp.syn | Total | 36
tcp.synack | Total | 21
decoder.udp | Total | 48
decoder.icmpv4 | Total | 136
decoder.avg_pkt_size | Total | 515
decoder.max_pkt_size | Total | 1514
tcp.active_sessions | Total | 4
flow.total | Total | 70
flow.active | Total | 30
flow.tcp | Total | 46
flow.udp | Total | 24
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 4
flow.wrk.flows_evicted_needs_work | Total | 18
flow.wrk.flows_evicted_pkt_inject | Total | 18
flow.wrk.flows_injected | Total | 18
tcp.sessions | Total | 24
tcp.ssn_from_cache | Total | 12
tcp.ssn_from_pool | Total | 12
tcp.pseudo | Total | 2
tcp.segment_from_cache | Total | 121
tcp.segment_from_pool | Total | 48
tcp.overlap | Total | 1
detect.alert | Total | 10
detect.alerts_suppressed | Total | 92
detect.mpm_list | Total | 1
detect.nonmpm_list | Total | 387
detect.fnonmpm_list | Total | 48
detect.match_list | Total | 49
app_layer.flow.tls | Total | 1
app_layer.flow.ntp | Total | 19
app_layer.tx.ntp | Total | 19
app_layer.flow.krb5_tcp | Total | 15
app_layer.tx.krb5_tcp | Total | 30
app_layer.flow.failed_tcp | Total | 5
app_layer.flow.dns_udp | Total | 5
app_layer.tx.dns_udp | Total | 10
flow.end.state.new | Total | 7
flow.end.state.established | Total | 16
flow.end.state.closed | Total | 17
flow.end.tcp_state.syn_sent | Total | 3
flow.end.tcp_state.closed | Total | 17
flow.mgr.full_hash_pass | Total | 84
flow.mgr.rows_per_sec | Total | 6553
flow.spare | Total | 9622
flow.mgr.rows_maxlen | Total | 1
flow.mgr.flows_checked | Total | 351
flow.mgr.flows_notimeout | Total | 311
flow.mgr.flows_timeout | Total | 40
flow.mgr.flows_evicted | Total | 40
flow.mgr.flows_evicted_needs_work | Total | 18
memcap_pressure | Total | 5
memcap_pressure_max | Total | 5
flow.recycler.recycled | Total | 22
flow.recycler.queue_max | Total | 2
tcp.memuse | Total | 2424832
tcp.reassembly_memuse | Total | 487424
flow.memuse | Total | 7234304
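As an added example (not code from the original post), one way to start debugging: a small Python parser for the stats.log format quoted above that pulls out the counters a defender checks first when stream anomaly alerts appear (capture drops, segment overlap, memcap pressure, alert suppression). The sample lines are constructed from the post's own output; `capture.kernel_drops` and `tcp.reassembly_gap` are counter names assumed from Suricata's stats set and are not present in this dump.

```python
"""Parse one Suricata stats.log dump and triage the counters relevant to
stream anomaly alerts such as stream.pkt_broken_ack."""
import re
from typing import Dict

# Constructed sample in stats.log format (values copied from the post above).
SAMPLE = """\
Date: 9/2/2024 -- 15:43:00 (uptime: 0d, 00h 14m 23s)
Counter | TM Name | Value
capture.kernel_packets | Total | 24558
tcp.overlap | Total | 1
tcp.pseudo | Total | 2
flow.wrk.flows_evicted_needs_work | Total | 18
memcap_pressure | Total | 5
detect.alert | Total | 10
detect.alerts_suppressed | Total | 92
"""

# counter | thread name | integer value ; header/date/separator lines do not match
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Return {counter: value} for the 'Total' column. Counters Suricata
    omitted from the dump (zero-valued ones) are simply absent."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


# Counters to review when the stream engine reports broken ACKs. The two
# names marked "assumed" are from Suricata's counter set, not this dump.
WATCH = ("capture.kernel_drops",   # assumed name: packets lost before Suricata saw them
         "tcp.overlap", "tcp.pseudo",
         "tcp.reassembly_gap",     # assumed name: gaps in the reassembled stream
         "flow.wrk.flows_evicted_needs_work", "memcap_pressure",
         "detect.alert", "detect.alerts_suppressed")


def triage(counters: Dict[str, int]) -> Dict[str, float]:
    """Return the watched counters that are present plus two ratios:
    capture drop ratio and share of alerts that were suppressed."""
    report: Dict[str, float] = {k: counters[k] for k in WATCH if k in counters}
    pkts = counters.get("capture.kernel_packets", 0)
    report["drop_ratio"] = counters.get("capture.kernel_drops", 0) / pkts if pkts else 0.0
    alerts = counters.get("detect.alert", 0)
    suppressed = counters.get("detect.alerts_suppressed", 0)
    total = alerts + suppressed
    report["suppressed_ratio"] = suppressed / total if total else 0.0
    return report
```

A non-zero drop ratio or a large suppressed share points at packet loss or rule tuning rather than at the encrypted services themselves.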