Hi!
I was able to install Suricata using this tutorial https://blog.showipintbri.com/blog/suricata-vyos.
I’m having an issue with the TCP Engine, It’s giving out FIN recv without a session. I’m having this issue with all my clients, Windows, iOS, Mac. I see flows that are fine within the internal network, seems only what goes through the internet. I’m looking at what could be causing this error, on the hardware side everything is VMWare with VMXNET3.
I’m wondering if it’s safe to simply disable the rule? And what would be the best way? What could cause a FIN packet to be seen as “out of session”?
{“timestamp”:“2022-10-12T14:48:13.664048+0000”,“flow_id”:1660669829185583,“event_type”:“drop”,“src_ip”:“172.16.10.106”,“src_port”:52527,“dest_ip”:“64.62.250.111”,“dest_port”:443,“proto”:“TCP”,“drop”:{“len”:52,“tos”:0,“ttl”:63,“ipid”:0,“tcpseq”:3508652610,“tcpack”:1679436313,“tcpwin”:2048,“syn”:false,“ack”:true,“psh”:false,“rst”:false,“urg”:false,“fin”:true,“tcpres”:0,“tcpurgp”:0,“reason”:“stream error”}}
{“timestamp”:“2022-10-12T14:48:16.245297+0000”,“flow_id”:1660669829185583,“event_type”:“anomaly”,“src_ip”:“172.16.10.106”,“src_port”:52527,“dest_ip”:“64.62.250.111”,“dest_port”:443,“proto”:“TCP”,“anomaly”:{“type”:“stream”,“event”:“stream.fin_but_no_session”}}
Help is very much appreciated! Thanks!