Because of these alerts, our custom-made IDS struggles to process the .json files generated by suricata, and in addition, these json files are of a considerable size, unlike all other installations.
Are you monitoring a physical interface inside the VM? Or one that is part of a bridge? If so, you likely need to disable hardware offloading on the physical interface.
We would like to avoid disabling the offload checksum. Would setting the PCI passthrough of the NIC to the VM be a solution?
Since this is the first time these types of problems have occurred, I would also ask if a solution could be to modify the above rules or if some specific configuration of the suricata.yaml could help.
Passthrough could work. Then Suricata will disable the offloads for you.
It would be the first thing I’d try.
These signatures are just reporting what they see, so the only modification would be to disable them. As it usually represents a problem in the setup, quite often hardware offloads.
Thanks Jason, no doubt we will try pcie passthrough.
As for disabling the rule or hardware offload, in these two cases could it affect Suricata’s ability to detect evasion methods such as checksum manipulation?
I’m not exactly sure of the details of what checksum manipulation looks like. But for Suricata to properly determine what the checksum is, hardware offloading needs to be disabled. So disabling offloads should only help here.
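A triage check for the situation in this thread, added here as an example and not code from the Suricata project or any participant: it reads eve.json alert lines, keeps only the decoder "invalid checksum" signatures, and splits them by whether the source address is local. Outbound packets captured before the NIC fills in the checksum are the classic offload artifact, so a local share near 1.0 points at offloading rather than anything on the wire; the EVE records, the 10.0.0.0/24 local range and the event shapes are constructed assumptions, and a VM behind a bridge can also see the effect on inbound traffic, so treat the share as a hint, not proof.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed EVE records in the one-object-per-line shape Suricata writes
# to eve.json. Not captured from any real sensor.
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "93.184.216.34",
     "alert": {"signature": "SURICATA TCPv4 invalid checksum"}},
    {"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "93.184.216.34",
     "alert": {"signature": "SURICATA TCPv4 invalid checksum"}},
    {"event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.1",
     "alert": {"signature": "SURICATA UDPv4 invalid checksum"}},
    {"event_type": "alert", "src_ip": "198.51.100.9", "dest_ip": "10.0.0.5",
     "alert": {"signature": "SURICATA TCPv4 invalid checksum"}},
    {"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "93.184.216.34"},
    {"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "93.184.216.34",
     "alert": {"signature": "EXAMPLE POLICY rule (constructed)"}},
])

def checksum_alert_origins(eve_text, local_nets):
    """Count invalid-checksum alerts per signature, split into alerts whose
    source address is inside local_nets and alerts from everywhere else.
    Blank or malformed lines and non-alert events are skipped."""
    nets = [ip_network(n) for n in local_nets]
    local, remote = Counter(), Counter()
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line) if line.strip() else None
        except ValueError:
            ev = None
        if not ev or ev.get("event_type") != "alert":
            continue
        sig = ev.get("alert", {}).get("signature", "")
        if "invalid checksum" not in sig.lower():
            continue
        src = ip_address(ev["src_ip"])
        (local if any(src in n for n in nets) else remote)[sig] += 1
    return local, remote

def local_share(local, remote):
    """Fraction of invalid-checksum alerts sourced from local addresses;
    near 1.0 is what checksum offload on the monitored NIC looks like."""
    total = sum(local.values()) + sum(remote.values())
    return sum(local.values()) / total if total else 0.0

if __name__ == "__main__":
    loc, rem = checksum_alert_origins(SAMPLE_EVE, ["10.0.0.0/24"])
    print("local:", dict(loc), "\nremote:", dict(rem))
    print(f"local share: {local_share(loc, rem):.2f}")
```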