Bug #5032 (closed)
Suricata throwing wrong seq number alert when packets are only reordered
Description
I've been experimenting with Suricata and it seems to me that Suricata outputs many false alerts about incorrect 3-way handshake SEQ numbers. I am attaching a PCAP to demonstrate the mentioned cases.
So in the PCAP, there is a conversation on port 40982 where packet number 1590 initiates the conversation (SYN). Then the next packet in the PCAP is not the ordinary SYN,ACK; instead it is the ACK of the SYN,ACK that is yet to come. Packet #1803 generates the first alert regarding the wrong SEQ number. All the remaining packets are then flagged with an incorrect SEQ number alert.
The traffic in the PCAP is mixed, as Suricata sometimes did not generate alerts when there was only the conversation on port 40982. This would indicate that Suricata can reorder the packets correctly with a smaller number of packets but not when the traffic is mixed with other streams. This case happened only when I was replaying the traffic onto Suricata. Interestingly, reading the PCAP offline always leads to the aforementioned alerts.
As soon as Suricata gets misaligned on SEQ numbers, it keeps throwing alerts on all remaining packets of the conversation.
Triggered alert rule:
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:2210010; rev:2;)
I am using Suricata compiled from master.
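To make the reordering described in this report reproducible without the original capture, here is an added example (not part of the report, and not Suricata code) that writes a minimal PCAP containing only the three handshake segments in the captured order SYN, ACK, SYN/ACK, reads it back, and runs a toy handshake tracker over it. The addresses, MACs and initial sequence numbers are constructed; only the client port 40982 is taken from the report. The tracker is a model of two possible policies, strict (judge each segment against the state seen so far) and reorder-tolerant (park an early ACK until its SYN/ACK arrives), and does not claim to reproduce Suricata's stream engine.

```python
import struct

# Constructed endpoints for the example; 40982 is the client port from the report.
CLIENT_IP, SERVER_IP = "10.0.0.2", "10.0.0.1"
CLIENT_PORT, SERVER_PORT = 40982, 80
CLIENT_ISN, SERVER_ISN = 1000, 5000   # constructed initial sequence numbers

SYN, ACK = 0x02, 0x10
WRONG = "wrong_seq_wrong_ack"        # mirrors the name of the stream event in the rule


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ip2bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """Ethernet + IPv4 + TCP header-only frame (54 bytes) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = _ip2bytes(src_ip) + _ip2bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     _ip2bytes(src_ip), _ip2bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def reordered_handshake_frames():
    """The three handshake segments in the order the report describes seeing them."""
    syn = build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, CLIENT_ISN, 0, SYN)
    synack = build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT,
                         SERVER_ISN, CLIENT_ISN + 1, SYN | ACK)
    ack = build_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT,
                      CLIENT_ISN + 1, SERVER_ISN + 1, ACK)
    return [syn, ack, synack]           # SYN, then the final ACK, then the SYN/ACK it acknowledges


def pcap_bytes(frames) -> bytes:
    """Classic libpcap format, linktype 1 (Ethernet), one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def write_pcap(path, frames):
    with open(path, "wb") as f:
        f.write(pcap_bytes(frames))


def parse_pcap_bytes(data: bytes):
    """Return the TCP fields of each record, verifying IP and TCP checksums on the way."""
    pkts, off = [], 24
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
        if _checksum(ip) or _checksum(pseudo + tcp):
            raise ValueError("bad checksum in record")
        sport, dport, seq, ack, _, flags = struct.unpack_from("!HHIIBB", tcp)
        pkts.append({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags})
    return pkts


def track_handshake(pkts, tolerate_reorder):
    """Toy 3WHS tracker: one verdict ('ok' or WRONG) per packet, in capture order."""
    verdicts = [None] * len(pkts)
    state, client_isn, server_isn, parked = "none", None, None, None

    def judge_ack(i, p):
        ok = p["seq"] == client_isn + 1 and p["ack"] == server_isn + 1
        verdicts[i] = "ok" if ok else WRONG
        return ok

    for i, p in enumerate(pkts):
        f = p["flags"] & (SYN | ACK)
        if state == "none" and f == SYN:
            client_isn, state, verdicts[i] = p["seq"], "syn_sent", "ok"
        elif state == "syn_sent" and f == SYN | ACK:
            if p["ack"] != client_isn + 1:
                verdicts[i] = WRONG
                continue
            server_isn, state, verdicts[i] = p["seq"], "syn_recv", "ok"
            if parked is not None:                  # now the early ACK can be checked
                if judge_ack(*parked):
                    state = "established"
                parked = None
        elif state == "syn_sent" and f == ACK:
            if tolerate_reorder:
                parked = (i, p)                     # hold judgement until the SYN/ACK shows up
            else:
                verdicts[i] = WRONG                 # no SYN/ACK yet to match it against
        elif state == "syn_recv" and f == ACK:
            if judge_ack(i, p):
                state = "established"
        else:
            verdicts[i] = WRONG
    if parked is not None:                          # SYN/ACK never arrived
        verdicts[parked[0]] = WRONG
    return verdicts


if __name__ == "__main__":
    write_pcap("reordered_3whs.pcap", reordered_handshake_frames())
    pkts = parse_pcap_bytes(pcap_bytes(reordered_handshake_frames()))
    print("strict:  ", track_handshake(pkts, tolerate_reorder=False))
    print("tolerant:", track_handshake(pkts, tolerate_reorder=True))
```

Running the script writes reordered_3whs.pcap, which can then be fed to Suricata offline with `suricata -r reordered_3whs.pcap -l <logdir>` and checked for sid 2210010 in fast.log or eve.json; whether that alert fires for this minimal capture depends on the Suricata version and stream settings in use, so it is a starting point for narrowing the report down rather than a confirmed trigger. In the toy tracker the strict policy flags the second segment exactly as the report describes, while the tolerant policy accepts all three once the SYN/ACK confirms the parked ACK.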