Author Topic: Suricata blocks torrent traffic  (Read 162 times)

limis
Suricata blocks torrent traffic
« on: November 30, 2017, 03:34:09 am »
Hi,

Suricata goes mad and blocks my torrent traffic though the p2p rule is not enabled.

I have just these rules enabled:

emerging-attack_response.rules
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-ciarmy.rules
emerging-compromised.rules   
emerging-current_events.rules
emerging-dos.rules
emerging-dshield.rules   
emerging-exploit.rules
emerging-malware.rules
emerging-mobile_malware.rules
emerging-rbn-malvertisers.rules
emerging-trojan.rules
emerging-worm.rules


There are a lot of alerts with description:

SURICATA STREAM Packet with invalid timestamp

SURICATA STREAM excessive retransmissions


How to fix it?

What are the recommended rule sets to not disturb p2p traffic and have a safe LAN?

Regards

« Last Edit: November 30, 2017, 04:38:03 am by limis »

bmeeks
Re: Suricata blocks torrent traffic
« Reply #1 on: November 30, 2017, 07:05:26 am »
Go to the SYSTEM > ADVANCED menu in pfSense and then to the Networking tab.  Check the three checkboxes to Disable Hardware Checksum Offload, Disable Hardware TCP Segmentation Offloading and Disable Hardware Large Receive Offloading.

If that does not stop the problem, then just disable those rules by clicking the red X beside the alert in the GID:SID column on the ALERTS tab.

Bill
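
A way to confirm from the pfSense shell that the three offload settings above took effect, as an added example that is not part of the reply: the function reads FreeBSD `ifconfig` output and lists interfaces that still show checksum, TSO or LRO offload enabled. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads FreeBSD `ifconfig` output on
# stdin and prints "<iface> <FLAG,FLAG,...>" for every interface whose
# options= line still lists checksum, TSO or LRO offload.
offloads_enabled() {
    awk '
        # Interface header, e.g. "em0: flags=8843<UP,...> metric 0 mtu 1500"
        /^[a-zA-Z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface); next }
        # Capability line, e.g. "options=4219b<RXCSUM,TXCSUM,TSO4,...>"
        # (the "nd6 options=" line does not match and is ignored)
        /^[ \t]+options=/ {
            s = $0
            sub(/^[^<]*</, "", s); sub(/>.*$/, "", s)
            n = split(s, caps, ","); hit = ""
            for (i = 1; i <= n; i++)
                if (caps[i] ~ /^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO)$/)
                    hit = hit (hit == "" ? "" : ",") caps[i]
            if (hit != "") print iface, hit
        }
    '
}

# Constructed sample: em0 still has offloads on, em1 has them off.
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
    ether 00:00:5e:00:53:01
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 00:00:5e:00:53:02
EOF
}

# Demo on the constructed sample; on the firewall use: ifconfig | offloads_enabled
sample_ifconfig | offloads_enabled
```

Empty output means no interface lists any of those capabilities; any line printed names an interface Suricata is inspecting with offload still active.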

limis
Re: Suricata blocks torrent traffic
« Reply #2 on: December 01, 2017, 12:15:33 am »
Thanks. It helped with torrents :)