86601
^Not Suspicious Traffic$
Suricata: Alert - $(alert.signature)
no_full_log
86601
^53$
Suricata: Alert - $(alert.signature)
no_full_log
86601
^SURICATA STREAM SHUTDOWN RST invalid ack$
Suricata: Alert - $(alert.signature)
no_full_log
100510
flow.src_ip
Suricata: Alert - $(alert.signature)
no_full_log
86601
SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
Suricata: TCP handshake anomaly (retransmission/reordering/capture/offload) - noise reduction
no_full_log
100512
flow.src_ip
Suricata: Repeated SYNACK resend anomalies from same host (possible evasion / broken TCP stack / capture issue)
T1046
no_full_log
86601
(Applayer Mismatch|malformed request|unable to match|Sipvicious|SCAN)
Suricata: Alert - $(alert.signature)
no_full_log
86601
^SURICATA STREAM reassembly overlap with different data$
Suricata: Alert - $(alert.signature)
no_full_log
100530
flow.src_ip
Suricata: Alert - $(alert.signature)
no_full_log
86601
^SURICATA STREAM Packet with invalid ack$
Suricata: Alert - $(alert.signature)
no_full_log
100532
flow.src_ip
Suricata: Alert - Multiple invalid TCP acks - Possible TCP attack
no_full_log
86601
^ET INFO TLS Handshake Failure$
Suricata: Alert - $(alert.signature)
no_full_log
100540
flow.src_ip
Suricata: Alert - $(alert.signature)
no_full_log
86601
^ET INFO Microsoft Connection Test$
Suricata: Alert - $(alert.signature)
no_full_log
100550
flow.src_ip
Suricata: Alert - Excessive NCSI - Network problem
no_full_log
86601
^SURICATA STREAM Packet with invalid timestamp$
Suricata: Alert - $(alert.signature)
no_full_log
100560
flow.src_ip
Suricata: Alert - Multiple invalid timestamps - Possible IDS evasion
no_full_log
86601
^SURICATA STREAM FIN out of window$
Suricata: Alert - $(alert.signature)
no_full_log
100570
flow.src_ip
Suricata: Alert - Multiple abnormal FINs - Possible network problem or attack
no_full_log
86601
^SURICATA STREAM FIN invalid ack$
Suricata: Alert - $(alert.signature)
no_full_log
100572
^SURICATA STREAM FIN invalid ack$
Suricata: Alert - $(alert.signature)
no_full_log
86601
^SURICATA UDPv6 invalid checksum$
Suricata: Alert - $(alert.signature)
no_full_log
100580
^SURICATA UDPv6 invalid checksum$
5353
Suricata: Alert - $(alert.signature)
no_full_log
100580
^SURICATA UDPv6 invalid checksum$
flow.src_ip
Suricata: Alert - IPv6 UDP malformed packet flooding (repeated invalid checksum)
T1046
no_full_log
86601
^SURICATA SMB too many transactions$
(10.171.101.36|10.172.101.113)
Suricata: Alert - $(alert.signature)
no_full_log
86601
^SURICATA SMB too many transactions$
(10.171.101.36|10.172.101.113)
Suricata: Alert - $(alert.signature)
no_full_log
100591
flow.src_ip
10.171.101.36
^SURICATA SMB too many transactions$
Suricata: Possible SMB enumeration or ransomware activity
T1021.002
no_full_log
86601
^ET INFO SMB2 NT Create AndX Request For an Executable File$
Suricata: SMB executable file filtering
no_full_log
100600
.+
Suricata: SMB executable file filtering
no_full_log
100601
(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|csv|zip|rar)
Suricata: Executable file in shared folder
86601
ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement
Suricata: SMB DLL access
no_full_log
100610
10.171.101.36
Suricata: SMB DLL access on file server (often legitimate shared app/library)
no_full_log
100610
10.171.101.36
Suricata: SMB DLL access on file server (often legitimate shared app/library)
no_full_log
86601
SURICATA SMB file overlap
Suricata: SMB file overlap (normal SMB read behaviour)
no_full_log
86601
SURICATA STREAM bad window update
Suricata: Network/offloading/capture noise
no_full_log
100630
src_ip
High rate of TCP bad window updates from same host (possible local network stack/capture issue)
T1071.004
no_full_log
86601
SURICATA UDPv4 invalid checksum
Suricata: UDPv4 invalid checksum - likely NIC offload/SPAN capture noise (often QUIC)
no_full_log
100640
flow.src_ip
High rate of UDPv4 invalid checksum from same host (possible malformed UDP flood / DoS)
no_full_log
86601
SURICATA STREAM CLOSEWAIT FIN out of window
Suricata: TCP CLOSEWAIT FIN anomaly on known supervision traffic (likely FP)
no_full_log
100650
src_ip
Suricata: Repeated TCP CLOSEWAIT FIN anomalies from same host (possible evasion or broken TCP stack)
T1046
no_full_log
86601
SURICATA STREAM ESTABLISHED packet out of window
Suricata: TCP stream out-of-window (likely retransmission/capture/offload) - noise reduction
no_full_log
100660
flow.src_ip
Suricata: Repeated TCP out-of-window packets from same host (possible evasion / unstable TCP stack / capture issue)
T1046
no_full_log
100660
8007
Ignore Suricata out of window between PBS during replication
no_full_log
100660
8007
Ignore Suricata out of window between PBS during replication
no_full_log
86601
ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
Suricata: STUN binding response (likely WebRTC/VoIP)
no_full_log
100670
192\.168\.12\.
Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction
no_full_log
100670
10\.17[0-9]\.[12]\.
Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction
no_full_log
100670
flow.src_ip
Suricata: Abnormal STUN activity burst (possible tunneling / unauthorized VoIP / P2P)
T1071
no_full_log
86601
SURICATA STREAM ESTABLISHED invalid ack
Suricata invalid ack
no_full_log
100680
8007
Ignore Suricata invalid ack between PBS during replication
no_full_log
100680
8007
Ignore Suricata invalid ack between PBS during replication
no_full_log
86601
DoH
Suricata: DNS over HTTPS
no_full_log
100700
^10\.172\.253\.
Suricata DNS over HTTPS VLAN ADMINSYS
T1071.004
no_full_log