86601 | ^Not Suspicious Traffic$ | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^53$ | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^SURICATA STREAM SHUTDOWN RST invalid ack$ | Suricata: Alert - $(alert.signature) | no_full_log
100510 | flow.src_ip | Suricata: Alert - $(alert.signature) | no_full_log
86601 | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK | Suricata: TCP handshake anomaly (retransmission/reordering/capture/offload) - noise reduction | no_full_log
100512 | flow.src_ip | Suricata: Repeated SYNACK resend anomalies from same host (possible evasion / broken TCP stack / capture issue) | T1046 | no_full_log
86601 | (Applayer Mismatch|malformed request|unable to match|Sipvicious|SCAN) | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^SURICATA STREAM reassembly overlap with different data$ | Suricata: Alert - $(alert.signature) | no_full_log
100530 | flow.src_ip | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^SURICATA STREAM Packet with invalid ack$ | Suricata: Alert - $(alert.signature) | no_full_log
100532 | flow.src_ip | Suricata: Alert - Multiple TCP ack invalides - Possible ataque TCP | no_full_log
86601 | ^ET INFO TLS Handshake Failure$ | Suricata: Alert - $(alert.signature) | no_full_log
100540 | flow.src_ip | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^ET INFO Microsoft Connection Test$ | Suricata: Alert - $(alert.signature) | no_full_log
100550 | flow.src_ip | Suricata: Alert - NCSI excessif - Problème réseau | no_full_log
86601 | ^SURICATA STREAM Packet with invalid timestamp$ | Suricata: Alert - $(alert.signature) | no_full_log
100560 | flow.src_ip | Suricata: Alert - Multiple timestamps invalides - Possible évasion IDS | no_full_log
86601 | ^SURICATA STREAM FIN out of window$ | Suricata: Alert - $(alert.signature) | no_full_log
100570 | flow.src_ip | Suricata: Alert - Multiple FIN Anormaux - Possible problème réseau ou attaque | no_full_log
86601 | ^SURICATA STREAM FIN invalid ack$ | Suricata: Alert - $(alert.signature) | no_full_log
100572 | ^SURICATA STREAM FIN invalid ack$ | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^SURICATA UDPv6 invalid checksum$ | 5353 | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^SURICATA UDPv6 invalid checksum$ | flow.src_ip | Suricata: Alert - IPv6 UDP malformed packet flooding (repeated invalid checksum) | T1046 | no_full_log
86601 | ^SURICATA SMB too many transactions$ | (10.171.101.36|10.172.101.113) | Suricata: Alert - $(alert.signature) | no_full_log
86601 | ^SURICATA SMB too many transactions$ | (10.171.101.36|10.172.101.113) | Suricata: Alert - $(alert.signature) | no_full_log
100591 | flow.src_ip | 10.171.101.36 | ^SURICATA SMB too many transactions$ | Suricata : Possible SMB enumeration or ransomware activity | T1021.002 | no_full_log
86601 | ^ET INFO SMB2 NT Create AndX Request For an Executable File$ | Suricata: Filtrage executable file SMB | no_full_log
100592 | .+ | Suricata: Filtrage executable file SMB | no_full_log
100593 | (?i)Systeme.*\.exe | Suricata: Known business software (Sphinx) executed from SMB share | no_full_log
100593 | ^ET INFO SMB2 NT Create AndX Request For an Executable File$ | (?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|gif|csv|zip|rar) | Suricata: Fichier executable dans dossier partagé
86601 | ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement | 10.171.101.36 | Suricata : SMB DLL access on file server (often legitimate shared app/library) | no_full_log
86601 | ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement | 10.171.101.36 | Suricata : SMB DLL access on file server (often legitimate shared app/library) | no_full_log
86601 | SURICATA SMB file overlap | Suricata: SMB file overlap (normal SMB read behaviour) | no_full_log
86601 | DoH | Suricata : DNS over HTTPS | no_full_log
100600 | ^10\.172\.253\. | Suricata DNS over HTTPS VLAN ADMINSYS | T1071.004 | no_full_log
86601 | SURICATA STREAM bad window update | Suricata : Network/offloading/capture noiseS | no_full_log
100610 | src_ip | High rate of TCP bad window updates from same host (possible local network stack/capture issue) | T1071.004 | no_full_log
86601 | SURICATA UDPv4 invalid checksum | Suricata : UDPv4 invalid checksum - likely NIC offload/SPAN capture noise (often QUIC) | no_full_log
100620 | flow.src_ip | High rate of UDPv4 invalid checksum from same host (possible malformed UDP flood / DoS) | no_full_log
86601 | SURICATA STREAM CLOSEWAIT FIN out of window | Suricata: TCP CLOSEWAIT FIN anomaly on known supervision traffic (likely FP) | no_full_log
100630 | src_ip | Suricata: Repeated TCP CLOSEWAIT FIN anomalies from same host (possible evasion or broken TCP stack) | T1046 | no_full_log
86601 | SURICATA STREAM ESTABLISHED packet out of window | Suricata: TCP stream out-of-window (likely retransmission/capture/offload) - noise reduction | no_full_log
100632 | flow.src_ip | Suricata: Repeated TCP out-of-window packets from same host (possible evasion / unstable TCP stack / capture issue) | T1046 | no_full_log
86601 | ET INFO Session Traversal Utilities for NAT (STUN Binding Response) | Suricata: STUN binding response (likely WebRTC/VoIP) | no_full_log
100640 | 192\.168\.12\.* | Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction | no_full_log
100640 | 10\.17[0-9]\.[1|2]\. | Suricata: STUN binding response (likely WebRTC/VoIP) - noise reduction | no_full_log
100640 | flow.src_ip | Suricata: Abnormal STUN activity burst (possible tunneling / unauthorized VoIP / P2P) | T1071 | no_full_log
86601 | SURICATA STREAM ESTABLISHED invalid ack | 8007 | Ignore Suricata invalid ack between PBS during replication | no_full_log
86601 | SURICATA STREAM ESTABLISHED invalid ack | 8007 | Ignore Suricata invalid ack between PBS during replication | no_full_log
86601 | SURICATA STREAM ESTABLISHED packet out of window | 8007 | Ignore Suricata out of window between PBS during replication | no_full_log
86601 | SURICATA STREAM ESTABLISHED packet out of window | 8007 | Ignore Suricata out of window between PBS during replication | no_full_log