Bug #2338
closedmultiple drop rules triggered for same packet
Description
I may be wrong but I have read that once a drop rule was in effect, the packet doesn’t get processed any further down the chain.
I am using Suricata 4.0.1 with OPNsense using IPS/inline mode.
I am seeing multiple ET rules drop from the same packet in the logs quite frequently. My concern is some rules are alerts and some are drops and I have no idea which rule would be in effect. I assume the last rule, but I have no control over rule order.
Is Suricata suppose to work this way? Is there an option change I can make in suricata.yaml to stop this?
I have attached an example of two drop rules that matched the same packet.
Files
Updated by Dan Collins almost 7 years ago
According to the suricata manual http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
Drop-
This only concerns the IPS/inline mode. If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further. Drawback: The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.
This is not happening.
Updated by Andreas Herz almost 7 years ago
- Assignee set to Anonymous
- Target version set to Support
Did you look into how the rules were added? Most the rules are alert by default and need to be converted to drop instead. If I look into your screenshots it looks like the rules are still just alert rules.
What Action is defined under Services -> Intrusion Detection -> Rules in your OPNSense?
Updated by Dan Collins almost 7 years ago
All of my testing was done with IPS Inline mode.
Here is an example of 2 drops from the same packet
Updated by Andreas Herz over 5 years ago
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs