Bug #2338

closed

multiple drop rules triggered for same packet

Added by Dan Collins about 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal

Description

I may be wrong but I have read that once a drop rule was in effect, the packet doesn’t get processed any further down the chain.
I am using Suricata 4.0.1 with OPNsense using IPS/inline mode.
I am seeing multiple ET rules drop from the same packet in the logs quite frequently. My concern is some rules are alerts and some are drops and I have no idea which rule would be in effect. I assume the last rule, but I have no control over rule order.
Is Suricata supposed to work this way? Is there an option change I can make in suricata.yaml to stop this?

I have attached an example of two drop rules that matched the same packet.

Files

IPS5.jpg (42.4 KB), Dan Collins, 12/07/2017 05:16 PM
IPS4.jpg (46.9 KB), Dan Collins, 12/07/2017 05:16 PM
IPS2.jpg (53.6 KB), Dan Collins, 12/19/2017 08:46 AM

Actions #1

Updated by Dan Collins about 7 years ago

According to the suricata manual http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html

Drop-
This only concerns the IPS/inline mode. If the program finds a signature that matches, containing drop, it stops immediately. The packet will not be sent any further. Drawback: The receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.

This is not happening.

Actions #2

Updated by Andreas Herz about 7 years ago

  • Assignee set to Anonymous
  • Target version set to Support

Did you look into how the rules were added? Most of the rules are alert by default and need to be converted to drop instead. If I look into your screenshots it looks like the rules are still just alert rules.

What Action is defined under Services -> Intrusion Detection -> Rules in your OPNSense?
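
An added example (not from the ticket, and not OPNsense's or Suricata's own code) of the alert-to-drop conversion described above, run over constructed rule lines, plus a reader for eve.json alert records: Suricata's alert object carries an `action` of `allowed` or `blocked`, which shows for each logged hit whether the packet was actually dropped. Rule text, SIDs and log records below are constructed.

```python
import json
import re

# Constructed sample rules (not from the ticket): two alert rules and one drop rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh probe"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"CONSTRUCTED telnet probe"; sid:9000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED smb probe"; sid:9000003; rev:1;)
"""

# Action keyword, then the rest of the rule; the sid is pulled from the option list.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*\bsid:\s*(?P<sid>\d+)\s*;.*)$")

def rule_actions(text):
    """Return {sid: action} for every active (non-comment) rule line."""
    actions = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            actions[int(m.group("sid"))] = m.group("action")
    return actions

def convert_to_drop(text, sids):
    """Rewrite 'alert' to 'drop' for the given SIDs; all other lines are left as-is."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("action") == "alert" and int(m.group("sid")) in sids:
            line = "drop " + m.group("rest")
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed eve.json records for one flow. Suricata's alert object reports
# "action": "allowed" (alert only) or "blocked" (the packet was dropped).
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"event_type": "alert", "flow_id": 7, "alert": {"signature_id": 9000001, "action": "allowed"}},
    {"event_type": "alert", "flow_id": 7, "alert": {"signature_id": 9000003, "action": "blocked"}},
    {"event_type": "flow", "flow_id": 7},
])

def effective_actions(eve_text):
    """Return {sid: action} from alert events, showing which logged hit actually dropped."""
    result = {}
    for line in eve_text.splitlines():
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            result[ev["alert"]["signature_id"]] = ev["alert"]["action"]
    return result
```

Running `effective_actions` over a real eve.json answers the "which rule was in effect" question directly: a hit logged as `allowed` came from an alert rule, one logged as `blocked` from a drop rule.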

Actions #3

Updated by Dan Collins about 7 years ago

All of my testing was done with IPS Inline mode.
Here is an example of 2 drops from the same packet

Actions #4

Updated by Victor Julien over 6 years ago

  • Priority changed from High to Normal

Actions #5

Updated by Andreas Herz almost 6 years ago

  • Assignee set to Community Ticket

Actions #6

Updated by Andreas Herz over 5 years ago

Can you still reproduce that?

Actions #7

Updated by Andreas Herz over 5 years ago

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions #8

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Closed