Project

General

Profile

Actions

Task #4773

open

research: IPS behavior wrt resource limits

Added by Victor Julien about 3 years ago. Updated over 1 year ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

When Suricata hits internal resource limits, for example the stream.reassembly.memcap, ACL type rules (drop, reject) will be bypassed as we "fail open" in this case.

As an example, due to the memcap we may fail to add the TLS client hello packet to the stream and not have the SNI available. A drop rule based on the tls.sni would then not get evaluated and the flow will default to being passed along.

Need to investigate in which cases this happens and how it can be addressed.


Subtasks 19 (2 open17 closed)

Feature #5214: ips: allow dropping of flow if stream.memcap is hitClosedVictor JulienActions
Feature #5425: ips: allow dropping of flow if stream.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hitClosedVictor JulienActions
Feature #5426: ips: allow dropping of flow if stream.reassembly.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5216: ips: allow dropping of flow if flow.memcap is hitClosedVictor JulienActions
Feature #5427: ips: allow dropping of flow if flow.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5217: ips: allow dropping of flow if applayer specific memcap is hitAssignedOISF DevActions
Feature #5218: ips: allow dropping of flow if applayer reaches error stateClosedVictor JulienActions
Feature #5428: ips: allow dropping of flow if applayer reaches error state (6.0.x backport)ClosedVictor JulienActions
Feature #5219: ips: add 'master switch' to enable dropping on traffic (handling) exceptionsClosedJuliana Fajardini ReichowActions
Feature #5286: ips: allow dropping of packet/flow when alert queue exceededAssignedJuliana Fajardini ReichowActions
Feature #5468: ips: midstream: add "exception policy" for midstreamClosedJuliana Fajardini ReichowActions
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Task #5475: doc: add exception policy documentationClosedJuliana Fajardini ReichowActions
Task #5551: doc: add exception policy documentation (6.0.x)ClosedJuliana Fajardini ReichowActions
Feature #5503: ips: add "reject" action to exception policiesClosedJuliana Fajardini ReichowActions
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Task #5504: exceptions: error out when invalid configuration value is passedClosedJuliana Fajardini ReichowActions
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)ClosedJuliana Fajardini ReichowActions

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #5202: eve/drop: include drop "reason"ClosedVictor JulienActions
Related to Suricata - Feature #5194: tracking: options for simulating various exceptionsIn ProgressVictor JulienActions
Actions #1

Updated by Victor Julien about 3 years ago

  • Description updated (diff)
Actions #2

Updated by Victor Julien over 2 years ago

  • Related to Feature #5202: eve/drop: include drop "reason" added
Actions #3

Updated by Victor Julien over 2 years ago

  • Related to Feature #5194: tracking: options for simulating various exceptions added
Actions #4

Updated by Victor Julien over 2 years ago

  • Subtask #5468 added
Actions #5

Updated by Victor Julien over 2 years ago

  • Subtask #5475 added
Actions #6

Updated by Victor Julien about 2 years ago

  • Subtask #5503 added
Actions #7

Updated by Juliana Fajardini Reichow about 2 years ago

  • Subtask #5504 added
Actions #8

Updated by Victor Julien almost 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 8.0.0-beta1
Actions

Also available in: Atom PDF