Task #4773
openresearch: IPS behavior wrt resource limits
Description
When Suricata hits internal resource limits, for example the stream.reassembly.memcap, ACL type rules (drop, reject) will be bypassed as we "fail open" in this case.
As an example, due to the memcap we may fail to add the TLS client hello packet to the stream and not have the SNI available. A drop rule based on the tls.sni would then not get evaluated and the flow will default to being passed along.
Need to investigate in which cases this happens and how it can be addressed.
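A defender-side check for the fail-open condition described above, as an added example that is not part of the ticket or of Suricata's own code: it scans EVE stats records for growth in the TCP memcap counters and reports the intervals in which drop/reject rules may not have been evaluated. It assumes EVE stats logging with cumulative counters and the counter names tcp.segment_memcap_drop and tcp.ssn_memcap_drop; the sample records are constructed.

```python
import json

# Constructed EVE records for illustration, not real sensor output.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00+0000","event_type":"stats","stats":{"tcp":{"segment_memcap_drop":0,"ssn_memcap_drop":0}}}
{"timestamp":"2024-01-01T10:00:08+0000","event_type":"tls","tls":{"sni":"example.test"}}
{"timestamp":"2024-01-01T10:00:10+0000","event_type":"stats","stats":{"tcp":{"segment_memcap_drop":42,"ssn_memcap_drop":0}}}
{"timestamp":"2024-01-01T10:00:20+0000","event_type":"stats","stats":{"tcp":{"segment_memcap_drop":42,"ssn_memcap_drop":3}}}
{"timestamp":"2024-01-01T10:00:30+0000","event_type":"stats","stats":{"tcp":{"segment_memcap_drop":5,"ssn_memcap_drop":0}}}
not json
"""

# Assumed counter names under stats.tcp in the EVE stats event.
COUNTERS = ("segment_memcap_drop", "ssn_memcap_drop")


def memcap_windows(lines):
    """Return [(start_ts, end_ts, {counter: delta})] for every interval
    between two stats records in which a memcap counter grew."""
    prev_ts, prev = None, None
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("event_type") != "stats":
            continue
        tcp = rec.get("stats", {}).get("tcp", {})
        cur = {c: int(tcp.get(c, 0)) for c in COUNTERS}
        if prev is not None:
            # Counters are assumed cumulative; a decrease means the engine
            # restarted, so the new value is counted from zero.
            delta = {c: cur[c] - prev[c] if cur[c] >= prev[c] else cur[c]
                     for c in COUNTERS}
            grew = {c: d for c, d in delta.items() if d > 0}
            if grew:
                hits.append((prev_ts, rec.get("timestamp"), grew))
        prev_ts, prev = rec.get("timestamp"), cur
    return hits


if __name__ == "__main__":
    for start, end, grew in memcap_windows(SAMPLE_EVE.splitlines()):
        print(f"{start} -> {end}: memcap hit {grew}; "
              "drop/reject rules may have failed open in this window")
```

Flows seen inside a reported window are the ones to re-check against the drop rules, since fields such as the SNI may not have been available to the detection engine.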
Updated by Victor Julien almost 3 years ago
- Related to Feature #5202: eve/drop: include drop "reason" added
Updated by Victor Julien almost 3 years ago
- Related to Feature #5194: tracking: options for simulating various exceptions added
Updated by Victor Julien about 2 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 8.0.0-beta1