Project

General

Profile

Actions
Copy link

Task #4773

open

research: IPS behavior wrt resource limits

Added by Victor Julien about 3 years ago. Updated over 1 year ago.

Status:
Assigned
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

When Suricata hits internal resource limits, for example the stream.reassembly.memcap, ACL type rules (drop, reject) will be bypassed as we "fail open" in this case.

As an example, due to the memcap we may fail to add the TLS client hello packet to the stream and not have the SNI available. A drop rule based on the tls.sni would then not get evaluated and the flow will default to being passed along.

Need to investigate in which cases this happens and how it can be addressed.

Subtasks 19 (2 open17 closed)

Feature #5214: ips: allow dropping of flow if stream.memcap is hitClosedVictor JulienActions
Feature #5425: ips: allow dropping of flow if stream.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hitClosedVictor JulienActions
Feature #5426: ips: allow dropping of flow if stream.reassembly.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5216: ips: allow dropping of flow if flow.memcap is hitClosedVictor JulienActions
Feature #5427: ips: allow dropping of flow if flow.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5217: ips: allow dropping of flow if applayer specific memcap is hitAssignedOISF DevActions
Feature #5218: ips: allow dropping of flow if applayer reaches error stateClosedVictor JulienActions
Feature #5428: ips: allow dropping of flow if applayer reaches error state (6.0.x backport)ClosedVictor JulienActions
Feature #5219: ips: add 'master switch' to enable dropping on traffic (handling) exceptionsClosedJuliana Fajardini ReichowActions
Feature #5286: ips: allow dropping of packet/flow when alert queue exceededAssignedJuliana Fajardini ReichowActions
Feature #5468: ips: midstream: add "exception policy" for midstreamClosedJuliana Fajardini ReichowActions
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Task #5475: doc: add exception policy documentationClosedJuliana Fajardini ReichowActions
Task #5551: doc: add exception policy documentation (6.0.x)ClosedJuliana Fajardini ReichowActions
Feature #5503: ips: add "reject" action to exception policiesClosedJuliana Fajardini ReichowActions
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Task #5504: exceptions: error out when invalid configuration value is passedClosedJuliana Fajardini ReichowActions
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)ClosedJuliana Fajardini ReichowActions

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #5202: eve/drop: include drop "reason"ClosedVictor JulienActions
Related to Suricata - Feature #5194: tracking: options for simulating various exceptionsIn ProgressVictor JulienActions
Actions
Copy link

Also available in: Atom PDF