Project

General

Profile

Actions
Copy link

Task #5510

closed

stream (midstream): investigate - Suri drops flow but still logs second packet of the flow

Added by Juliana Fajardini Reichow about 2 years ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
-
Effort:
Difficulty:
Label:

Description

In IPS mode with stream.midstream=true, if we have a flow that is first seen
in ACK state by Suri and matches against a drop rule, Suri correctly drops the
flow, but still logs an applayer event for the second packet.

Investigated and was able to reproduce this with HTTP and SMB protos. Will add
an SV test to demonstrate.

I noticed this while working on an exception policy for midstream (#5468),
and was able to reproduce on a clean master branch as well.

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5802: ips: txs still logged for dropped flowClosedVictor JulienActions
Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow almost 2 years ago

  • Related to Bug #5802: ips: txs still logged for dropped flow added
Actions
Copy link
 #4

Updated by Victor Julien 4 months ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev
Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow about 2 months ago

  • Status changed from New to Closed
  • Target version deleted (8.0.0-beta1)

Fixed by: https://github.com/OISF/suricata/pull/8949 (#5802)

Removed target version as this was fixed by another ticket for 7.0.0-rc2

Actions
Copy link

Also available in: Atom PDF