Project

General

Profile

Actions

Bug #5867

closed

false-positive drop event_types possible on passed packets

Added by Alex Kulikov almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If both 'pass' and 'dop' rules apply to the same packet/flow, the packet is passed, but the drop log may contain an entry about the packet being dropped.
Example rules:
pass tcp 172.17.1.0/24 any → any 225 (msg:“PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds”; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

and

drop tcp 172.17.1.0/24 any → any 225 (msg:“DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds”; flow:to_server,established; classtype:misc-activity; sid:1000101; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

session on port 225 will work, but the eve-log (with drop log enabled) will show messages like: {“timestamp”:“2023-02-15T18:49:10.169185+0000”,“flow_id”:662827960784155,“in_iface”:“hn0”,“event_type”:“drop”,“src_ip”:“172.17.1.80”,“src_port”:1709,“dest_ip”:“172.17.1.105”,“dest_port”:225,“proto”:“TCP”,“drop”:{“len”:40,“tos”:0,“ttl”:127,“ipid”:27476,“tcpseq”:1500042227,“tcpack”:1787298342,“tcpwin”:65252,“syn”:false,“ack”:true,“psh”:false,“rst”:false,“urg”:false,“fin”:false,“tcpres”:0,“tcpurgp”:0},“alert”:{“action”:“blocked”,“gid”:1,“signature_id”:1000101,“rev”:1,“signature”:“DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds”,“category”:“Misc activity”,“severity”:3}}

without 'alert' event_type messages

seems to have originated somewhere between 6.0.5 and 6.0.9
ref. https://forum.suricata.io/t/drop-log-false-positive-records-possible-since-6-0-6/3228

Thanks!


Subtasks 1 (0 open1 closed)

Bug #5888: false-positive drop event_types possible on passed packets (6.0.x backport)ClosedVictor JulienActions
Actions

Also available in: Atom PDF