Bug #6976

Updated by Juliana Fajardini Reichow 3 months ago

Not sure if a bug or if expected, but as seen in SV test @ips-state-1@ (updated here: https://github.com/OISF/suricata-verify/pull/1781), when we have a @TLS@ flow with a drop rule, Suricata will drop all packets as expected but doesn't set @flow.action@ to drop.

Looking at the stats, I notice that Suricata sees 2 @HTTP@ transactions, but no @TLS@ one. Could it somehow be that @flow.action@ is only set when there is an associated transaction?

----------------
Current test: https://github.com/OISF/suricata-verify/tree/master/tests/ips-state-1
----------------

Test scenario:

rules:
    pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
    drop ip any any -> any any (msg:"DROP ALL"; flow:stateless; sid:2;)

traffic:
pcap contains 3 flows, 2 HTTP, and one TLS.
Flows are passed and dropped as expected, but the TLS one that is dropped doesn't show @flow.action: drop@ in the EVE log.
The passed HTTP flows do show @flow.action: pass@.

---

After more discussion, we reached the conclusion that for a rule like this, we would require that each packet have a flow, and thus it makes sense for @flow.action@ to be updated.

A second, sort of related task is to update the documentation for @flow:stateless@ and make it less paradoxical-looking. (https://docs.suricata.io/en/latest/rules/flow-keywords.html)
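The inconsistency reported above (packets of a flow blocked by a drop rule, but the flow record not carrying @flow.action: drop@) is the kind of thing a small consistency check over the EVE log can surface before it reaches a verify test. The following script is an added example and is not part of the ticket, the suricata-verify test, or Suricata itself. It assumes the standard EVE field names @event_type@, @flow_id@, @app_proto@, @alert.action@ (which Suricata sets to @"blocked"@ for drop rules) and @flow.action@; the EVE lines embedded in it are constructed to mirror the scenario in the ticket, not copied from real output.

```python
import json

# Constructed sample EVE records (not real Suricata output): two HTTP flows that
# hit the pass rule, one TLS flow whose packets were blocked by the drop rule
# but whose flow record lacks flow.action, as described in the ticket.
SAMPLE_EVE = """\
{"event_type":"flow","flow_id":1,"app_proto":"http","flow":{"action":"pass","pkts_toserver":5}}
{"event_type":"flow","flow_id":2,"app_proto":"http","flow":{"action":"pass","pkts_toserver":6}}
{"event_type":"alert","flow_id":3,"app_proto":"tls","alert":{"action":"blocked","signature_id":2}}
{"event_type":"alert","flow_id":3,"app_proto":"tls","alert":{"action":"blocked","signature_id":2}}
{"event_type":"flow","flow_id":3,"app_proto":"tls","flow":{"pkts_toserver":4}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of dict records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocked_flow_ids(records):
    """Return the set of flow_ids that have at least one alert with action 'blocked',
    i.e. flows in which a drop rule fired on some packet."""
    return {
        rec["flow_id"]
        for rec in records
        if rec.get("event_type") == "alert"
        and rec.get("alert", {}).get("action") == "blocked"
    }


def find_flow_action_mismatches(records):
    """For every flow record belonging to a blocked flow, check that the flow
    record itself says flow.action == 'drop'.

    Returns a list of (flow_id, app_proto, actual_action) tuples for flows where
    the action is missing or something other than 'drop'. An empty list means
    the flow log agrees with the alert log."""
    blocked = blocked_flow_ids(records)
    mismatches = []
    for rec in records:
        if rec.get("event_type") != "flow" or rec["flow_id"] not in blocked:
            continue
        actual = rec.get("flow", {}).get("action")  # None when the key is absent
        if actual != "drop":
            mismatches.append((rec["flow_id"], rec.get("app_proto"), actual))
    return mismatches


if __name__ == "__main__":
    # Point this at a real eve.json by replacing SAMPLE_EVE with the file contents.
    for flow_id, proto, actual in find_flow_action_mismatches(parse_eve(SAMPLE_EVE)):
        print(f"flow {flow_id} ({proto}): packets blocked but flow.action={actual!r}")
```

On the constructed input the check reports only the TLS flow (flow_id 3) with @flow.action@ missing, which is exactly the symptom the ticket describes; once @flow.action@ is updated for every flow that a stateless drop rule hits, the same check returns nothing.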
