Hi @vjulien,
With 6.0.6 released, I saw that you made a change to address #5403 which now silently drops the subsequent packets from a dropped flow (for stateless protocols, e.g. UDP).
This seems reasonable initially, but after testing, it changes the original behaviour for some of our use cases. One issue we hit is that we have rules that block DNS requests and log the alerts. Since each DNS request is somewhat stateless, it makes more sense that each request is inspected and alerted separately. However, with the said change, since Suricata sees these requests as belonging to a single flow (based on the IP tuples), as soon as the client is blocked for a single request, it is no longer able to resolve anything subsequently, whether the new request is allowed or blocked by the rules, unless the client starts a new flow using a different source port.
Since we have no control of the client’s behaviour, we’re stuck. Also, we think it is reasonable that the client uses the same port for stateless DNS queries.
For things to work properly, I’m thinking there are a couple of options.
- Add a new action type. Instead of reject/drop that applies to the entire flow, a new action to be introduced to act just for that packet.
- Add a simple boolean configuration to disable this change.
- Add a configuration that specifies a list of app protocols to exempt from this change.
Any thoughts?
Thanks a lot,
Steven
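As an added illustration of the behaviour discussed in this post (a constructed toy model, not Suricata's code or anything from this thread), the following compares a per-packet verdict with a verdict cached on the flow, and shows the effect of the proposed per-app-protocol exemption. The rule set, the client traffic and the `process` function are all assumptions made for the example.

```python
# Toy model of per-flow vs per-packet drop verdicts for stateless UDP traffic.
# Constructed example, not Suricata's own code: a toy rule set and a toy flow table.
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port app_proto qname")

# Toy rules: qname -> action. Anything not listed is passed.
RULES = {"blocked.example": "drop"}

def flow_key(p):
    # Bidirectional 5-tuple (UDP assumed); reusing the source port keeps the same flow.
    return tuple(sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])) + ("udp",)

def inspect(p):
    # Per-packet rule evaluation, as if each DNS request were a separate event.
    return RULES.get(p.qname, "pass")

def process(packets, flow_drop=True, exempt_app_protos=frozenset()):
    """Return one verdict per packet.

    flow_drop=True models the behaviour described in the post: once a packet in a
    flow is dropped, later packets of that flow are dropped without inspection.
    exempt_app_protos models the proposed list of app protocols to exempt.
    """
    dropped_flows = set()
    verdicts = []
    for p in packets:
        key = flow_key(p)
        if flow_drop and key in dropped_flows and p.app_proto not in exempt_app_protos:
            verdicts.append("drop")      # silent: no rule evaluation, no alert
            continue
        v = inspect(p)
        if v == "drop":
            dropped_flows.add(key)
        verdicts.append(v)
    return verdicts

# Constructed traffic: one client reusing source port 53000 for three DNS queries,
# then a fourth query from a fresh source port.
CLIENT, RESOLVER = "10.0.0.5", "10.0.0.53"
QUERIES = [
    Packet(CLIENT, 53000, RESOLVER, 53, "dns", "allowed.example"),
    Packet(CLIENT, 53000, RESOLVER, 53, "dns", "blocked.example"),
    Packet(CLIENT, 53000, RESOLVER, 53, "dns", "allowed.example"),
    Packet(CLIENT, 53001, RESOLVER, 53, "dns", "allowed.example"),
]

if __name__ == "__main__":
    print("flow drop      :", process(QUERIES))
    print("dns exempted   :", process(QUERIES, exempt_app_protos={"dns"}))
    print("per-packet only:", process(QUERIES, flow_drop=False))
```

With the flow-level drop, the third query is dropped without ever being inspected or alerted on, while the query from the new source port goes through; exempting `dns` restores per-request verdicts for that flow.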