Blocking traffic after upgrade

Hello,
I’m currently using OPNsense and upgraded with 23.7 to Suricata 7.0.

However, after launching Suricata, all traffic is getting blocked except ICMP.

I can see my eve.json being spammed with the following, matching my internal addresses:
{"timestamp":"2023-07-23T00:47:17.579664+0200","flow_id":1645215458582628,"in_iface":"igb0","event_type":"drop","src_ip":"216.xx.xx.xx","src_port":443,"dest_ip":"192.xx.xx.xx","dest_port":9817,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_server","drop":{"len":60,"tos":128,"ttl":124,"ipid":0,"tcpseq":3264133184,"tcpack":555486239,"tcpwin":65535,"syn":true,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"stream midstream"}}

I checked if midstream checking is enabled, but it isn't.

I’m using ET-Open and Snort 2.9.20 ruleset.

Any suggestions or ideas how to track or solve this?

Thanks

Hello there,

This looks to be due to the new fail-close behavior for exception policies in Suricata 7. The drop.reason: stream midstream indicates that Suri is seeing midstream sessions, but these are not enabled, and therefore such flows are being dropped.

A workaround would be to set stream.midstream-policy: ignore in your yaml file.

We’ve created a FAQ to help clarify and navigate such situations: My traffic gets blocked after upgrading to Suricata 7

Please let us know if this solves your issue!

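A triage script for the symptom described in this thread, added here as an example and not taken from the thread or from the Suricata project: it tallies eve.json drop events by drop.reason so you can confirm that nearly every drop is "stream midstream" before changing stream.midstream-policy. The sample lines are constructed (the first reproduces the event quoted in the question); the function names and the 0.9 threshold are my own choices.

```python
import json
from collections import Counter

# Constructed eve.json sample: line 1 is the drop event quoted in the question
# (addresses masked as in the post); the others are made up to show that the
# tally separates midstream drops from other drops and from non-drop events.
SAMPLE_EVE = r'''
{"timestamp":"2023-07-23T00:47:17.579664+0200","flow_id":1645215458582628,"in_iface":"igb0","event_type":"drop","src_ip":"216.xx.xx.xx","src_port":443,"dest_ip":"192.xx.xx.xx","dest_port":9817,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_server","drop":{"len":60,"tos":128,"ttl":124,"ipid":0,"tcpseq":3264133184,"tcpack":555486239,"tcpwin":65535,"syn":true,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"stream midstream"}}
{"timestamp":"2023-07-23T00:47:18.000000+0200","flow_id":1,"event_type":"drop","src_ip":"192.xx.xx.xx","src_port":50000,"dest_ip":"216.xx.xx.xx","dest_port":443,"proto":"TCP","drop":{"syn":false,"ack":true,"reason":"stream midstream"}}
{"timestamp":"2023-07-23T00:47:19.000000+0200","flow_id":2,"event_type":"drop","src_ip":"10.0.0.5","src_port":1234,"dest_ip":"10.0.0.6","dest_port":80,"proto":"TCP","drop":{"syn":true,"ack":false,"reason":"flow memcap"}}
{"timestamp":"2023-07-23T00:47:20.000000+0200","flow_id":3,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.6","proto":"ICMP"}
a truncated or garbled line that must be skipped rather than abort the run
'''


def summarize_drops(eve_text):
    """Tally event_type=drop records by drop.reason; non-JSON lines are skipped.
    Returns (Counter by reason, total drops, flow_ids dropped as midstream)."""
    by_reason, midstream_flows, total = Counter(), set(), 0
    for raw in eve_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "drop":
            continue
        total += 1
        reason = ev.get("drop", {}).get("reason", "unknown")
        by_reason[reason] += 1
        if reason == "stream midstream":
            midstream_flows.add(ev.get("flow_id"))
    return by_reason, total, midstream_flows


def midstream_share(eve_text):
    """Fraction of all drops attributed to 'stream midstream' (0.0 if no drops)."""
    by_reason, total, _ = summarize_drops(eve_text)
    return by_reason["stream midstream"] / total if total else 0.0


def looks_like_midstream_fail_close(eve_text, threshold=0.9):
    """True when nearly every drop is a midstream drop: the pattern from the
    post, which the reply attributes to the fail-close exception policy and
    addresses with 'stream.midstream-policy: ignore' in suricata.yaml."""
    return midstream_share(eve_text) >= threshold
```

Run it against a copy of your own eve.json; a high midstream share with almost no other drop reasons is the signature the reply above describes.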

This solves my issue.

The FAQ would be a great addition here: 4. Upgrading — Suricata 7.0.1-dev documentation

Thank you so much!


Glad to know the issue is fixed!

We will improve our Exception policies documentation, for sure. Thanks for the feedback!
