Please include the following information with your help request:
- Suricata version
- Operating system and/or Linux distribution
- How you installed Suricata (from source, packages, something else)
- User is running curl -v -k -I https://1.1.1.1, and below are the scenarios, which have different outcomes.
- curl gets stuck at the Client Hello, meaning the drop rule kicked in, using the rules below:
pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (flow:not_established; sid: 11111; rev:2;)
drop tcp $HOME_NET any <> [!10.0.0.0/16] $HTTPS_PORTS (sid: 44444; rev:2;)
- User is able to visit https://1.1.1.1 using the rules below:
pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (flow:not_established; sid: 11111; rev:2;)
drop tcp $HOME_NET any <> [1.1.1.0/8] $HTTPS_PORTS (sid: 44444; rev:2;)
- User is able to visit https://1.1.1.1 using the rules below:
pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (flow:not_established; sid: 11111; rev:2;)
drop tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (sid: 44444; rev:2;)
- Now, if I add the flow:established keyword to the drop rule, it blocks the HTTPS traffic.
- My question is: why did the first scenario work even though we don't specify the flow keyword?
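As a first check on the three scenarios above, it helps to confirm whether the rule headers even differ for this connection, independently of the flow keyword. The script below is an added example, not code from the post or from the Suricata project: it is a small model of Suricata's address and port group syntax (any, $VAR, [a,b,...], ! negation, CIDR, port ranges) and applies each drop rule header to a client talking to 1.1.1.1:443. It assumes the suricata.yaml defaults for HOME_NET, EXTERNAL_NET and HTTPS_PORTS, a constructed client address 192.168.1.20, and that Suricata masks host bits in a netblock like 1.1.1.0/8 the way Python's ipaddress does with strict=False. It deliberately ignores flow state and action ordering, so it only answers "does the header cover this traffic at all".

```python
"""Model of Suricata address/port group matching, applied to the drop rules from the post."""
import ipaddress

# Assumed values: the suricata.yaml defaults (adjust to the deployment being debugged).
VARIABLES = {
    'HOME_NET': '[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]',
    'EXTERNAL_NET': '!$HOME_NET',
    'HTTPS_PORTS': '443',
}

# Rules as posted; the pass rule is identical in every scenario, only the drop rule changes.
PASS_RULE = ('pass tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS '
             '(flow:not_established; sid: 11111; rev:2;)')
DROP_RULES = [
    'drop tcp $HOME_NET any <> [!10.0.0.0/16] $HTTPS_PORTS (sid: 44444; rev:2;)',
    'drop tcp $HOME_NET any <> [1.1.1.0/8] $HTTPS_PORTS (sid: 44444; rev:2;)',
    'drop tcp $HOME_NET any <> $EXTERNAL_NET $HTTPS_PORTS (sid: 44444; rev:2;)',
]


def _split_top_level(expr):
    """Split 'a,[b,c],d' on the commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, []
    for ch in expr:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def _matches(expr, value, variables, leaf):
    """Evaluate a Suricata group expression (model, not Suricata's own code).

    'any' matches everything; '!x' negates; '$NAME' is resolved from `variables`;
    '[...]' matches when the value is inside at least one positive entry (or there
    are no positive entries) and inside none of the negated entries; anything else
    is an atom handed to `leaf`.
    """
    expr = expr.strip()
    if expr == 'any':
        return True
    if expr.startswith('!'):
        return not _matches(expr[1:], value, variables, leaf)
    if expr.startswith('$'):
        return _matches(variables[expr[1:]], value, variables, leaf)
    if expr.startswith('[') and expr.endswith(']'):
        entries = _split_top_level(expr[1:-1])
        positives = [e for e in entries if not e.startswith('!')]
        negatives = [e for e in entries if e.startswith('!')]
        in_positive = not positives or any(_matches(e, value, variables, leaf) for e in positives)
        in_negative = any(_matches(e[1:], value, variables, leaf) for e in negatives)
        return in_positive and not in_negative
    return leaf(expr, value)


def _ip_leaf(expr, ip):
    # strict=False masks host bits, so '1.1.1.0/8' is treated as 1.0.0.0/8.
    # Assumption: Suricata normalises such netblocks the same way.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def _port_leaf(expr, port):
    if ':' in expr:  # range 'lo:hi', either end may be open
        lo, hi = expr.split(':', 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(expr) == port


def parse_header(rule):
    """Split 'action proto src sport dir dst dport (options)' and pull out the sid."""
    header, _, options = rule.partition('(')
    action, proto, src, sport, direction, dst, dport = header.split()
    sid = None
    for opt in options.rstrip(') ').split(';'):
        name, _, val = opt.strip().partition(':')
        if name.strip() == 'sid':
            sid = int(val.strip())
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'sid': sid}


def header_matches(rule, client_ip, client_port, server_ip, server_port, variables):
    """True if the header covers the client->server 5-tuple; '<>' tries both orientations.
    Flow state (flow:established / not_established) is not modelled here."""
    h = parse_header(rule)

    def one_way(a_ip, a_port, b_ip, b_port):
        return (_matches(h['src'], a_ip, variables, _ip_leaf)
                and _matches(h['sport'], a_port, variables, _port_leaf)
                and _matches(h['dst'], b_ip, variables, _ip_leaf)
                and _matches(h['dport'], b_port, variables, _port_leaf))

    forward = one_way(client_ip, client_port, server_ip, server_port)
    if h['dir'] == '<>':
        return forward or one_way(server_ip, server_port, client_ip, client_port)
    return forward


def drop_rules_covering(client_ip='192.168.1.20', server_ip='1.1.1.1', server_port=443):
    """Destination expression of every posted drop rule whose header covers the connection
    (constructed client 192.168.1.20:52000 to the post's 1.1.1.1:443)."""
    return [parse_header(r)['dst'] for r in DROP_RULES
            if header_matches(r, client_ip, 52000, server_ip, server_port, VARIABLES)]


if __name__ == '__main__':
    print(drop_rules_covering())
```

Under these assumptions all three drop headers cover the 1.1.1.1:443 connection, and so does the pass header, which means the header addresses alone do not distinguish the scenarios; whatever differs must come from flow state, rule ordering, or how the pass rule's match is applied to the rest of the flow, which is exactly what the question is about and what this model does not attempt to reproduce.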