Drop log false positive records possible since 6.0.6?

Fright · February 15, 2023, 8:45am

Hi!
we have two opnsense instances with Suricata in IPS mode on both. one with 6.0.5 and one with 6.0.9.
both have eve-log drop alerts enabled with:

drop:
alerts: yes # log alerts that caused drops
flows: start

both instances have two test rules like:
pass tcp 172.17.1.0/24 any → any 225 (msg:“PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds”; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)
and
drop tcp 172.17.1.0/24 any → any 225 (msg:“DROP LOCAL NET Port 225::A12flags::flow established: to_server::no thresholds”; flow:to_server,established; flags: A,12; classtype:misc-activity; sid:1000103; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

both instances have test smtp server listening on tcp 225
smtp session works on both instances. but…on 6.0.9 it produces “drop” event_type records in eve-log for sid:1000103.

can it be related to Optimization #5127: alerts: use alert queing in DetectEngineThreadCtx (6.0.x backport) - Suricata - Open Information Security Foundation (and setting drop action in AlertQueueAppend())?
thanks!

jufajardini · February 15, 2023, 5:52pm

Hey there!

I’m trying to better visualize this. Would it be possible for you to share logs and/or a pcap where you observe this happening?

I’m not sure if it could be related, but we did find this bug: Bug #5806: exceptions: midstream flows are dropped if midstream=true && stream.midstream-policy=drop-flow (6.0.x backport) - Suricata - Open Information Security Foundation that led to unexpected drops in case of packets detected as midstream (and this was only fixed in 6.0.10). Do you have the exception policy for midstream set to drop-flow or drop-packet?

If we do confirm this is a bug, we’ll ask you to report it on: Issues - Suricata - Open Information Security Foundation

Thanks in advance for any info you can add

jufajardini · February 15, 2023, 6:34pm

To complement my answer: I wouldn’t expect the issue to be in setting the drop action in the AlertQueueAppend() function, because that’s called after Suri has decided the signature alerted, already…

Fright · February 15, 2023, 7:10pm

Hi!
Thanks for the quick response!
packets not actually dropped - just reported as dropped in drop log.
To make the example more clear, I changed the drop rule. so now the rules look like this:

pass tcp 172.17.1.0/24 any → any 225 (msg:“PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds”; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

and

drop tcp 172.17.1.0/24 any → any 225 (msg:“DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds”; flow:to_server,established; classtype:misc-activity; sid:1000101; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

drop_only.zip (2.2 KB)
pass_and_drop.zip (16.3 KB)
I attach two pcap files: the first for the case when only the drop rule is enabled (no complaints here. The smtp session hangs after receiving the server header. all as expected), the second - when both rules are enabled (the smtp session runs without problems, but messages about packet drops appear in the log)

messages in eve-log looks like:
{“timestamp”:“2023-02-15T18:49:10.169185+0000”,“flow_id”:662827960784155,“in_iface”:“hn0”,“event_type”:“drop”,“src_ip”:“172.17.1.80”,“src_port”:1709,“dest_ip”:“172.17.1.105”,“dest_port”:225,“proto”:“TCP”,“drop”:{“len”:40,“tos”:0,“ttl”:127,“ipid”:27476,“tcpseq”:1500042227,“tcpack”:1787298342,“tcpwin”:65252,“syn”:false,“ack”:true,“psh”:false,“rst”:false,“urg”:false,“fin”:false,“tcpres”:0,“tcpurgp”:0},“alert”:{“action”:“blocked”,“gid”:1,“signature_id”:1000101,“rev”:1,“signature”:“DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds”,“category”:“Misc activity”,“severity”:3}}.

opnsense does not set exception policy afaik: https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml

sorry, just trying to understand how this condition can be met (if I understand correctly the reason for the entry in the log)

github.com

OISF/suricata/blob/d0b1a04eb09ebe43ca841768db81933f99a78928/src/output-json-drop.c#L372


      
          
                  /* for a flow that will be dropped fully, log just once per direction */
                  if (p->flow->flags & FLOW_ACTION_DROP) {
                      if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED))
                          ret = TRUE;
                      else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
                          ret = TRUE;
                  }
          
                  /* if drop is caused by signature, log anyway */
                  if (p->alerts.drop.action != 0)
                      ret = TRUE;
          
                  return ret;
              } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
                  return TRUE;
              }
          
              return FALSE;
          }

Thanks again!

jufajardini · February 15, 2023, 7:50pm

Hi again,

Thanks for more input. I’m sorry, I didn’t consider in my answer the possibility that the same packet would be triggering both rules.

This reminds me a bit of Bug #5458: Reject action is no longer working - Suricata - Open Information Security Foundation, but that was fixed in 6.0.7. I’ll investigate this furhter. Could you please create a bug report?

Fright · February 16, 2023, 7:43am

sure, thanks!

Fright · March 28, 2023, 5:05pm

Thanks a lot for your help!
for the ref. issue is fixed by https://github.com/OISF/suricata/commit/517132b6ad0347c8402b3aace885d1b734609fec

Topic		Replies	Views
Threshold vs detection_filter Help	0	755	November 28, 2020
Alert for every drop/alert Help	0	43	April 11, 2024
Understanding packets and log records Rules suricata	0	317	January 3, 2023
Not alerts are triggered in suricata V 6.0.13	7	292	August 28, 2023
Suricata 6.0.0 not logging the same alert as 4.1.4 Help	5	476	May 26, 2021

Drop log false positive records possible since 6.0.6?

Related Topics