Injection interface does not block traffic

This is Suricata version 6.0.10 RELEASE
Debian 12.8
mellanox connect x4 10G
We are using a Juniper MX series router and we are mirroring the traffic to the ens8f0np0 port. I am sending the reject traffic to the ens8f1np1 port. When I check with tcpdump, I see the reject traffic but there is no blocking. I couldn't find where I went wrong.

```
06:00:30.913999 IP x.x.x.x.57263 > eb-in-f155.1e100.net.https: Flags [R.], seq 2796762195, ack 1706117954, win 1046, length 0
```

```
reject tcp any any -> any 80 (msg:"Trigger SYN packet"; sid:1000001; rev:1;)
reject tls any any -> any any (msg:"Trigger SYN packet"; sid:1000002; rev:1;)
```

```
suricata -c /etc/suricata/suricata.yaml --af-packet --reject-dev ens8f1np1
```

```yaml
%YAML 1.1
---

detect-engine:
  mode: inline
af-packet:
  - interface: ens8f0np0
    threads: 32
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

  - interface: ens8f1np1               # Injection port
    injection: yes
    threads: 64
    checksum-checks: no
app-layer:
  protocols:
    http:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      ja3: yes
      ja3-fingerprints: yes
      ja3s: yes
    dns:
      enabled: yes
    ftp:
      enabled: yes
    smb:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
    dcerpc:
      enabled: yes
    modbus:
      enabled: yes
    enip:
      enabled: yes
    dnp3:
      enabled: yes
    nfs:
      enabled: yes
    ntp:
      enabled: yes
    tftp:
      enabled: yes
    ikev2:
      enabled: yes
    krb5:
      enabled: yes
    dhcp:
      enabled: yes
    snmp:
      enabled: yes
    sip:
      enabled: yes
    rfb:
      enabled: yes
    mqtt:
      enabled: yes
    rdp:
      enabled: yes
    http2:
      enabled: yes
    imap:
      enabled: yes

stream:
  memcap: 512mb

default-rule-path: /etc/suricata/rules

rule-files:
  - suricata.rules


stats:
  enabled: yes
  interval: 8
outputs:
  - stats:
      enabled: yes
      filename: /var/log/suricata/stats.log
  - eve-log:
      enabled: yes
      filetype: regular  # json format
      filename: /var/log/suricata/eve.json
      types:
        - alert:
            payload: yes           # Logs the payload of triggered packets
            payload-printable: yes  # Logs only printable characters in payload
            packet: yes             # Includes packet information
            http: yes               # Logs HTTP alert details
            tls: yes                # Logs TLS connection details
            ja3: yes
  - fast:
      enabled: yes
      filename: /var/log/suricata/fast.log


logging:
  default-log-level: debug
  outputs:
    - console:
        enabled: yes
```

Reject / TCP reset injection is fundamentally unreliable, as the RST packet(s) race the original packets to the destination. So if they are late, the connection can already be done, etc.

Also, there is no guarantee that the RST even makes it to the target, or is accepted by the target.

For reliable dropping/blocking, use the IPS mode.

Btw version 6 is EOL, so please upgrade to 7.0.7. There have also been some fixes in 7 that are possibly relevant.
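
An af-packet IPS-mode layout of the kind the reply recommends, as an added example that is not part of the original thread or the poster's configuration. It assumes the two ports are cabled in the traffic path rather than fed from a router mirror port; the interface names are reused from the post, and the thread counts and cluster-id values are constructed.

```yaml
%YAML 1.1
---
# Added example (assumption: Suricata sits inline between two network
# segments, so every packet must pass through it to reach the other side).
# In this layout a packet that matches a drop rule is never copied to the
# peer interface, so there is no RST racing the original traffic.
af-packet:
  - interface: ens8f0np0
    threads: 16               # constructed value; must match the peer interface
    cluster-id: 98            # constructed value
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips            # forward accepted packets, discard dropped ones
    copy-iface: ens8f1np1     # peer interface that accepted packets are copied to

  - interface: ens8f1np1
    threads: 16               # same thread count as ens8f0np0
    cluster-id: 97            # constructed value, different from the peer's
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: ens8f0np0     # return direction

# Rules then use the drop action instead of reject, for example the
# post's first rule rewritten:
#   drop tcp any any -> any 80 (msg:"Trigger SYN packet"; sid:1000001; rev:1;)
#
# Start without --reject-dev, which is only needed for out-of-band resets:
#   suricata -c /etc/suricata/suricata.yaml --af-packet
```

On a mirror port this layout cannot work, because the mirrored copy is not the packet that reaches the destination; the sensor has to be moved into the forwarding path first.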