My traffic gets blocked after upgrading to Suricata 7

New default exception policies for 7

Suricata 7 behaves more like a firewall: by default it fails closed.
This is because the exception policies now default to drop-flow or drop-packet whenever an exceptional condition is met. Currently, such conditions are a midstream session pick-up, an application layer protocol error, or a memcap hit.

Some set-ups are more prone to such blocks, for instance if your traffic usually contains many midstream sessions.

Read more about all of Suricata’s exception policies: 12.3. Exception Policies — Suricata 7.0.1-dev documentation

Inspecting why traffic is dropped

If your traffic is being blocked, enable the drop logs and inspect them, in particular the drop reason. For example, "reason":"stream midstream" in the drop logs indicates that Suricata picked up a session midstream and, because midstream pick-ups are not enabled, the default midstream exception policy dropped the flow.

A jq one-liner to filter logs and find the drop reason is:

jq -c 'select(.drop) | .drop.reason' eve.json | sort | uniq -c

This could give a result like:

   1118 "flow drop" 
     14 "stream error" 
    131 "stream midstream" 

Fixes and workarounds

Traffic blocked with reason: “stream midstream”

Fix: address the midstream issues.
Workaround: in suricata.yaml, set midstream-policy to ignore.

Traffic blocked with reason: “applayer error”

Fix: investigate and address the application layer protocol issues.
Workaround: in suricata.yaml, set:

  error-policy: ignore

Traffic blocked with reason “memcap”

Every memcap exception policy reports a reason of the form "<policy> memcap":

  • flow memcap
  • stream memcap (policies: stream memcap, stream reassembly memcap)
  • defrag memcap

Each of these can be disabled (set to ignore) separately: 12.3. Exception Policies — Suricata 7.0.1-dev documentation

To disable all exception policies at once (the nuclear option):

--set exception-policy=ignore
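As an added example (not code from the forum post), here is the same drop-reason count as the jq one-liner above, done in Python so it also tolerates a truncated last line of a live eve.json, plus a lookup from each reason to the suricata.yaml key from the fixes section that overrides it. The EVE lines are constructed, and the memcap-policy key names are assumed from the Suricata 7 configuration rather than taken from this post.

```python
"""Count EVE drop reasons and map each to the suricata.yaml policy key that
controls it. Added example, not from the forum post. The key names are
assumed from the Suricata 7 exception-policy settings; the sample EVE
lines below are constructed, not real captures."""
import json
from collections import Counter

# Drop reason -> suricata.yaml key whose value ("ignore", "drop-flow", ...)
# sets that exception policy. "flow drop" has no key of its own: the flow
# was already flagged to drop by an earlier decision.
REASON_TO_SETTING = {
    "stream midstream": "stream.midstream-policy",
    "applayer error": "app-layer.error-policy",
    "flow memcap": "flow.memcap-policy",
    "stream memcap": "stream.memcap-policy",
    "stream reassembly memcap": "stream.reassembly.memcap-policy",
    "defrag memcap": "defrag.memcap-policy",
}


def drop_reasons(eve_lines):
    """Equivalent of the jq one-liner: count drop.reason over EVE records.
    Lines that are not valid JSON or carry no 'drop' object are skipped."""
    counts = Counter()
    for line in eve_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # partial line at the tail of a log still being written
        drop = rec.get("drop")
        if isinstance(drop, dict):
            counts[drop.get("reason", "<no reason>")] += 1
    return counts


def suggest_setting(reason):
    """Per-policy override for a reason, or the global switch as fallback."""
    return REASON_TO_SETTING.get(reason, "exception-policy (global)")


# Constructed sample: three drop events, one alert, one truncated line.
SAMPLE_EVE = [
    '{"event_type":"drop","drop":{"reason":"stream midstream"}}',
    '{"event_type":"drop","drop":{"reason":"stream midstream"}}',
    '{"event_type":"drop","drop":{"reason":"flow memcap"}}',
    '{"event_type":"alert","alert":{"action":"allowed"}}',
    '{"event_type":"drop","drop":{"reas',
]

if __name__ == "__main__":
    for reason, n in drop_reasons(SAMPLE_EVE).most_common():
        print(f"{n:>6} {reason!r:28} -> {suggest_setting(reason)}")
```

Run it against a real log with `drop_reasons(open("eve.json"))` to get the same counts as the jq command, with each reason paired to the setting to tune.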

