New default exception policies for 7
Suricata 7 will behave more like a firewall, defaulting to failing closed. This is because the exception policies now default to drop-flow or drop-packet whenever an exceptional condition is met; currently, such conditions are a midstream session pick-up, an application layer protocol error, or a memcap hit.
Some set-ups can be more prone to such blocks, for instance if your traffic usually shows many midstream sessions.
Read more about all of Suricata’s exception policies: 12.3. Exception Policies — Suricata 7.0.1-dev documentation
Inspecting why traffic is dropped
If your traffic is being blocked, you can enable and inspect the drop logs, especially the drop reason. For example, "reason":"stream midstream" in the drop logs indicates that Suricata has picked up a midstream session and, because midstream pick-ups are not enabled, the default midstream exception policy drops such flows.
A jq one-liner to filter the logs and count the drop reasons is:
cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
This could give a result like:
1118 "flow drop"
14 "stream error"
131 "stream midstream"
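The same aggregation done in Python, as an added example that is not part of the original post or of Suricata itself: it counts the drop reasons in EVE JSON lines the way the jq one-liner does, skips malformed lines instead of aborting, and maps each reason to the suricata.yaml policy key that the workarounds below set to ignore (the per-memcap key names follow the Suricata 7 exception-policy documentation linked here). The sample EVE lines are constructed.

```python
import json
from collections import Counter

# Constructed EVE JSON lines (not real logs); only the fields this script reads are present.
SAMPLE_EVE = """\
{"event_type":"drop","src_ip":"10.0.0.5","drop":{"reason":"stream midstream"}}
{"event_type":"drop","src_ip":"10.0.0.6","drop":{"reason":"flow drop"}}
{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature_id":1}}
{"event_type":"drop","src_ip":"10.0.0.8","drop":{"reason":"stream midstream"}}
{"event_type":"drop","src_ip":"10.0.0.9","drop":{"reason":"applayer error"}}
{"event_type":"drop","src_ip":"10.0.0.9","drop":{"reason":"flow memcap"}}
this line is not JSON and must be skipped rather than crash the run
"""

# Drop reason -> (suricata.yaml key to set to "ignore" as a workaround, the real fix).
ADVICE = {
    "stream midstream": ("stream.midstream-policy", "address midstream issues"),
    "applayer error": ("app-layer.error-policy", "investigate application layer protocol issues"),
    "flow memcap": ("flow.memcap-policy", "investigate why the flow memcap is hit"),
    "stream memcap": ("stream.memcap-policy", "investigate why the stream memcap is hit"),
    "stream reassembly memcap": ("stream.reassembly.memcap-policy", "investigate why the reassembly memcap is hit"),
    "defrag memcap": ("defrag.memcap-policy", "investigate why the defrag memcap is hit"),
}

def count_drop_reasons(lines):
    """Equivalent of: jq -c 'select(.drop)|.drop.reason' | sort | uniq -c"""
    reasons = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it, keep counting
        drop = ev.get("drop") if isinstance(ev, dict) else None
        if drop and "reason" in drop:
            reasons[drop["reason"]] += 1
    return reasons

def workaround_for(reason):
    """(yaml key, fix) for a drop reason, or None if no exception policy covers it."""
    return ADVICE.get(reason)

def report(text):
    """Rows of (count, reason, yaml key or None), most frequent first."""
    counts = count_drop_reasons(text.splitlines())
    return [(n, r, (workaround_for(r) or (None,))[0]) for r, n in counts.most_common()]

if __name__ == "__main__":
    for n, reason, key in report(SAMPLE_EVE):
        hint = f"workaround: {key}: ignore" if key else "not an exception-policy drop"
        print(f"{n:6d} {reason!r:28} {hint}")
```

"flow drop" has no policy key because it is a rule or flow-level drop, not an exception-policy action, so the script flags it as such instead of suggesting a config change.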
Fixes and workarounds
Traffic blocked with reason: "stream midstream"
Fix: address midstream issues.
Workaround: set midstream-policy to ignore.
Traffic blocked with reason: "applayer error"
Fix: investigate and address application layer protocol issues.
Workaround: in the suricata.yaml:
app-layer:
  error-policy: ignore
Traffic blocked with reason: "memcap"
All exception memcaps have a reason of the form <policy> memcap:
- flow memcap
- stream memcap (policies: stream memcap, stream reassembly memcap)
- defrag memcap
Each of these can be disabled (set to ignore) separately: 12.3. Exception Policies — Suricata 7.0.1-dev documentation
To disable all exception policies at once (the nuclear option): --set exception-policy=ignore.
https://docs.suricata.io/en/latest/configuration/exception-policies.html#master-switch