Suricata 7 in IPS mode behaves more like a firewall: it defaults to failing closed.
This is because the exception policies default to drop-packet. Whenever an exceptional condition is met, the configured policy is applied. Currently those conditions are a midstream session pick-up, an application layer protocol error, or a memcap hit.
Some set-ups are more prone to such blocks, for instance when your traffic normally contains many midstream sessions (asymmetric routing, or Suricata starting while long-lived connections are already up).
Read more about all of Suricata’s exception policies: 12.3. Exception Policies — Suricata 7.0.1-dev documentation
If your traffic is being blocked, enable the drop event type in the eve-log output (its flows option controls whether only the first drop of a flow or every drop is logged) and inspect the drop reason. For example,
"reason":"stream midstream" in the drop log means Suricata picked up a session midstream and, because midstream pick-ups are not enabled (stream.midstream: false), the default midstream exception policy dropped the flow.
A jq one-liner to filter the log and count the drop reasons is:
cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
This could give a result like:
1118 "flow drop"
14 "stream error"
131 "stream midstream"
For "stream midstream" drops:
Fix: address the midstream issues, so that Suricata sees the start of the sessions.
Workaround: set stream.midstream-policy to ignore.
For application layer protocol error drops:
Fix: investigate and address the application layer protocol issues.
Workaround: in suricata.yaml set the app-layer error policy to ignore:
app-layer:
  error-policy: ignore
All memcap exception policies log a reason of the form "<policy> memcap":
- flow memcap
- stream memcap (policies: stream memcap, stream reassembly memcap)
- defrag memcap
Each of these can be disabled (set to ignore) separately via its own memcap-policy setting: 12.3. Exception Policies — Suricata 7.0.1-dev documentation
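The triage described above (count the drop reasons in eve.json, then find which exception policy produced each one) as a small script. This is an added example, not code from the Suricata project or from the original post. It works over constructed eve.json lines embedded in the script, skips non-drop events and truncated (non-JSON) lines the way a real log requires, and maps each reason to the suricata.yaml key that controls it. The key names in REASON_TO_POLICY (stream.midstream-policy, app-layer.error-policy, flow.memcap-policy, stream.memcap-policy, stream.reassembly.memcap-policy, defrag.memcap-policy), the "applayer error" reason string, and the reading of "flow drop" as follow-on packets of flows already flagged to drop are assumptions from my reading of Suricata 7, not statements from the page.

```python
import json
from collections import Counter

# Constructed eve.json lines for the example (not real captures). Only the
# fields the tally needs are present; a real record carries many more.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-08-01T10:00:00.000001+0000","event_type":"drop",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"drop":{"reason":"stream midstream"}}',
    '{"timestamp":"2023-08-01T10:00:00.000002+0000","event_type":"drop",'
    '"drop":{"reason":"flow drop"}}',
    # A flow event: has no "drop" object and must be skipped.
    '{"timestamp":"2023-08-01T10:00:00.000003+0000","event_type":"flow",'
    '"flow":{"state":"established"}}',
    '{"timestamp":"2023-08-01T10:00:00.000004+0000","event_type":"drop",'
    '"drop":{"reason":"applayer error"}}',
    '{"timestamp":"2023-08-01T10:00:00.000005+0000","event_type":"drop",'
    '"drop":{"reason":"stream midstream"}}',
    '{"timestamp":"2023-08-01T10:00:00.000006+0000","event_type":"drop",'
    '"drop":{"reason":"flow memcap"}}',
    # A half-written line (log rotated mid-write): must be skipped, not crash.
    '{"timestamp":"2023-08-01T10:00:00.000007+0000","event_ty',
]

# Drop reason -> suricata.yaml setting that decides the policy for it.
# ASSUMPTION: these key names follow the Suricata 7 YAML layout as I know it.
REASON_TO_POLICY = {
    "stream midstream": "stream.midstream-policy",
    "applayer error": "app-layer.error-policy",
    "flow memcap": "flow.memcap-policy",
    "stream memcap": "stream.memcap-policy",
    "stream reassembly memcap": "stream.reassembly.memcap-policy",
    "defrag memcap": "defrag.memcap-policy",
}


def count_drop_reasons(lines):
    """Python equivalent of: jq -c 'select(.drop)|.drop.reason' | sort | uniq -c.

    Returns {reason: count}. Lines that are not JSON or that carry no "drop"
    object (alerts, flows, stats, ...) are ignored.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        drop = record.get("drop")
        if not isinstance(drop, dict):
            continue
        counts[drop.get("reason", "<no reason>")] += 1
    return dict(counts)


def explain_drops(counts):
    """Map each counted reason to the setting to inspect.

    Returns {reason: (count, hint)} ordered from most to least frequent.
    ASSUMPTION: "flow drop" is logged for packets of a flow that was already
    flagged to drop (by a rule or by a drop-flow policy), so it is a symptom
    of one of the other reasons rather than a policy of its own.
    """
    result = {}
    for reason, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if reason == "flow drop":
            hint = "follow-on packets of flows already flagged to drop; see the other reasons"
        else:
            hint = REASON_TO_POLICY.get(reason, "not an exception policy drop (e.g. a rule)")
        result[reason] = (n, hint)
    return result


if __name__ == "__main__":
    for reason, (n, hint) in explain_drops(count_drop_reasons(SAMPLE_EVE_LINES)).items():
        print(f'{n:6d} "{reason}"  ->  {hint}')
```

Run it against a real log with count_drop_reasons(open("eve.json")), since the function accepts any iterable of lines. Setting a memcap-policy or midstream-policy to ignore only stops the drop; the flow is still not inspected properly, so the counts are also a measure of how much traffic the sensor is not seeing.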