Some RDP traffic dropped with no rules set to 'drop'

Suricata 7.0.10 in IPS mode
Installed via apt package
Ubuntu Server 24.04

Hi everyone,
My Suricata appears to drop some RDP traffic, although none of the rules are set to ‘drop’.
In the eve.json I get lines such as the following, with the corresponding IPs of the affected hosts:

{
  "timestamp": "2025-04-15T16:23:53.520495+0000",
  "flow_id": 1225914623322712,
  "in_iface": "enp4s0",
  "event_type": "flow",
  "vlan": [150],
  "src_ip": "[redacted-source-IP]",
  "src_port": 28748,
  "dest_ip": "[redacted-dest-ip]",
  "dest_port": 3389,
  "proto": "TCP",
  "app_proto": "rdp",
  "flow": {
    "pkts_toserver": 11,
    "pkts_toclient": 10,
    "bytes_toserver": 3809,
    "bytes_toclient": 9808,
    "start": "2025-04-15T16:13:32.154358+0000",
    "end": "2025-04-15T16:13:51.400560+0000",
    "age": 19,
    "state": "established",
    "reason": "timeout",
    "alerted": false,
    "action": "drop"
  },
  "metadata": {"flowbits": ["ms.rdp.established"]},
  "community_id": "1:il10QbP02ZHL+d2Cogs5tVKLHVM=",
  "tcp": {
    "tcp_flags": "1e",
    "tcp_flags_ts": "1e",
    "tcp_flags_tc": "1e",
    "syn": true,
    "rst": true,
    "psh": true,
    "ack": true,
    "state": "established",
    "ts_max_regions": 1,
    "tc_max_regions": 1
  }
}

As I mentioned, no rules are set to ‘drop’, and I get no alerts for this, but some RDP connections simply time out. Once I remove Suricata from the network the same RDP connections work flawlessly.

Any pointers will be greatly appreciated!

I was able to resolve the issue myself by setting ‘exception-policy’ to bypass.

2 Likes
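The tell-tale in the record above is a flow with "action": "drop" while "alerted": false: no signature fired, so the drop came from somewhere other than the ruleset, which in Suricata 7 IPS mode points at the exception policy (memcap or stream/app-layer error handling). The following triage script is an added example written for this thread; it is not code from the original poster or from the Suricata project. It scans an eve.json file for such rule-less drops and aggregates them per destination, so you can see whether one service (here RDP on 3389) is being hit. The eve.json lines embedded in it are constructed samples, not a real capture; the first one copies the shape of the posted record with placeholder addresses.

```python
"""Find flows Suricata dropped without any signature firing (eve.json triage).

Added example for this thread, not code from the poster or from Suricata.
In IPS mode a flow record with "action": "drop" and "alerted": false was not
dropped by a rule; the likely cause is the exception policy.
"""
import json
import sys
from collections import Counter
from typing import Iterable, Iterator

# Constructed sample lines (not a real capture). The first mirrors the flow
# record quoted in the post with placeholder addresses; the rest are made up.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2025-04-15T16:23:53.520495+0000",
        "flow_id": 1225914623322712, "event_type": "flow",
        "src_ip": "10.0.0.10", "src_port": 28748,
        "dest_ip": "10.0.0.20", "dest_port": 3389,
        "proto": "TCP", "app_proto": "rdp",
        "flow": {"pkts_toserver": 11, "pkts_toclient": 10,
                 "state": "established", "reason": "timeout",
                 "alerted": False, "action": "drop"},
    }),
    # Dropped because a drop rule matched (alerted true): expected, not reported.
    json.dumps({
        "flow_id": 2, "event_type": "flow",
        "src_ip": "10.0.0.11", "src_port": 40000,
        "dest_ip": "10.0.0.20", "dest_port": 445,
        "proto": "TCP", "app_proto": "smb",
        "flow": {"state": "closed", "reason": "timeout",
                 "alerted": True, "action": "drop"},
    }),
    # Ordinary allowed flow.
    json.dumps({
        "flow_id": 3, "event_type": "flow",
        "src_ip": "10.0.0.12", "src_port": 50000,
        "dest_ip": "10.0.0.21", "dest_port": 443,
        "proto": "TCP", "app_proto": "tls",
        "flow": {"state": "closed", "reason": "shutdown",
                 "alerted": False, "action": "allow"},
    }),
    # Second silent RDP drop to the same host, to show the aggregation.
    json.dumps({
        "flow_id": 4, "event_type": "flow",
        "src_ip": "10.0.0.13", "src_port": 28749,
        "dest_ip": "10.0.0.20", "dest_port": 3389,
        "proto": "TCP", "app_proto": "rdp",
        "flow": {"state": "established", "reason": "timeout",
                 "alerted": False, "action": "drop"},
    }),
    # Non-flow event: ignored.
    json.dumps({"event_type": "alert", "flow_id": 2,
                "alert": {"signature_id": 1, "action": "blocked"}}),
    # Truncated line (unclean shutdown): must be skipped, not crash the scan.
    '{"event_type": "flow", "flow": {"action": "drop"',
]


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one parsed event per JSON line, skipping blank or corrupt lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def silent_drops(lines: Iterable[str]) -> list[dict]:
    """Return flow events with action drop and no alert: rule-less drops."""
    hits = []
    for event in iter_events(lines):
        if event.get("event_type") != "flow":
            continue
        flow = event.get("flow", {})
        if flow.get("action") == "drop" and not flow.get("alerted", False):
            hits.append(event)
    return hits


def summarize(events: list[dict]) -> Counter:
    """Count silent drops per (dest_ip, dest_port, app_proto)."""
    return Counter((e.get("dest_ip"), e.get("dest_port"), e.get("app_proto"))
                   for e in events)


def main(argv: list[str]) -> int:
    """Scan the eve.json given on the command line, or the built-in samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            drops = silent_drops(fh)
    else:
        drops = silent_drops(SAMPLE_EVE_LINES)
    for (ip, port, proto), n in summarize(drops).most_common():
        print(f"{n:5d}  dest={ip}:{port}  app_proto={proto}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 eve_silent_drops.py /var/log/suricata/eve.json (the file name is my choice). A non-empty result with no matching alert is the situation described in this thread. The knob the poster changed is the exception-policy master switch in suricata.yaml; its default is auto, which in IPS mode drops the affected flow, and bypass instead lets the rest of that flow through without inspection. That restores connectivity but also means the flows that trip the policy are no longer inspected, so a practitioner should also look at the stats event or stats.log for which memcap or error counter is climbing and consider raising that limit rather than leaving bypass in place.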

Good catch!

For Suricata 7.0.11 or 7.0.12 we should have an option to log the exception policy triggered in the flow event; this would make troubleshooting situations like yours easier. Sorry it wasn’t there yet!

That sounds like a terrific idea! Thanks for following up.

1 Like