Suricata 7.0.0 unexpected midstream behavior in NFQ mode

Hi,
I’ve recently tested the official Suricata 7.0.0 stable release in NFQ IPS mode, and noticed that if Suricata comes up while a TCP connection is already established (an iperf test, for example), it drops the flow with reason “stream midstream” and then “flow drop”.
The suricata.yaml documentation states the following:

# midstream: false            # don't allow midstream session pickups
# midstream-policy: ignore    # Can be "drop-flow", "pass-flow", "bypass",
                              # "drop-packet", "pass-packet", "reject" or
                              # "ignore" default is "ignore"

When I explicitly set stream.midstream-policy to ignore, I get the expected behavior (flow is no longer dropped).

This is a change in behavior from Suricata 6.x. Given the documentation, I think this is a bug.

Hi Dean,

Could you run

$ /path/to/your/suricata -c /path/to/your/suricata.yaml <logging, pcap, rule args> -vvv 2>&1 >/tmp/out
$ grep exception-policy /tmp/out

With my 7.0 bits, this is logged:

Config: exception-policy: stream.midstream-policy: ignore (defined via 'exception-policy' master switch) [ExceptionPolicyGetDefault:util-exception-policy.c:219]

Ru

Hi Jeff,
I’m not sure what you mean by <logging, pcap, rule args>.
I just ran it the way I usually do, with the verbosity flags:
suricata -c /etc/suricata/suricata.yaml -q 999 -vvv 2>&1 >/tmp/out
But I don’t see the config output in /tmp/out (grep returns nothing). TBH it seems like -vvv had no effect.
I tried running with a pcap file (-r <pcap file>) and also saw no change.

Here are a few examples of the deny flow when I don’t explicitly set the policy to ignore:

{
    "timestamp": "2023-08-27T05:57:11.762905+0000",
    "flow_id": 2150756213700390,
    "event_type": "drop",
    "src_ip": "10.0.40.6",
    "src_port": 23157,
    "dest_ip": "<redacted1>",
    "dest_port": 443,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "direction": "to_server",
    "drop": {
        "len": 1112,
        "tos": 0,
        "ttl": 64,
        "ipid": 64019,
        "tcpseq": 3123774421,
        "tcpack": 1932030041,
        "tcpwin": 501,
        "syn": false,
        "ack": true,
        "psh": true,
        "rst": false,
        "urg": false,
        "fin": false,
        "tcpres": 0,
        "tcpurgp": 0,
        "reason": "stream midstream"
    }
},
{
    "timestamp": "2023-08-27T05:57:24.213124+0000",
    "flow_id": 1196838486818802,
    "event_type": "drop",
    "src_ip": "10.0.40.6",
    "src_port": 33617,
    "dest_ip": "<redacted2>",
    "dest_port": 80,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "direction": "to_server",
    "drop": {
        "len": 52,
        "tos": 0,
        "ttl": 64,
        "ipid": 63572,
        "tcpseq": 1002311777,
        "tcpack": 3557248460,
        "tcpwin": 501,
        "syn": false,
        "ack": true,
        "psh": false,
        "rst": false,
        "urg": false,
        "fin": false,
        "tcpres": 0,
        "tcpurgp": 0,
        "reason": "stream midstream"
    }
},
{
    "timestamp": "2023-08-27T05:57:25.829569+0000",
    "flow_id": 1592649310743450,
    "event_type": "drop",
    "src_ip": "10.0.40.6",
    "src_port": 10705,
    "dest_ip": "<redacted3>",
    "dest_port": 443,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "direction": "to_server",
    "drop": {
        "len": 71,
        "tos": 0,
        "ttl": 64,
        "ipid": 19855,
        "tcpseq": 1543874525,
        "tcpack": 1926112880,
        "tcpwin": 501,
        "syn": false,
        "ack": true,
        "psh": true,
        "rst": false,
        "urg": false,
        "fin": false,
        "tcpres": 0,
        "tcpurgp": 0,
        "reason": "stream midstream"
    }
},
{
    "timestamp": "2023-08-27T05:57:59.546539+0000",
    "flow_id": 1592649310743450,
    "event_type": "drop",
    "src_ip": "<redacted3>",
    "src_port": 443,
    "dest_ip": "10.0.40.6",
    "dest_port": 10705,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "direction": "to_client",
    "drop": {
        "len": 40,
        "tos": 0,
        "ttl": 111,
        "ipid": 10262,
        "tcpseq": 1926112880,
        "tcpack": 1543874525,
        "tcpwin": 0,
        "syn": false,
        "ack": true,
        "psh": false,
        "rst": true,
        "urg": false,
        "fin": false,
        "tcpres": 0,
        "tcpurgp": 0,
        "reason": "flow drop"
    }
},
{
    "timestamp": "2023-08-27T05:58:25.492259+0000",
    "flow_id": 1196838486818802,
    "event_type": "drop",
    "src_ip": "<redacted2>",
    "src_port": 80,
    "dest_ip": "10.0.40.6",
    "dest_port": 33617,
    "proto": "TCP",
    "pkt_src": "wire/pcap",
    "direction": "to_client",
    "drop": {
        "len": 40,
        "tos": 0,
        "ttl": 128,
        "ipid": 41927,
        "tcpseq": 3557248460,
        "tcpack": 1002311778,
        "tcpwin": 0,
        "syn": false,
        "ack": true,
        "psh": false,
        "rst": true,
        "urg": false,
        "fin": false,
        "tcpres": 0,
        "tcpurgp": 0,
        "reason": "flow drop"
    }
}
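
As an added example (not code from this thread or from the Suricata project), the following Python script groups EVE "drop" records like the ones above by flow_id, so that the initial "stream midstream" drop and the later "flow drop" of the server's RST show up together as one picked-up flow. The sample records are constructed for the example, with RFC 5737 test addresses in place of the redacted peers and only the EVE fields the script uses; the field names are the standard EVE drop fields shown in the post.

```python
"""Group Suricata EVE "drop" events per flow to spot midstream pick-up drops.

Added example, not code from the forum thread or from the Suricata project.
It reads EVE JSON lines and, for each flow whose first drop has reason
"stream midstream", reports the later "flow drop" events for the same flow_id.
SAMPLE_EVE is constructed for this example (RFC 5737 test addresses stand in
for the redacted peers) and keeps only the fields the script needs.
"""
import json
from collections import Counter, defaultdict

# Constructed sample input: two TCP flows picked up midstream (no SYN seen),
# one unrelated alert record, the server-side RSTs of both flows dropped as
# "flow drop", and one garbage line to exercise the error handling.
SAMPLE_EVE = """\
{"timestamp":"2023-08-27T05:57:24.213124+0000","flow_id":1196838486818802,"event_type":"drop","src_ip":"10.0.40.6","src_port":33617,"dest_ip":"203.0.113.2","dest_port":80,"proto":"TCP","direction":"to_server","drop":{"syn":false,"ack":true,"rst":false,"reason":"stream midstream"}}
{"timestamp":"2023-08-27T05:57:25.829569+0000","flow_id":1592649310743450,"event_type":"drop","src_ip":"10.0.40.6","src_port":10705,"dest_ip":"203.0.113.3","dest_port":443,"proto":"TCP","direction":"to_server","drop":{"syn":false,"ack":true,"rst":false,"reason":"stream midstream"}}
{"timestamp":"2023-08-27T05:57:30.000000+0000","flow_id":4242,"event_type":"alert","src_ip":"10.0.40.6","src_port":5353,"dest_ip":"203.0.113.4","dest_port":53,"proto":"UDP"}
{"timestamp":"2023-08-27T05:57:59.546539+0000","flow_id":1592649310743450,"event_type":"drop","src_ip":"203.0.113.3","src_port":443,"dest_ip":"10.0.40.6","dest_port":10705,"proto":"TCP","direction":"to_client","drop":{"syn":false,"ack":true,"rst":true,"reason":"flow drop"}}
{"timestamp":"2023-08-27T05:58:25.492259+0000","flow_id":1196838486818802,"event_type":"drop","src_ip":"203.0.113.2","src_port":80,"dest_ip":"10.0.40.6","dest_port":33617,"proto":"TCP","direction":"to_client","drop":{"syn":false,"ack":true,"rst":true,"reason":"flow drop"}}
not json at all
"""


def parse_drops(lines):
    """Yield every well-formed EVE record with event_type == "drop".

    Blank lines, non-JSON lines and other event types are skipped, so the
    function can be pointed at a whole eve.json rather than a filtered file.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "drop" and "flow_id" in rec:
            yield rec


def group_by_flow(records):
    """Map flow_id -> list of that flow's drop records, in timestamp order."""
    flows = defaultdict(list)
    for rec in records:
        flows[rec["flow_id"]].append(rec)
    for recs in flows.values():
        recs.sort(key=lambda r: r["timestamp"])
    return dict(flows)


def client_server(rec):
    """Return (client, server) endpoints, using EVE's direction field."""
    src = f'{rec["src_ip"]}:{rec["src_port"]}'
    dst = f'{rec["dest_ip"]}:{rec["dest_port"]}'
    return (dst, src) if rec.get("direction") == "to_client" else (src, dst)


def midstream_flows(flows):
    """Flows whose first drop was a midstream pick-up, with their follow-ups.

    A packet dropped with reason "stream midstream" and syn == false means the
    engine first saw the connection after the handshake. Once the flow is set
    to drop, later packets with the same flow_id are dropped with reason
    "flow drop", which is what the posted events show for the servers' RSTs.
    """
    out = {}
    for fid, recs in flows.items():
        first, rest = recs[0], recs[1:]
        if first["drop"].get("reason") != "stream midstream":
            continue
        client, server = client_server(first)
        out[fid] = {
            "first_seen": first["timestamp"],
            "client": client,
            "server": server,
            "syn_seen": bool(first["drop"].get("syn", False)),
            "flow_drop_followups": sum(
                1 for r in rest if r["drop"].get("reason") == "flow drop"
            ),
            "server_rst_dropped": any(
                r["drop"].get("rst") and r.get("direction") == "to_client"
                for r in rest
            ),
        }
    return out


def summarize(eve_text):
    """Return (midstream report keyed by flow_id, Counter of drop reasons)."""
    drops = list(parse_drops(eve_text.splitlines()))
    reasons = Counter(r["drop"].get("reason", "unknown") for r in drops)
    return midstream_flows(group_by_flow(drops)), reasons


if __name__ == "__main__":
    report, reasons = summarize(SAMPLE_EVE)
    print("drop reasons:", dict(reasons))
    for fid, info in report.items():
        print(f"flow {fid}: {info}")
```

Point `summarize` at the contents of a real eve.json after restarting Suricata under live traffic: a non-empty report with `syn_seen` false for every entry is the signature of the behaviour described in this thread, and the `flow_drop_followups` count shows how much of each connection was dropped after the pick-up.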

Please also check the suricata log file. This is most often in /var/log/suricata.log but the location may vary depending on the system you’re using.

Yeah, I’m running Suricata in a container, so I’m aware of where my logs are, but I’m getting the exact same output.

This is documented here: 12.3. Exception Policies — Suricata 8.0.0-dev documentation

Aha! Sneaky :)
Thank you for the clarification.