Suricata 7 dropping ssh sessions

Hi,

I’ve searched the forum to no avail so hopefully I can get some advice here. I have upgraded a test system to Suricata 7 and when I restart the Suricata service my ssh session(s) are dropped (snippet from log below). I don’t have this issue with Suricata 6 so I’m trying to find what’s changed in Suricata 7 that would explain this behavior. I’m new to Suricata so I did review the docs but nothing stood out as the root cause. Appreciate the feedback.

Jul 11 11:31:55 pat-test1-01 systemd-logind[731]: Session c7127 logged out. Waiting for processes to exit.
Jul 11 11:31:55 pat-test1-01 systemd-logind[731]: Removed session c7127.

Install details:
Suricata version: 7.0.5
Linux distribution: AlmaLinux 8.7
How you installed Suricata: RPM

Without more details it’s hard to help. What runmode do you use, I assume IPS?
What does the config suricata.yaml look like and how do you run it?
Suricata 7 introduced exception policy, see 4. Upgrading — Suricata 8.0.0-dev documentation

We do run it in IPS mode and our suricata.yaml is pretty stock, I’ll add it anyway.
suricata.yaml (83.8 KB)

We do build a custom RPM (we patch the suricata.yaml file), so I’ll add the build info also.

suricata7-build-info.log (4.3 KB)

What is your exact run command?

I assume you run NFQUEUE IPS mode? In that case also provide the config you use for the netfilter part.

Also post the suricata.log

I can’t share the entire config but let me parse the bits I can.

@Andreas_Herz

Here’s what I can share. Also, including what my Suricata options are set to: OPTIONS="-q 0 -q 1 -q 2 -q 3"

######## Suricata IPS
-A SIPS -i lo -j ACCEPT
-A SIPS -o lo -j ACCEPT
-A SIPS -j NFQUEUE --queue-balance 0:3 --queue-bypass

-A OUTPUT -o lo -j SIPS
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j SIPS
-A OUTPUT -m conntrack --ctstate NEW -j OUT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT

-A INPUT -i lo -j SIPS
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j SIPS
-A INPUT -m conntrack --ctstate NEW -j IN
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT

-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j REJECT

Since you have queue-bypass enabled, I don’t think it’s restart related, but you could check this post regarding the exception policies: “My traffic gets blocked after upgrading to Suricata 7”.


What are the corresponding log entries in “fast.log”?

No entries in “fast.log”

I’ll take a look, thank you.

This would imply Suricata is not dropping the packets.

Another possibility is that modifying the firewall causes the firewall to restart, clearing previous configuration(s).

I consider this resolved as I realized from this that the default behavior is to ignore exception policies in 6.x, and in 7.x the default for most of the exception policies is to fail closed.
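As an added example (not from this thread or from the Suricata project), a small Python audit that reads the key = value lines printed by suricata --dump-config and reports which exception policies resolve to fail-closed in IPS versus IDS mode, so the 6.x-to-7.x change discussed above can be checked on a running box. The auto-resolution table is my reading of the 7.0 exception-policy docs and is an assumption to verify against the version in use; the sample dump-config output is constructed.

```python
"""Audit which Suricata 7 exception policies fail open vs. closed, from the
``key = value`` lines that ``suricata --dump-config`` prints. The auto table
is my reading of the 7.0 docs (assumption: verify against your version)."""
import re

# Per-subsystem policy keys and what "auto" resolves to in IPS mode.
# Defrag and flow memcap hit before a flow exists, so they can only drop packets.
AUTO_IPS = {
    "app-layer.error-policy": "drop-flow",
    "stream.memcap-policy": "drop-flow",
    "stream.reassembly.memcap-policy": "drop-flow",
    "stream.midstream-policy": "ignore",  # assumption: 7.0 keeps midstream open
    "flow.memcap-policy": "drop-packet",
    "defrag.memcap-policy": "drop-packet",
}
# Policies that let traffic through when the engine hits a limit or error.
FAIL_OPEN = {"ignore", "pass-packet", "pass-flow", "bypass"}

def parse_dump_config(text):
    """Turn dump-config output into a dict; malformed lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-]+)\s*=\s*(\S*)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def effective_policies(conf, ips=True):
    """Resolve each subsystem: explicit key > master switch > auto rule."""
    master = conf.get("exception-policy", "auto")
    out = {}
    for key, auto_ips in AUTO_IPS.items():
        value = conf.get(key, master)
        if value == "auto":
            value = auto_ips if ips else "ignore"
        out[key] = value
    return out

def fail_closed(conf, ips=True):
    """Subsystems whose effective policy drops or rejects traffic."""
    return sorted(k for k, v in effective_policies(conf, ips).items()
                  if v not in FAIL_OPEN)

# Constructed sample of dump-config output: stock 7.x defaults, NFQUEUE IPS.
SAMPLE = "runmode = autofp\nexception-policy = auto\nstream.midstream = false\n"

if __name__ == "__main__":
    for k, v in effective_policies(parse_dump_config(SAMPLE)).items():
        print(f"{k:34} {v}")
```

Setting exception-policy to ignore (or overriding a single key such as stream.memcap-policy) restores the 6.x-style fail-open behaviour for that subsystem, at the cost of letting traffic through when the engine is under memory pressure or hits a parser error.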