Suricata 7 drops my flows - reason: applayer error

I have read this already: My traffic gets blocked after upgrading to Suricata 7

But it doesn’t help: “error-policy: ignore” is set; nevertheless, Suricata drops my flows with reason “applayer error”.

The applayer error is:
[1:2210044:2] SURICATA STREAM Packet with invalid timestamp

This is a false positive; I have checked the timestamps and they are fine. Only the flow might be heavily out of sequence due to fragmentation and traffic-shaping.

I can disable that 1:2210044, but that doesn’t help. The error is then no longer reported, but Suricata nevertheless drops the flow with reason: applayer error.

What finally did help was this:

@@ -908,7 +908,7 @@
       #
       # For best performance, select 'bypass'.
       #
-      #encryption-handling: default
+      encryption-handling: bypass
 
     pgsql:
       enabled: no
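Review bot: `encryption-handling: bypass` changes what gets inspected rather than fixing the stream error that caused the drop. The context comment in the hunk says it is the best-performance option: once the TLS handshake is complete the flow is bypassed, so stream tracking and app-layer parsing stop for it, and the out-of-order segments that raised the `SURICATA STREAM Packet with invalid timestamp` events are no longer examined at all. That applies to every TLS flow, not only this one, so post-handshake bytes become invisible to rules; say in the thread whether that loss of coverage is acceptable, otherwise keep `encryption-handling: default` and chase the stream-level cause instead.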

Hi,

How are your other exception policies configured - including the master switch?

Is stream.midstream enabled? I’m guessing it is, as you are seeing app-layer errors, but I want to be sure of the situation.

Could you provide a pcap showcasing this scenario, or at least a portion of the log that shows this?

I’m trying to understand if there’s a bug, or if maybe another exception policy or drop is leading to this application error situation in a corner-case scenario…

Okay, I fear I have utterly no idea what you are talking about. This feels very lost…
What is an exception policy? What is a master switch? What is a pcap?

What I might tell you is the diff from the distributed suricata.conf.sample to the installed one, or the tcpdump of the session - that is what I can physically tackle.

stream.midstream enabled? Honestly I don’t know. I find these in the config:

stream:
  memcap: 64mb
  #memcap-policy: ignore
  checksum-validation: yes      # reject incorrect csums
  #midstream: false
  #midstream-policy: ignore
  drop-invalid: no
  inline: auto                  # auto will use inline mode in IPS mode, yes or 

I tried to change these; that makes no difference. Some time ago I added the drop-invalid: no, but I don’t remember what difference it made, if any at all.

Concerning that “midstream”: I was seeing flow drops with reason “stream midstream”, but only when restarting the process while testing. The above options apparently have no influence on that behaviour, but the system is not supposed to ever be restarted in regular operation, so I didn’t bother further.

The story is actually very simple: I try to query duckduckgo.com, it downloads 28kB and then the flow gets dropped. duckduckgo.com uses HTTP/2, and with HTTP/2 when the flow drops things just don’t work. (It’s no problem with HTTP/1.1.)

That’s how it looks, right after a fresh boot:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun6, link-type NULL (BSD loopback), capture size 262144 bytes
03:33:23.569229 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [S], seq 477846123, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4039248345 ecr 0], length 0
03:33:23.874300 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [S], seq 1654865102, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1108161900 ecr 0], length 0
03:33:23.933883 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [S.], seq 583229139, ack 477846124, win 43440, options [mss 1440,sackOK,TS val 1986530826 ecr 4039248345,nop,wscale 7], length 0
03:33:23.934374 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 1, win 1035, options [nop,nop,TS val 4039248710 ecr 1986530826], length 0
03:33:23.937276 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1:518, ack 1, win 1035, options [nop,nop,TS val 4039248710 ecr 1986530826], length 517
03:33:24.238882 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [S.], seq 303953379, ack 1654865103, win 43440, options [mss 1440,sackOK,TS val 3429813016 ecr 1108161900,nop,wscale 7], length 0
03:33:24.239282 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [.], ack 1, win 1035, options [nop,nop,TS val 1108162265 ecr 3429813016], length 0
03:33:24.242971 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [P.], seq 1:518, ack 1, win 1035, options [nop,nop,TS val 1108162265 ecr 3429813016], length 517
03:33:24.304892 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 518, win 336, options [nop,nop,TS val 1986531197 ecr 4039248710], length 0
03:33:24.307119 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 1:1425, ack 518, win 336, options [nop,nop,TS val 1986531198 ecr 4039248710], length 1424
03:33:24.307364 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 2849:4057, ack 518, win 336, options [nop,nop,TS val 1986531198 ecr 4039248710], length 1208
03:33:24.307659 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 1425, win 1015, options [nop,nop,TS val 4039249080 ecr 1986531198,nop,nop,sack 1 {2849:4057}], length 0
03:33:24.308115 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 1425:2849, ack 518, win 336, options [nop,nop,TS val 1986531198 ecr 4039248710], length 1424
03:33:24.308380 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 4057, win 994, options [nop,nop,TS val 4039249080 ecr 1986531198], length 0
03:33:24.313839 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 518:598, ack 4057, win 1035, options [nop,nop,TS val 4039249085 ecr 1986531198], length 80
03:33:24.314366 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 598:768, ack 4057, win 1035, options [nop,nop,TS val 4039249090 ecr 1986531198], length 170
03:33:24.314464 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 768:1146, ack 4057, win 1035, options [nop,nop,TS val 4039249090 ecr 1986531198], length 378
03:33:24.609903 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [.], ack 518, win 336, options [nop,nop,TS val 3429813387 ecr 1108162265], length 0
03:33:24.611431 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [.], seq 1:1425, ack 518, win 336, options [nop,nop,TS val 3429813388 ecr 1108162265], length 1424
03:33:24.611616 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [P.], seq 2849:4057, ack 518, win 336, options [nop,nop,TS val 3429813388 ecr 1108162265], length 1208
03:33:24.612021 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [.], ack 1425, win 1013, options [nop,nop,TS val 1108162636 ecr 3429813388,nop,nop,sack 1 {2849:4057}], length 0
03:33:24.612332 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [P.], seq 1425:2849, ack 518, win 336, options [nop,nop,TS val 3429813388 ecr 1108162265], length 1424
03:33:24.612625 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [.], ack 4057, win 994, options [nop,nop,TS val 1108162636 ecr 3429813388], length 0
03:33:24.617740 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [P.], seq 518:598, ack 4057, win 1035, options [nop,nop,TS val 1108162640 ecr 3429813388], length 80
03:33:24.618136 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [P.], seq 598:785, ack 4057, win 1035, options [nop,nop,TS val 1108162640 ecr 3429813388], length 187
03:33:24.678030 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 598, win 336, options [nop,nop,TS val 1986531570 ecr 4039249085], length 0
03:33:24.678262 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 4057:4344, ack 598, win 336, options [nop,nop,TS val 1986531570 ecr 4039249085], length 287
03:33:24.678513 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 4344:4631, ack 598, win 336, options [nop,nop,TS val 1986531570 ecr 4039249085], length 287
03:33:24.678655 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 4631:4693, ack 598, win 336, options [nop,nop,TS val 1986531570 ecr 4039249085], length 62
03:33:24.678997 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 768, win 335, options [nop,nop,TS val 1986531571 ecr 4039249090], length 0
03:33:24.679108 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 4693:4724, ack 768, win 335, options [nop,nop,TS val 1986531571 ecr 4039249090], length 31
03:33:24.679162 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 4631, win 1031, options [nop,nop,TS val 4039249451 ecr 1986531570], length 0
03:33:24.679267 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 4724, win 1034, options [nop,nop,TS val 4039249455 ecr 1986531570], length 0
03:33:24.679366 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1146:1177, ack 4724, win 1035, options [nop,nop,TS val 4039249455 ecr 1986531570], length 31
03:33:24.681793 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 1146, win 333, options [nop,nop,TS val 1986531574 ecr 4039249090], length 0
03:33:24.722380 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 4724:6148, ack 1146, win 333, options [nop,nop,TS val 1986531613 ecr 4039249090], length 1424
03:33:24.722826 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 6148:7572, ack 1146, win 333, options [nop,nop,TS val 1986531613 ecr 4039249090], length 1424
03:33:24.723209 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 7572, win 1013, options [nop,nop,TS val 4039249496 ecr 1986531613], length 0
03:33:24.724723 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 8996:9884, ack 1146, win 333, options [nop,nop,TS val 1986531613 ecr 4039249090], length 888
03:33:24.724744 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 7572:8996, ack 1146, win 333, options [nop,nop,TS val 1986531613 ecr 4039249090], length 1424
03:33:24.725125 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 7572, win 1035, options [nop,nop,TS val 4039249501 ecr 1986531613,nop,nop,sack 1 {8996:9884}], length 0
03:33:24.725167 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 9884, win 999, options [nop,nop,TS val 4039249501 ecr 1986531613], length 0
03:33:24.860770 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1177:1463, ack 9884, win 1035, options [nop,nop,TS val 4039249635 ecr 1986531613], length 286
03:33:24.860798 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1463:1494, ack 9884, win 1035, options [nop,nop,TS val 4039249635 ecr 1986531613], length 31
03:33:24.861555 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1494:1785, ack 9884, win 1035, options [nop,nop,TS val 4039249635 ecr 1986531613], length 291
03:33:24.861612 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1785:1816, ack 9884, win 1035, options [nop,nop,TS val 4039249635 ecr 1986531613], length 31
03:33:24.915043 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1816:1933, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 117
03:33:24.915721 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 1933:2018, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 85
03:33:24.916193 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2018:2108, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 90
03:33:24.916772 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2108:2261, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 153
03:33:24.917198 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2261:2354, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 93
03:33:24.917670 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2354:2445, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 91
03:33:24.918525 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2445:2533, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 88
03:33:24.920428 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2533:2621, ack 9884, win 1035, options [nop,nop,TS val 4039249690 ecr 1986531613], length 88
03:33:24.920455 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2621:2709, ack 9884, win 1035, options [nop,nop,TS val 4039249695 ecr 1986531613], length 88
03:33:24.920476 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2709:2796, ack 9884, win 1035, options [nop,nop,TS val 4039249695 ecr 1986531613], length 87
03:33:24.920497 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2796:2886, ack 9884, win 1035, options [nop,nop,TS val 4039249695 ecr 1986531613], length 90
03:33:24.920518 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2886:2971, ack 9884, win 1035, options [nop,nop,TS val 4039249695 ecr 1986531613], length 85
03:33:24.920862 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [P.], seq 2971:3056, ack 9884, win 1035, options [nop,nop,TS val 4039249695 ecr 1986531613], length 85
03:33:24.981921 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [.], ack 598, win 336, options [nop,nop,TS val 3429813759 ecr 1108162640], length 0
03:33:24.982316 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [P.], seq 4057:4344, ack 598, win 336, options [nop,nop,TS val 3429813759 ecr 1108162640], length 287
03:33:24.982394 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [P.], seq 4344:4631, ack 598, win 336, options [nop,nop,TS val 3429813759 ecr 1108162640], length 287
03:33:24.982507 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [P.], seq 4631:4693, ack 598, win 336, options [nop,nop,TS val 3429813759 ecr 1108162640], length 62
03:33:24.982608 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [.], ack 4631, win 1027, options [nop,nop,TS val 1108163006 ecr 3429813759], length 0
03:33:24.983621 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [.], ack 785, win 335, options [nop,nop,TS val 3429813761 ecr 1108162640], length 0
03:33:24.983639 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [P.], seq 4693:4724, ack 785, win 335, options [nop,nop,TS val 3429813761 ecr 1108162640], length 31
03:33:24.983854 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [P.], seq 785:809, ack 4693, win 1035, options [nop,nop,TS val 1108163006 ecr 3429813759], length 24
03:33:24.983878 IP 192.168.97.18.43498 > 40.114.177.156.443: Flags [F.], seq 809, ack 4693, win 1035, options [nop,nop,TS val 1108163006 ecr 3429813759], length 0
03:33:25.085905 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 1177, win 333, options [nop,nop,TS val 1986531978 ecr 4039249455], length 0
03:33:25.225622 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 1463, win 331, options [nop,nop,TS val 1986532117 ecr 4039249635], length 0
03:33:25.226050 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 9884:10336, ack 1463, win 331, options [nop,nop,TS val 1986532118 ecr 4039249635], length 452
03:33:25.226219 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 10336:10371, ack 1494, win 331, options [nop,nop,TS val 1986532118 ecr 4039249635], length 35
03:33:25.226590 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 10371, win 1035, options [nop,nop,TS val 4039250000 ecr 1986532118], length 0
03:33:25.228781 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 1785, win 330, options [nop,nop,TS val 1986532121 ecr 4039249635], length 0
03:33:25.229577 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 10371:10823, ack 1816, win 330, options [nop,nop,TS val 1986532121 ecr 4039249635], length 452
03:33:25.229594 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 10823:10858, ack 1816, win 330, options [nop,nop,TS val 1986532122 ecr 4039249635], length 35
03:33:25.229857 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 10858, win 1035, options [nop,nop,TS val 4039250005 ecr 1986532121], length 0
03:33:25.279320 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 1933, win 330, options [nop,nop,TS val 1986532171 ecr 4039249690], length 0
03:33:25.280381 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 10858:12282, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.281035 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 12282:13706, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.281442 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 13706, win 1013, options [nop,nop,TS val 4039250055 ecr 1986532172], length 0
03:33:25.282371 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 13706:15130, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.282392 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 15130:16554, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.282803 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 16554, win 991, options [nop,nop,TS val 4039250055 ecr 1986532172], length 0
03:33:25.284817 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 16554:17978, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.284838 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 17978:19402, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.287370 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 19402:20826, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.287392 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 20826:22250, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.287669 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 19402, win 991, options [nop,nop,TS val 4039250060 ecr 1986532172], length 0
03:33:25.287692 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 22250, win 991, options [nop,nop,TS val 4039250060 ecr 1986532172], length 0
03:33:25.289863 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 22250:23674, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.289885 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 23674:25098, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.290279 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 25098, win 991, options [nop,nop,TS val 4039250065 ecr 1986532172], length 0
03:33:25.292266 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2018, win 330, options [nop,nop,TS val 1986532173 ecr 4039249690], length 0
03:33:25.292284 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2108, win 330, options [nop,nop,TS val 1986532174 ecr 4039249690], length 0
03:33:25.292294 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2261, win 330, options [nop,nop,TS val 1986532176 ecr 4039249690], length 0
03:33:25.292303 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2354, win 330, options [nop,nop,TS val 1986532176 ecr 4039249690], length 0
03:33:25.292315 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 25098:26522, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.294846 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2445, win 330, options [nop,nop,TS val 1986532178 ecr 4039249690], length 0
03:33:25.294864 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2533, win 330, options [nop,nop,TS val 1986532179 ecr 4039249690], length 0
03:33:25.294874 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2621, win 330, options [nop,nop,TS val 1986532181 ecr 4039249690], length 0
03:33:25.294883 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2709, win 330, options [nop,nop,TS val 1986532181 ecr 4039249695], length 0
03:33:25.294892 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2796, win 330, options [nop,nop,TS val 1986532183 ecr 4039249695], length 0
03:33:25.294901 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2886, win 330, options [nop,nop,TS val 1986532184 ecr 4039249695], length 0
03:33:25.294909 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 2971, win 330, options [nop,nop,TS val 1986532186 ecr 4039249695], length 0
03:33:25.294918 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], ack 3056, win 330, options [nop,nop,TS val 1986532186 ecr 4039249695], length 0
03:33:25.294931 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 26522:27946, ack 1933, win 330, options [nop,nop,TS val 1986532172 ecr 4039249690], length 1424
03:33:25.295266 IP 192.168.97.18.14493 > 40.114.177.156.443: Flags [.], ack 27946, win 1013, options [nop,nop,TS val 4039250070 ecr 1986532172], length 0
03:33:25.348137 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [.], ack 809, win 335, options [nop,nop,TS val 3429814125 ecr 1108163006], length 0
03:33:25.348157 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [F.], seq 4724, ack 810, win 335, options [nop,nop,TS val 3429814125 ecr 1108163006], length 0
03:33:25.592910 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 27946:29370, ack 3056, win 330, options [nop,nop,TS val 1986532482 ecr 4039250000], length 1424
03:33:25.593353 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 29370:30794, ack 3056, win 330, options [nop,nop,TS val 1986532482 ecr 4039250000], length 1424
03:33:25.594915 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 30794:32218, ack 3056, win 330, options [nop,nop,TS val 1986532482 ecr 4039250000], length 1424
03:33:25.594937 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 32218:33642, ack 3056, win 330, options [nop,nop,TS val 1986532482 ecr 4039250000], length 1424
03:33:25.597410 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 33642:35066, ack 3056, win 330, options [nop,nop,TS val 1986532486 ecr 4039250005], length 1424
03:33:25.597431 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 35066:36490, ack 3056, win 330, options [nop,nop,TS val 1986532486 ecr 4039250005], length 1424
03:33:25.599853 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 36490:37914, ack 3056, win 330, options [nop,nop,TS val 1986532486 ecr 4039250005], length 1424
03:33:25.599875 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 37914:39338, ack 3056, win 330, options [nop,nop,TS val 1986532486 ecr 4039250005], length 1424
03:33:25.646598 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 39338:40762, ack 3056, win 330, options [nop,nop,TS val 1986532537 ecr 4039250055], length 1424
03:33:25.647341 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 40762:42186, ack 3056, win 330, options [nop,nop,TS val 1986532537 ecr 4039250055], length 1424
03:33:25.647811 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 42186:43610, ack 3056, win 330, options [nop,nop,TS val 1986532537 ecr 4039250055], length 1424
03:33:25.649925 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 43610:45034, ack 3056, win 330, options [nop,nop,TS val 1986532537 ecr 4039250055], length 1424
03:33:25.649946 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 45034:46458, ack 3056, win 330, options [nop,nop,TS val 1986532539 ecr 4039250055], length 1424
03:33:25.652385 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 46458:47882, ack 3056, win 330, options [nop,nop,TS val 1986532539 ecr 4039250055], length 1424
03:33:25.652405 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 47882:49306, ack 3056, win 330, options [nop,nop,TS val 1986532539 ecr 4039250055], length 1424
03:33:25.654816 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 49306:50730, ack 3056, win 330, options [nop,nop,TS val 1986532539 ecr 4039250055], length 1424
03:33:25.654836 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 50730:52154, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.657413 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 52154:53578, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.657434 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 53578:55002, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.659873 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 55002:56426, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.659894 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 56426:57850, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.662305 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 57850:59274, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.662327 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 59274:60698, ack 3056, win 330, options [nop,nop,TS val 1986532544 ecr 4039250060], length 1424
03:33:25.664899 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 60698:62122, ack 3056, win 330, options [nop,nop,TS val 1986532546 ecr 4039250065], length 1424
03:33:25.664920 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 62122:63546, ack 3056, win 330, options [nop,nop,TS val 1986532546 ecr 4039250065], length 1424
03:33:25.667381 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 63546:64970, ack 3056, win 330, options [nop,nop,TS val 1986532546 ecr 4039250065], length 1424
03:33:25.667402 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 64970:66394, ack 3056, win 330, options [nop,nop,TS val 1986532546 ecr 4039250065], length 1424
03:33:25.669950 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 66394:67818, ack 3056, win 330, options [nop,nop,TS val 1986532551 ecr 4039250070], length 1424
03:33:25.669971 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 67818:69242, ack 3056, win 330, options [nop,nop,TS val 1986532551 ecr 4039250070], length 1424
03:33:25.672560 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 69242:70666, ack 3056, win 330, options [nop,nop,TS val 1986532551 ecr 4039250070], length 1424
03:33:25.672582 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [P.], seq 70666:72090, ack 3056, win 330, options [nop,nop,TS val 1986532551 ecr 4039250070], length 1424
03:33:25.674918 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 72090:73514, ack 3056, win 330, options [nop,nop,TS val 1986532551 ecr 4039250070], length 1424
03:33:26.009368 IP 40.114.177.156.443 > 192.168.97.18.43498: Flags [F.], seq 4724, ack 810, win 335, options [nop,nop,TS val 3429814787 ecr 1108163006], length 0
03:33:26.430682 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 73514:74938, ack 3056, win 330, options [nop,nop,TS val 1986533322 ecr 4039250070], length 1424
03:33:27.362875 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 27946:29370, ack 3056, win 330, options [nop,nop,TS val 1986534254 ecr 4039250070], length 1424
03:33:29.214735 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 27946:29370, ack 3056, win 330, options [nop,nop,TS val 1986536106 ecr 4039250070], length 1424
03:33:32.894993 IP 40.114.177.156.443 > 192.168.97.18.14493: Flags [.], seq 27946:29370, ack 3056, win 330, options [nop,nop,TS val 1986539786 ecr 4039250070], length 1424
03:33:39.360099 IP 192.168.97.18.25924 > 40.114.177.156.443: Flags [S], seq 3328441103, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3590692645 ecr 0], length 0

Here it is lost and starts a fresh flow. We can see seq 27946:29370 is the one that doesn’t make it anymore. And this is the error:

Oct 20 03:33:25 <local5.info> oper suricata[24054]: @cee: {"timestamp":"2023-10-20T03:33:25.292378+0200","flow_id":1037351338515721,"event_type":"alert","src_ip":"40.114.177.156","src_port":443,"dest_ip":"192.168.97.18","dest_port":14493,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":2210044,"rev":2,"signature":"SURICATA STREAM Packet with invalid timestamp","category":"Generic Protocol Command Decode","severity":3},"tls":{"sni":"duckduckgo.com","version":"TLS 1.3","ja3":{"hash":"579ccef312d18482fc42e2b822ca2430","string":"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0"},"ja3s":{"hash":"15af977ce25de452b96affa2addb1036","string":"771,4866,43-51"}},"app_proto":"tls","direction":"to_client","flow":{"pkts_toserver":38,"pkts_toclient":39,"bytes_toserver":5063,"bytes_toclient":28557,"start":"2023-10-20T03:33:23.569207+0200","src_ip":"192.168.97.18","dest_ip":"40.114.177.156","src_port":14493,"dest_port":443}}
Oct 20 03:33:25 <local5.info> oper suricata[24054]: [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 40.114.177.156:443 -> 192.168.97.18:14493
Oct 20 03:33:25 <local5.info> oper suricata[24054]: @cee: {"timestamp":"2023-10-20T03:33:25.295016+0200","flow_id":1037351338515721,"event_type":"alert","src_ip":"40.114.177.156","src_port":443,"dest_ip":"192.168.97.18","dest_port":14493,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":2210044,"rev":2,"signature":"SURICATA STREAM Packet with invalid timestamp","category":"Generic Protocol Command Decode","severity":3},"tls":{"sni":"duckduckgo.com","version":"TLS 1.3","ja3":{"hash":"579ccef312d18482fc42e2b822ca2430","string":"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0"},"ja3s":{"hash":"15af977ce25de452b96affa2addb1036","string":"771,4866,43-51"}},"app_proto":"tls","direction":"to_client","flow":{"pkts_toserver":38,"pkts_toclient":48,"bytes_toserver":5063,"bytes_toclient":30449,"start":"2023-10-20T03:33:23.569207+0200","src_ip":"192.168.97.18","dest_ip":"40.114.177.156","src_port":14493,"dest_port":443}}
Oct 20 03:33:25 <local5.info> oper suricata[24054]: [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 40.114.177.156:443 -> 192.168.97.18:14493
Oct 20 03:33:25 <local5.info> oper suricata[24054]: @cee: {"timestamp":"2023-10-20T03:33:25.592949+0200","flow_id":1037351338515721,"event_type":"drop","src_ip":"40.114.177.156","src_port":443,"dest_ip":"192.168.97.18","dest_port":14493,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_client","drop":{"len":1476,"tos":0,"ttl":45,"ipid":39946,"tcpseq":583257085,"tcpack":477849179,"tcpwin":330,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"applayer error"}}
Oct 20 03:33:25 <local5.info> oper suricata[24054]: @cee: {"timestamp":"2023-10-20T03:33:25.593389+0200","flow_id":1037351338515721,"event_type":"drop","src_ip":"40.114.177.156","src_port":443,"dest_ip":"192.168.97.18","dest_port":14493,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_client","drop":{"len":1476,"tos":0,"ttl":45,"ipid":39947,"tcpseq":583258509,"tcpack":477849179,"tcpwin":330,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}
Oct 20 03:33:25 <local5.info> oper suricata[24054]: @cee: {"timestamp":"2023-10-20T03:33:25.594952+0200","flow_id":1037351338515721,"event_type":"drop","src_ip":"40.114.177.156","src_port":443,"dest_ip":"192.168.97.18","dest_port":14493,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_client","drop":{"len":1476,"tos":0,"ttl":45,"ipid":39948,"tcpseq":583259933,"tcpack":477849179,"tcpwin":330,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}
Oct 20 03:33:25 <local5.info> oper suricata[24054]: @cee: {"timestamp":"2023-10-20T03:33:25.594990+0200","flow_id":1037351338515721,"event_type":"drop","src_ip":"40.114.177.156","src_port":443,"dest_ip":"192.168.97.18","dest_port":14493,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_client","drop":{"len":1476,"tos":0,"ttl":45,"ipid":39949,"tcpseq":583261357,"tcpack":477849179,"tcpwin":330,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"flow drop"}}

and so on …
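The four records above all belong to one flow_id: the first is dropped with reason "applayer error" and every later packet of that flow with "flow drop", i.e. the flow has been put into drop state and silencing the signature changes nothing about that state. The script below, an added example for this thread and not Suricata project code, parses such syslog-delivered EVE lines (stripping the `@cee: ` prefix), groups drops per flow, reports the opening reason versus consequential "flow drop" records, and computes the TCP sequence advance between consecutive dropped segments. The sample lines are constructed in the shape of the quoted log (same flow, hosts and sequence numbers, unrelated fields trimmed); the alert record and the plain text line are constructed additions to show the filtering.

```python
"""Triage of Suricata EVE 'drop' records delivered through syslog with the '@cee: ' prefix.

Added example for the thread, not Suricata's own code. It summarises, per flow_id, which
reason opened the drop and how many further packets were then dropped as plain 'flow drop'.
"""
import json
from collections import Counter

CEE_MARKER = "@cee: "
SYSLOG_HEAD = "Oct 20 03:33:25 <local5.info> oper suricata[24054]: "
FLOW = 1037351338515721


def _eve_line(ts, flow_id, seq, reason, event_type="drop"):
    """Build one constructed syslog line in the shape of the quoted log
    (hosts, ports and sequence numbers copied from the post; other fields trimmed)."""
    rec = {
        "timestamp": ts, "flow_id": flow_id, "event_type": event_type,
        "src_ip": "40.114.177.156", "src_port": 443,
        "dest_ip": "192.168.97.18", "dest_port": 14493, "proto": "TCP",
        "direction": "to_client",
    }
    if event_type == "drop":
        rec["drop"] = {"len": 1476, "tcpseq": seq, "reason": reason}
    return SYSLOG_HEAD + CEE_MARKER + json.dumps(rec, separators=(",", ":"))


# Constructed sample: the four drops from the post, one non-drop event on another
# flow, and one engine log line that carries no EVE payload at all.
SAMPLE_LINES = [
    _eve_line("2023-10-20T03:33:25.592949+0200", FLOW, 583257085, "applayer error"),
    _eve_line("2023-10-20T03:33:25.593389+0200", FLOW, 583258509, "flow drop"),
    _eve_line("2023-10-20T03:33:25.594952+0200", FLOW, 583259933, "flow drop"),
    _eve_line("2023-10-20T03:33:25.594990+0200", FLOW, 583261357, "flow drop"),
    _eve_line("2023-10-20T03:33:26.000000+0200", FLOW + 1, 0, "", event_type="alert"),
    SYSLOG_HEAD + "[1] <Info> -- constructed non-EVE line",
]


def parse_eve_syslog_line(line):
    """Return the EVE record found after '@cee: ', or None when the line has no
    such marker or the payload is not a JSON object with an event_type."""
    idx = line.find(CEE_MARKER)
    if idx < 0:
        return None
    try:
        rec = json.loads(line[idx + len(CEE_MARKER):])
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) and "event_type" in rec else None


def summarize_drops(lines):
    """Group 'drop' records by flow_id.

    Per flow: endpoints, reason of the first dropped packet, Counter of all reasons,
    packet count, and the sequence advance between consecutive drops (mod 2**32, so a
    wrapped sequence space still yields the right step).
    """
    flows = {}
    for line in lines:
        rec = parse_eve_syslog_line(line)
        if rec is None or rec.get("event_type") != "drop":
            continue
        drop = rec["drop"]
        entry = flows.setdefault(rec["flow_id"], {
            "flow": f'{rec["src_ip"]}:{rec["src_port"]} -> {rec["dest_ip"]}:{rec["dest_port"]}',
            "first_reason": drop["reason"],
            "reasons": Counter(),
            "packets": 0,
            "seqs": [],
        })
        entry["reasons"][drop["reason"]] += 1
        entry["packets"] += 1
        entry["seqs"].append(drop["tcpseq"])
    for entry in flows.values():
        seqs = entry["seqs"]
        entry["seq_steps"] = [(b - a) % (1 << 32) for a, b in zip(seqs, seqs[1:])]
    return flows


def consequential_drops(entry):
    """Packets dropped only because the flow was already in drop state."""
    return entry["reasons"].get("flow drop", 0)


def render(flows):
    """One human-readable line per flow, for the ticket or the forum post."""
    out = []
    for fid, e in sorted(flows.items()):
        out.append(f"flow_id={fid} {e['flow']}: first reason '{e['first_reason']}', "
                   f"{e['packets']} packets dropped ({consequential_drops(e)} as 'flow drop'), "
                   f"seq steps {e['seq_steps']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize_drops(SAMPLE_LINES)))
```

For the quoted flow this reports one opening "applayer error", three consequential "flow drop" records and sequence steps of 1424 bytes each; uniform steps are consistent with contiguous, in-order segments of a single TCP stream, which is useful evidence to attach when asking whether the "invalid timestamp" verdict is a false positive.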

Oops, forgot the diff:

--- suricata.yaml.sample        2023-10-06 00:45:39.000000000 +0200
+++ suricata.yaml       2023-10-20 03:29:00.761826000 +0200
@@ -15,7 +15,12 @@
 vars:
   # more specific is better for alert accuracy and performance
   address-groups:
-    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    HOME_NET: "[***
+    ***
+    ***
+    ***
+    ***
+    ***]"
     #HOME_NET: "[192.168.0.0/16]"
     #HOME_NET: "[10.0.0.0/8]"
     #HOME_NET: "[172.16.0.0/12]"
@@ -65,9 +70,9 @@
   enabled: yes
   # The interval field (in seconds) controls the interval at
   # which stats are updated in the log.
-  interval: 8
+  interval: 600
   # Add decode events to stats.
-  #decoder-events: true
+  decoder-events: true
   # Decoder event prefix in stats. Has been 'decoder' before, but that leads
   # to missing events in the eve.stats records. See issue #2225.
   #decoder-events-prefix: "decoder.event"
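Review bot: `decoder-events: true` only has an effect if some output consumes the stats counters, yet later in this same diff the eve `- stats:` block is commented out and `stats.log` is set to `enabled: no`, so the added counters are computed every 600 s and written nowhere. Either keep one stats consumer enabled or leave `decoder-events` at its commented default.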
@@ -82,7 +87,7 @@
 outputs:
   # a line based alerts log similar to Snort's fast.log
   - fast:
-      enabled: yes
+      enabled: no
       filename: fast.log
       append: yes
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
@@ -90,16 +95,16 @@
   # Extensible Event Format (nicknamed EVE) event log in JSON format
   - eve-log:
       enabled: yes
-      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filetype: syslog #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
       # Enable for multi-threaded eve.json output; output files are amended with
       # an identifier, e.g., eve.9.json
       #threaded: false
-      #prefix: "@cee: " # prefix to prepend to each log entry
+      prefix: "@cee: " # prefix to prepend to each log entry
       # the following are valid when type: syslog above
-      #identity: "suricata"
-      #facility: local5
-      #level: Info ## possible levels: Emergency, Alert, Critical,
+      identity: "suricata"
+      facility: local5
+      level: Info ## possible levels: Emergency, Alert, Critical,
                    ## Error, Warning, Notice, Info, Debug
       #ethernet: no  # log ethernet header in events when available
       #redis:
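Review bot: with `filetype: syslog` the unchanged `filename: eve.json` line is inert (no file is written) and is easy to misread later; comment it out alongside the switch. The `prefix: "@cee: "` change is what puts the `@cee:` marker in front of the JSON in the quoted log, so anything consuming those lines has to strip that prefix before decoding.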
@@ -210,15 +215,15 @@
               # stream: no
               # applayer: yes
             #packethdr: no
-        - http:
-            extended: yes     # enable this for extended logging information
+#        - http:
+#            extended: yes     # enable this for extended logging information
             # custom allows additional HTTP fields to be included in eve-log.
             # the example below adds three additional fields when uncommented
             #custom: [Accept-Encoding, Accept-Language, Authorization]
             # set this value to one and only one from {both, request, response}
             # to dump all HTTP headers for every HTTP request and/or response
             # dump-all-headers: none
-        - dns:
+#        - dns:
             # This configuration uses the new DNS logging format,
             # the old configuration is still available:
             # https://docs.suricata.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
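Review bot: commenting out `- http:` (and `- dns:`) removes the application-layer records for exactly the sessions the comment in the `@@ -908` hunk below describes as breaking (HTTP/2). While the drop problem is open, keep at least `- http:` enabled so an "applayer error" drop can be matched to the preceding http records of the same flow_id.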
@@ -246,22 +251,22 @@
             # DNS record types to log, based on the query type.
             # Default: all.
             #types: [a, aaaa, cname, mx, ns, ptr, txt]
-        - tls:
-            extended: yes     # enable this for extended logging information
+#        - tls:
+#            extended: yes     # enable this for extended logging information
             # output TLS transaction where the session is resumed using a
             # session id
             #session-resumption: no
             # custom controls which TLS fields that are included in eve-log
             #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
-        - files:
-            force-magic: no   # force logging magic on all logged files
+#        - files:
+#            force-magic: no   # force logging magic on all logged files
             # force logging of checksums, available hash functions are md5,
             # sha1 and sha256
             #force-hash: [md5]
-        #- drop:
-        #    alerts: yes      # log alerts that caused drops
-        #    flows: all       # start or all: 'start' logs only a single drop
-        #                     # per flow direction. All logs each dropped pkt.
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+                             # per flow direction. All logs each dropped pkt.
             # Enable logging the final action taken on a packet by the engine
             # (will show more information in case of a drop caused by 'reject')
             # verdict: yes
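Review bot: `flows: all` is why the quoted log shows every later packet of flow 1037351338515721 as its own "flow drop" record; that is the right setting while diagnosing, but in production `flows: start` (one record per flow direction) is far less noisy. Commenting out `- tls:` in the same hunk removes the TLS record (SNI, version) that would show what the flow was negotiating when the "applayer error" occurred; re-enable it until the issue is understood.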
@@ -306,12 +311,12 @@
         - pgsql:
             enabled: no
             # passwords: yes           # enable output of passwords. Disabled by default
-        - stats:
-            totals: yes       # stats for all threads merged together
-            threads: no       # per thread stats
-            deltas: no        # include delta values
+#        - stats:
+#            totals: yes       # stats for all threads merged together
+#            threads: no       # per thread stats
+#            deltas: no        # include delta values
         # bi-directional flows
-        - flow
+#        - flow
         # uni-directional flows
         #- netflow
 
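Review bot: `- flow` is the per-flow summary record and the one place a flow's end state is written; with it commented out, the only trace of the failed flows is the per-packet drop records. Re-enable `- flow` (and, given `decoder-events: true` earlier in this diff, `- stats:`) at least until the drops are explained.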
@@ -434,7 +439,7 @@
 
   # Stats.log contains data from various counters of the Suricata engine.
   - stats:
-      enabled: yes
+      enabled: no
       filename: stats.log
       append: yes       # append to file (yes) or overwrite it (no)
       totals: yes       # stats for all threads merged together
@@ -443,12 +448,12 @@
 
   # a line based alerts log similar to fast.log into syslog
   - syslog:
-      enabled: no
+      enabled: yes
       # reported identity to syslog. If omitted the program name (usually
       # suricata) will be used.
       #identity: "suricata"
       facility: local5
-      #level: Info ## possible levels: Emergency, Alert, Critical,
+      level: Info ## possible levels: Emergency, Alert, Critical,
                    ## Error, Warning, Notice, Info, Debug
 
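Review bot: enabling the fast-style `- syslog:` alert output at `facility: local5` / `level: Info` duplicates what the eve-log block already sends to local5 at Info as `@cee:` JSON, so every alert reaches the log host twice in two formats. If the JSON records are what gets consumed, keep this block at `enabled: no`.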
   # Output module for storing files on disk. Files are stored in
@@ -561,7 +566,7 @@
   # compiled with the --enable-debug configure option.
   #
   # This value is overridden by the SC_LOG_LEVEL env var.
-  default-log-level: notice
+  default-log-level: info
 
   # The default output format.  Optional parameter, should default to
   # something reasonable if not provided.  Can be overridden in an
@@ -588,16 +593,16 @@
   # disabled you will get the default: console output.
   outputs:
   - console:
-      enabled: yes
+      enabled: no
       # type: json
   - file:
-      enabled: yes
+      enabled: no
       level: info
       filename: suricata.log
       # format: "[%i - %m] %z %d: %S: %M"
       # type: json
   - syslog:
-      enabled: no
+      enabled: yes
       facility: local5
       format: "[%i] <%d> -- "
       # type: json
@@ -908,7 +913,16 @@
       #
       # For best performance, select 'bypass'.
       #
-      #encryption-handling: default
+      # Problem mit 7.0.0: (v.a.) HTTP/2 sessions brechen ab. Grund:
+      # suricata findet (wie schon bisher) "Packet with invalid
+      # timestamp" (1:2210044), aber nun (neu mit 7) wird daraus ein
+      # "applayer error" und ein "flow drop". Den 1:2210044 disablen
+      # hilft nix, er wird dann nicht mehr gemeldet, aber dennoch der
+      # "applayer error" und "flow drop". "error-policy: ignore" hier
+      # weiter oben sollte das zwar verhindern, ist offenbar schon
+      # default, wirkt aber auch nicht. 
+      # Abhilfe: hier von (auskommentiertem) default auf bypass schalten:
+      #encryption-handling: bypass
 
     pgsql:
       enabled: no
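Review bot: the added `#encryption-handling: bypass` line is still commented out, so after this hunk the setting remains at its default and the comment's own instruction ("Abhilfe: ... auf bypass schalten", i.e. remedy: switch to bypass here) is not carried out; drop the leading `#` if bypass is the intended state. The comment block is in German; for other readers its gist is: with 7.0.0 HTTP/2 sessions abort because the pre-existing 1:2210044 "Packet with invalid timestamp" now turns into an "applayer error" plus "flow drop", disabling the signature only silences the alert, and `error-policy: ignore` (apparently already the default) did not prevent it. Also document the trade-off: `bypass` does not repair the parse failure, it stops inspection of the flow once the TLS handshake is done, so the drops disappear because detection on those flows disappears with them.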
@@ -1189,9 +1203,9 @@
 ##
  # Run Suricata with a specific user-id and group-id:
-#run-as:
-#  user: suri
-#  group: suri
+run-as:
+  user: pmc
+  group: pmc
 
 security:
   # if true, prevents process creation from Suricata by calling
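Review bot: `run-as: pmc` is a sound least-privilege choice; make sure the rule directory set later in this diff (`/var/db/suricata/rules`) and the log and run directories are readable (writable where needed) by that user, since Suricata drops privileges after start-up and later rule reloads happen as `pmc`.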
@@ -1358,8 +1372,8 @@
 # like a routing table so the most specific entry matches.
 host-os-policy:
   # Make the default policy windows.
-  windows: [0.0.0.0/0]
-  bsd: []
+  windows: []
+  bsd: [0.0.0.0/0]
   bsd-right: []
   old-linux: []
   linux: []
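Review bot: moving the 0.0.0.0/0 catch-all from `windows:` to `bsd:` changes the TCP reassembly policy (how overlapping and out-of-order segments are resolved) for every destination, not only BSD hosts. Since the reported symptom is an out-of-sequence flow, one global policy is a coarse choice; list the BSD hosts explicitly and keep any Windows clients behind HOME_NET under `windows:` so each host is reassembled the way its own stack would.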
@@ -1573,6 +1587,7 @@
   checksum-validation: yes      # reject incorrect csums
   #midstream: false
   #midstream-policy: ignore
+  drop-invalid: no
   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
   reassembly:
     memcap: 256mb
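Review bot: `drop-invalid: no` only keeps the stream engine from dropping packets it has itself flagged invalid; the drops quoted above carry reason "applayer error" followed by "flow drop", which this key does not govern, so it cannot be the fix for the reported symptom and explains why the setting alone did not help. The `#midstream:` and `#midstream-policy:` context lines show both are still commented out, i.e. at their defaults.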
@@ -2141,7 +2156,7 @@
 ## Configure Suricata to load Suricata-Update managed rules.
 ##
 
-default-rule-path: /var/lib/suricata/rules
+default-rule-path: /var/db/suricata/rules
 
 rule-files:
   - suricata.rules

Found another one that needed adjustment:

@@ -1153,8 +1153,8 @@
     dhcp:
       enabled: yes
 
     sip:
-      #enabled: yes
+      enabled: no
 
 # Limit for the maximum number of asn1 frames to decode (default 256)
 asn1-max-frames: 256
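Review bot: `enabled: no` under `sip:` switches the SIP app-layer parser off entirely, so SIP traffic is no longer inspected at all rather than merely no longer dropped. If the aim is only to stop the drops, the narrower lever is the app-layer `error-policy` the comment in the `@@ -908` hunk already mentions (even though the poster reports it did not take effect); at minimum add a comment here recording that the parser is disabled as a workaround and why, so the loss of SIP inspection is not rediscovered as a surprise later.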

If I don’t do that, telephony won’t work, and much better: it does not just block telephony, it makes the telco tell callers that my numbers don’t even exist! That’s whopping!

Overall, I like that new style in Rel.7. It really does something with the stuff that’s not obviously intended to flow. This is now a real complement to my firewalls. Will get used to it.