Hi,
I am running suricata in IPS mode. I have just one simple rule, which is to alert me of any ip traffic. The rule is triggering fine. However, all of my tcp packets are being dropped.
I am not sure why this is happening.
Hi,
Can you give us more details about your setup? How you run and configured Suricata, what version you use, etc.?
There can be multiple reasons for that to happen.
I am using 6.0.2, the latest version. I did not change much in the config file, only the max-pending-packets.
My home network is the one I am protecting. I am using the gateway configuration where the Suricata IPS inspects the traffic that passes through it.
Please provide the config and the start command so we can get those necessary details.
Did you change the rule from “alert” to “drop”?
The command I am using to run is "sudo suricata -c /etc/suricata/suricata.yaml -q 0 -v"
My iptables config is: sudo iptables -I FORWARD -i eth4 -o eth7 -j NFQUEUE
My rule is: alert tcp any any -> any any (msg:"TCP Packet found";) just to test.
My config file is:
suricata.yaml (70.7 KB)
What about the other direction of the packets coming from eth7 to eth4?
This will generate a lot of log messages; this might be the issue. What happens if you don't run that rule?
Post stats.log as well.
Right now I am controlling the node connected to eth7 so there is no traffic in that direction. The udp and icmp traffic passes just fine.
Let me replicate the error, I will post stats.log shortly.
Thanks
Here is the stats.log file.
stats.zip (658.9 KB)
When I ping using ICMP or UDP, my packets are delivered, but not with TCP.
So I solved the problem by setting drop-invalid to no in the stream settings in suricata.yaml. I am not sure why it was considering the packets to be invalid because I generated them using hping3, and they seem fine.
Hi there, I know it's an old thread. However, I have just bumped into the same issue. I am running Suricata in IPS mode with AF_PACKET and did understand what happens to my packets sent by the Pktgen-DPDK app (default setting). The packets were copied when I was using a PCAP file replay (that has only UDP packets). So, after changing Pktgen to send UDP instead of the default TCP, packets are copied from the RX interface to the TX interface by Suricata.
I also tried the above “solution” to set the drop-invalid field to no in the stream setting, but it does not solve my problem. TCP packets are simply not copied.
Found the solution here.
The key was to set the exception-policy from auto to either ignore or bypass.
Thanks @cs.lev, I was also facing the same issue. Setting drop-invalid didn't work for me; updating exception-policy did the trick. However, when I set exception-policy to bypass, rules like drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;) did not work. Setting exception-policy to ignore is what worked for me.
When you say it did not work, does it mean that finally the TCP packets were forwarded and not dropped, but then if you have a drop rule, packets matching on it were also "blindly" forwarded?
Hi @cs.lev, yeah, that's correct, the packets were being forwarded despite having a drop rule.
Sounds like unintended behaviour.
Anyway, at least you managed to get it working.
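The two settings the thread ends up on, side by side, as an added suricata.yaml fragment that is not from any of the posters; it assumes the key names of the Suricata 7.x default suricata.yaml, and the comments summarize what the thread reported for each value:

```yaml
# Added example, not taken from the thread above.
# Key names assumed from the Suricata 7.x default suricata.yaml;
# check them against the file shipped with your own version.

# Master switch for traffic Suricata cannot fully inspect (invalid
# stream state, memcap hits, ...). In IPS mode "auto" resolves to a
# drop policy, which matches the symptom above: TCP without a proper
# session (hping3 / Pktgen generated) vanishes while UDP and ICMP pass.
#exception-policy: auto     # default; TCP from the generators is dropped
#exception-policy: bypass   # forwards the flow but stops inspecting it,
                            # so drop rules no longer fire (reported above)
exception-policy: ignore    # forwards and keeps inspecting; what worked

stream:
  # Segments that do not fit a tracked TCP session are flagged invalid.
  # With "yes" (the default) every such segment is dropped in IPS mode;
  # the first poster fixed the 6.0.2 setup by switching this off.
  drop-invalid: no          # default: yes
```

Whichever value you pick, confirm it with a drop rule on known traffic afterwards, since the thread shows bypass silently disables the rule for the forwarded flow.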