Hello,
We have Suricata version "6.0.15" running on Ubuntu 20.04.6 for more than 6 months now.
We have set up Suricata in IPS mode and have enabled the nfqueue feature.
The problem we are facing is that when we try to reject incoming packets matching a specific signature, it does reject the packet, but the connection still remains intact without being closed. Is there a way to also close the "http" connection so that we don't starve for resources?
Below is an example of the problem.
We have a signature as below:
##################
reject http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; http.user_agent; content:"Java/1.8.0_"; content:!"411"; within:3; threshold: type limit, count 2, seconds 300, track by_src; reference:url,JDK 8 Update Release Notes; classtype:bad-unknown; sid:2019401; rev:41; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2024_04_29, reviewed_at 2023_09_22;)
##################
When I try to trigger this signature by executing the curl command `curl -v https://10.183.113.113/ifas/irq/mongojumbo/test1 -H "User-agent: Java/1.8.0_302"`, it does reject the packet and doesn't respond with a "200" status code (works as expected); however, at the same time it also fails to close the "curl" request connection. The connection will stay active for almost 5 minutes until it reaches the timeout. Is there any possible way to close the connection immediately so that it doesn't have to wait until the timeout occurs?