Suricata6 drops flow

kajamuhaiyadeen · April 10, 2025, 12:07pm

Hi Team,

In Suricata 6.0.12 I see below flow drop log but unable to troubleshoot the root cause for this drop. Can somebody share the reason/troubleshooting steps for fixing the below flow drop error ?

{
“timestamp”: “2025-04-10T05:24:26.547841-0400”,
“flow_id”: 1001867926354188,
“in_iface”: “bond_switch”,
“event_type”: “drop”,
“vlan”: [
400
],
“src_ip”: “10.142.255.2”,
“src_port”: 9472,
“dest_ip”: “10.144.76.26”,
“dest_port”: 8080,
“proto”: “TCP”,
“drop”: {
“len”: 1420,
“tos”: 0,
“ttl”: 60,
“ipid”: 60304,
“tcpseq”: 3465590511,
“tcpack”: 1260621580,
“tcpwin”: 507,
“syn”: false,
“ack”: true,
“psh”: false,
“rst”: false,
“urg”: false,
“fin”: false,
“tcpres”: 0,
“tcpurgp”: 0,
“reason”: “flow drop”
}
}

Jeff_Lucovsky · April 10, 2025, 1:25pm

Hi, thanks for posting to our community.

Suricata 6 is no longer supported; we urge you to use the latest stable release – Suricata 7.0.10

There’s not enough information in your post - we ask that additional information including deployment (ids or ips?) configuration (suricata.yaml), how suricata was installed (source or package), host OS, etc.

Please try Suricata 7.0.10 and if it reproduces with that version, please post here with additional contextual information so we can better help.

kajamuhaiyadeen · April 10, 2025, 1:37pm

"We have deployed Suricata as an IPS, operating in bridge mode, and installed it from the source. It is running on Red Hat Enterprise Linux release 8.8 (Ootpa).

Due to the sensitive nature of the suricata.yaml file, we are unable to share it in its entirety. However, if you require specific sections, please let us know, and we can share them.

We understand that Suricata 6 is outdated, and while we are working on upgrading it, we would like to know if any workarounds can be implemented in the meantime to address the flow drop issue."

Jeff_Lucovsky · April 10, 2025, 1:42pm

There’s still not enough information to fully describe what’s happening.

As an experiment, there’s a setting in suricata.yaml that could be changed: exception-policy: ignore to see what effect it has.

This is just a guess based on limited information.

kajamuhaiyadeen · April 10, 2025, 1:45pm

What would be the impact of setting exception-policy: ignore? Is this exception policy supported in Suricata 6.0.12? Additionally, under which section of the suricata.yaml file (e.g., stream, flow, etc.) should this be configured?

Let me know what are all other information required from the suricata.

Jeff_Lucovsky · April 10, 2025, 1:50pm

My guess was incorrect as in Suricata 6, the default value auto has the same effect as ignore.

You could provide your suricata.yaml file after removing the rule variables (those are typically the only sensitive part of the file).

I’d be willing to take a brief look but as Suri 6 is no longer supported, my recommendation is to deploy Suricata 7.0.10 to stay current with respect to bug fixes, security and performance fixes.

kajamuhaiyadeen · April 10, 2025, 2:47pm

I found the problematic rule.