Hi Team,
In Suricata 6.0.12 I see the flow drop log below but am unable to troubleshoot the root cause for this drop. Can somebody share the reason/troubleshooting steps for fixing the flow drop error below?
{
  "timestamp": "2025-04-10T05:24:26.547841-0400",
  "flow_id": 1001867926354188,
  "in_iface": "bond_switch",
  "event_type": "drop",
  "vlan": [
    400
  ],
  "src_ip": "10.142.255.2",
  "src_port": 9472,
  "dest_ip": "10.144.76.26",
  "dest_port": 8080,
  "proto": "TCP",
  "drop": {
    "len": 1420,
    "tos": 0,
    "ttl": 60,
    "ipid": 60304,
    "tcpseq": 3465590511,
    "tcpack": 1260621580,
    "tcpwin": 507,
    "syn": false,
    "ack": true,
    "psh": false,
    "rst": false,
    "urg": false,
    "fin": false,
    "tcpres": 0,
    "tcpurgp": 0,
    "reason": "flow drop"
  }
}
Hi, thanks for posting to our community.
Suricata 6 is no longer supported; we urge you to use the latest stable release, Suricata 7.0.10.
There's not enough information in your post; we ask that you provide additional information including deployment (IDS or IPS?), configuration (suricata.yaml), how Suricata was installed (source or package), host OS, etc.
Please try Suricata 7.0.10 and if it reproduces with that version, please post here with additional contextual information so we can better help.
"We have deployed Suricata as an IPS, operating in bridge mode, and installed it from the source. It is running on Red Hat Enterprise Linux release 8.8 (Ootpa).
Due to the sensitive nature of the suricata.yaml file, we are unable to share it in its entirety. However, if you require specific sections, please let us know, and we can share them.
We understand that Suricata 6 is outdated, and while we are working on upgrading it, we would like to know if any workarounds can be implemented in the meantime to address the flow drop issue."
There’s still not enough information to fully describe what’s happening.
As an experiment, there's a setting in suricata.yaml that could be changed, exception-policy: ignore, to see what effect it has.
This is just a guess based on limited information.
What would be the impact of setting exception-policy: ignore? Is this exception policy supported in Suricata 6.0.12? Additionally, under which section of the suricata.yaml file (e.g., stream, flow, etc.) should this be configured?
Let me know what other information is required from Suricata.
My guess was incorrect, as in Suricata 6 the default value auto has the same effect as ignore.
You could provide your suricata.yaml file after removing the rule variables (those are typically the only sensitive part of the file).
I’d be willing to take a brief look but as Suri 6 is no longer supported, my recommendation is to deploy Suricata 7.0.10 to stay current with respect to bug fixes, security and performance fixes.
I found the problematic rule.
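The reason "flow drop" in the event above means the packet was dropped because its whole flow was already marked for dropping, which is what a matching drop rule does; the rule that set that flag is logged as an alert with action "blocked" on the same flow_id. As an added example that is not part of this thread or of Suricata, the script below walks an EVE JSON file and, for each dropped flow, lists the blocking alerts sharing its flow_id, so the "problematic rule" can be found directly; the sample EVE lines, signature id and flow ids are constructed.

```python
import json
from collections import defaultdict

# Constructed sample EVE lines (not from the thread): a blocking alert and the
# "flow drop" event on the same flow_id, plus two drops with no matching alert.
SAMPLE_EVE = """\
{"timestamp":"2025-04-10T05:24:26.100000-0400","flow_id":1001867926354188,"event_type":"alert","src_ip":"10.142.255.2","src_port":9472,"dest_ip":"10.144.76.26","dest_port":8080,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"rev":1,"signature":"EXAMPLE drop rule (constructed)"}}
{"timestamp":"2025-04-10T05:24:26.547841-0400","flow_id":1001867926354188,"event_type":"drop","src_ip":"10.142.255.2","src_port":9472,"dest_ip":"10.144.76.26","dest_port":8080,"proto":"TCP","drop":{"reason":"flow drop"}}
{"timestamp":"2025-04-10T05:24:27.000000-0400","flow_id":555,"event_type":"drop","src_ip":"10.0.0.5","src_port":1234,"dest_ip":"10.0.0.9","dest_port":443,"proto":"TCP","drop":{"reason":"stream error"}}
{"timestamp":"2025-04-10T05:24:28.000000-0400","flow_id":777,"event_type":"drop","src_ip":"10.0.0.6","src_port":4321,"dest_ip":"10.0.0.9","dest_port":8080,"proto":"TCP","drop":{"reason":"flow drop"}}
"""


def correlate_drops(eve_lines):
    """Return {flow_id: {"reason", "drops", "tuple", "blocking_alerts"}}.

    Every drop event is counted per flow_id; alerts with action "blocked" on the
    same flow_id (the rule that set the flow's drop action) are attached to it.
    """
    alerts = defaultdict(list)
    flows = {}
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        fid = ev.get("flow_id")
        if ev.get("event_type") == "alert" and ev["alert"].get("action") == "blocked":
            alerts[fid].append((ev["alert"]["signature_id"], ev["alert"]["signature"]))
        elif ev.get("event_type") == "drop":
            entry = flows.setdefault(fid, {
                "reason": ev["drop"].get("reason"), "drops": 0,
                "tuple": (ev.get("src_ip"), ev.get("src_port"),
                          ev.get("dest_ip"), ev.get("dest_port"))})
            entry["drops"] += 1
    for fid, entry in flows.items():
        entry["blocking_alerts"] = alerts.get(fid, [])
    return flows


def unexplained_flow_drops(flows):
    """Flow ids dropped with reason "flow drop" but with no blocking alert logged;
    these are the ones that need the extra context the replies above ask for."""
    return sorted(f for f, e in flows.items()
                  if e["reason"] == "flow drop" and not e["blocking_alerts"])


if __name__ == "__main__":
    result = correlate_drops(SAMPLE_EVE.splitlines())
    for fid, e in result.items():
        print(fid, e["tuple"], e["reason"], e["drops"], e["blocking_alerts"])
    print("unexplained flow drops:", unexplained_flow_drops(result))
```

For a live box, replace SAMPLE_EVE.splitlines() with the lines of eve.json; a dropped flow that has no blocking alert usually means the drop event type is logged but alerts for that rule are not, so check the eve-log alert section of suricata.yaml next.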