Bug #1823
3.1dev (rev 50b33ad) not dropping packets (consistently) in IPS mode
Status: Closed
Description
I'm running 3.1dev Suricata. I've been trying to diagnose an issue with my IDS/IPS for over a month and now need help.
I was previously running Suricata 2.1 but was forced to upgrade due to a different issue, a segfault which went away after the upgrade.
My Suricata uses scirius.rules (Stamus Networks) and I've noticed that some rules I change from 'alert' to 'drop' are no longer dropped as they used to be in Suricata 2.1. I've confirmed by checking fast.log versus drop.log for these specific rules.
There are some other subtle changes in fast.log I've noticed that may (or may not) be related.
Example: in Suricata 2.1 a packet dropped would look like:
06/22/2016-21:16:23.816623 [Drop] [1:2200037:1] SURICATA TCP duplicated option
In Suricata 3.01dev they look like:
06/22/2016-21:16:23.816623 [Drop] [**] [1:2200037:1] SURICATA TCP duplicated option
The [**] is normally used to represent an alert in fast.log. But we appear to get both [Drop] and [**].
The reason I've chosen this example is that even though fast.log says the packet was dropped, it's not shown in drop.log.
I also have another rule file which I manually created, called local.rules. My suricata.yaml calls both scirius.rules and local.rules but only local.rules packet matches are shown as dropped in fast.log and drop.log.
scirius.rules patterns that are marked as 'drop' instead of 'alert' are not acted upon and may as well be 'alert'. Yet local.rules patterns that are marked as 'drop' are actually dropped (according to drop.log at least).
syslog doesn't show any obvious errors, nor does suricata-start.log, or any other log that I can find.
I also have issues with ElasticSearch which died after the upgrade to 3.01 but that's another story. I just want to get the Suricata IDS part working for the moment.
Machine info:
3 NICS, 1 x mgt, 1 x inside, 1 x outside
Linux SELKS 3.18.11-stamus #1 SMP Sun Apr 12 05:32:17 EDT 2015 x86_64 GNU/Linux
suricata --build-info
This is Suricata version 3.1dev (rev 50b33ad)
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 4.9.2, C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.19, linked against LibHTP v0.5.19
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
Prelude support: no
PCRE jit: no, libpcre 8.35 blacklisted
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: yes
Old barnyard2 support: no
CUDA enabled: no
Hyperscan support: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fstack-protector-strong -Wformat -Werror=format-security
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
suricata-start.log contents:
[19485] 22/6/2016 -- 21:25:43 - (suricata.c:1079) <Notice> (SCPrintVersion) -- This is Suricata version 3.1dev (rev 50b33ad)
[19485] 22/6/2016 -- 21:25:43 - (util-cpu.c:170) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[19485] 22/6/2016 -- 21:25:43 - (util-device.c:160) <Info> (LiveBuildDeviceListCustom) -- Adding interface eth1 from config file
[19485] 22/6/2016 -- 21:25:43 - (util-device.c:160) <Info> (LiveBuildDeviceListCustom) -- Adding interface eth2 from config file
[19485] 22/6/2016 -- 21:25:43 - (suricata.c:993) <Info> (ParseInterfacesList) -- AF_PACKET: Setting IPS mode
[19485] 22/6/2016 -- 21:25:43 - (app-layer-htp.c:2220) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'request-body-minimal-inspect-size' set to 33882 and 'request-body-inspect-window' set to 4053 after randomization.
[19485] 22/6/2016 -- 21:25:43 - (app-layer-htp.c:2235) <Info> (HTPConfigSetDefaultsPhase2) -- 'default' server has 'response-body-minimal-inspect-size' set to 33695 and 'response-body-inspect-window' set to 4218 after randomization.
[19485] 22/6/2016 -- 21:25:43 - (app-layer-dns-udp.c:337) <Info> (DNSUDPConfigure) -- DNS request flood protection level: 500
[19485] 22/6/2016 -- 21:25:43 - (app-layer-dns-udp.c:349) <Info> (DNSUDPConfigure) -- DNS per flow memcap (state-memcap): 524288
[19485] 22/6/2016 -- 21:25:43 - (app-layer-dns-udp.c:361) <Info> (DNSUDPConfigure) -- DNS global memcap: 16777216
[19485] 22/6/2016 -- 21:25:43 - (app-layer-modbus.c:1449) <Info> (RegisterModbusParsers) -- Modbus request flood protection level: 500
[19485] 22/6/2016 -- 21:25:43 - (defrag-hash.c:209) <Info> (DefragInitConfig) -- allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
[19485] 22/6/2016 -- 21:25:43 - (defrag-hash.c:234) <Info> (DefragInitConfig) -- preallocated 65535 defrag trackers of size 168
[19485] 22/6/2016 -- 21:25:43 - (defrag-hash.c:241) <Info> (DefragInitConfig) -- defrag memory usage: 14679896 bytes, maximum: 33554432
[19485] 22/6/2016 -- 21:25:43 - (detect-pcre.c:127) <Info> (DetectPcreRegister) -- Using PCRE match-limit-recursion setting of: 1522
Any help appreciated.
Michael
Updated by Peter Manev over 9 years ago
Are the drop rules still in scirius.rules? I am asking since after a rule update you can end up with all rules being switched to "alert" again. (especially since you mention that local.rules works as expected)
There are a lot of breaking changes from ES 1.x to 2.x including from Kibana 3 to Kibana 4 - hence no real upgrade path to SELKS 3.0RC1.
Updated by Andreas Herz over 9 years ago
- Assignee set to Peter Manev
- Target version set to TBD
Updated by Michael Dods over 9 years ago
Yes the drop rules are in scirius.rules. I have a daily script that replaces 'alert' with 'drop' after the nightly updates based on certain keywords within the classifications. It's been working well up until now.
I got my ElasticSearch working again. Nuked all the shards with curl, started again, and all is working except the suricata engine issues. There seems to be a bit of instability in the RC1 engine. It even shows dropped packets in drop.log that aren't shown as dropped in fast.log.
I'll have to wait for some of the bugs to be ironed out...
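Added example, not code from this ticket, from Suricata or from Stamus Networks: a small Python script covering the three things discussed above in one place. It does the alert-to-drop rewrite by classtype that Michael's nightly script performs, answers Peter's question of whether the drop rules are actually still in the rules file after an update, and parses fast.log in both the 2.1 shape ("[Drop] [1:sid:rev]") and the 3.1dev shape ("[Drop] [**] [1:sid:rev]") quoted in the description, so that SIDs configured as drop but only ever logged as plain alerts can be listed. The sample rules and fast.log lines are constructed; sid 2200037 is the one from the report, every other sid, msg and classtype value is made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample rules in Suricata syntax (not the real scirius.rules).
# Only sid 2200037 is taken from the ticket; everything else is made up.
SAMPLE_RULES = """\
# a comment line, left untouched
alert tcp any any -> any any (msg:"TEST trojan beacon"; classtype:trojan-activity; sid:9000001; rev:1;)
alert http any any -> any any (msg:"TEST policy"; classtype:policy-violation; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"TEST disabled"; classtype:trojan-activity; sid:9000003; rev:1;)
drop tcp any any -> any any (msg:"SURICATA TCP duplicated option"; classtype:protocol-command-decode; sid:2200037; rev:1;)
"""

# Constructed fast.log lines in the two shapes quoted in the description
# (3.1dev "[Drop] [**] [1:sid:rev]" and plain "[**] [1:sid:rev]" alerts).
SAMPLE_FAST_LOG = [
    "06/22/2016-21:16:23.816623 [Drop] [**] [1:2200037:1] SURICATA TCP duplicated option",
    "06/22/2016-21:16:24.000001 [**] [1:9000001:1] TEST trojan beacon",
    "06/22/2016-21:16:25.000002 [**] [1:9000002:1] TEST policy",
]

# An enabled rule starts with its action; a leading '#' means disabled.
RULE_RE = re.compile(r'^(?P<action>alert|drop|reject|pass)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
CLASS_RE = re.compile(r'\bclasstype\s*:\s*([^;]+?)\s*;')

# timestamp, then any number of "[...]" tags ("[Drop]", "[**]"), then [gid:sid:rev].
# The lazy tag group makes this match the 2.1, 3.1dev and plain-alert shapes alike.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<tags>(?:\[[^\]]*\]\s+)*?)\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]'
)


def flip_to_drop(rules_text, drop_classtypes):
    """Rewrite enabled 'alert' rules whose classtype is in drop_classtypes to 'drop'.

    Comments, disabled ('#alert ...') rules and other actions are left as they are,
    so the output can be written back over the rules file after a nightly update."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        c = CLASS_RE.search(line)
        if m and m.group('action') == 'alert' and c and c.group(1) in drop_classtypes:
            line = 'drop ' + m.group('rest')
        out.append(line)
    return '\n'.join(out) + '\n'


def sids_by_action(rules_text):
    """Map action -> set of sids for enabled rules.

    Running this after the rule update tells you whether the drop rules are
    really still 'drop' or were reset to 'alert' by the update."""
    result = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(line)
        if m and s:
            result[m.group('action')].add(int(s.group(1)))
    return result


def parse_fast_log(lines):
    """Map sid -> set of actions seen in fast.log ('Drop' if the [Drop] tag is present, else 'alert')."""
    seen = defaultdict(set)
    for line in lines:
        m = FAST_RE.match(line)
        if not m:
            continue  # not an alert line (or a shape this parser does not know)
        action = 'Drop' if '[Drop]' in m.group('tags') else 'alert'
        seen[int(m.group('sid'))].add(action)
    return seen


def drop_rules_not_dropping(rules_text, fast_lines):
    """SIDs whose rule says 'drop' but which fast.log only ever reports as plain alerts."""
    configured = sids_by_action(rules_text)['drop']
    seen = parse_fast_log(fast_lines)
    return sorted(s for s in configured if s in seen and 'Drop' not in seen[s])


if __name__ == '__main__':
    # Replace the constructed samples with open('scirius.rules').read() and
    # open('fast.log') to run this against a real deployment.
    rules = flip_to_drop(SAMPLE_RULES, {'trojan-activity'})
    print('configured drop sids:', sorted(sids_by_action(rules)['drop']))
    print('drop rules not dropping:', drop_rules_not_dropping(rules, SAMPLE_FAST_LOG))
```

With the constructed input the rewrite turns sid 9000001 into a drop rule, sid 2200037 is confirmed as logged with the [Drop] tag, and 9000001 is reported as a rule that is configured to drop but only shows up as a plain alert, which is the symptom the ticket describes for scirius.rules. Correlation with drop.log is deliberately left out, since the ticket quotes no drop.log lines to build a parser from.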
Updated by Andreas Herz over 9 years ago
Could you provide us with some example rules and maybe even a pcap so we can try to reproduce that issue?
Updated by Andreas Herz over 8 years ago
- Status changed from New to Closed
Closed (no response in 9 months).