"Drop" action is logged as "allowed" in af_packet and netmap modes
Version: current git master.
It seems that commit 4474889667d664a66c1c123f4f7d2756e8a7fbb9 has broken AFPRunModeIsIPS() and NetmapRunModeIsIPS(). These functions are called from ParseInterfacesList() and work with the 'real' live device list. However, when ParseInterfacesList() is called, the list is empty because LiveDeviceFinalize() was not called yet. As a result, EngineModeSetIPS() is not called, and this obviously breaks logging and, probably, some other things.
Currently I have no idea how to do things right (in other words, correct and good looking). Probably we need to move some blocks from ParseInterfacesList() to somewhere else, after LiveDeviceFinalize().
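The ordering problem the report describes, as an added, hypothetical C model (not Suricata's code): a stand-in for the live device list is empty until a finalize step runs, so an IPS check made before that step never enables IPS mode, and a drop verdict is then reported as "allowed". The Model* names and the sample device pair are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of the start-up ordering in the report;
 * not Suricata's own code. Names mirror the functions the report names. */
#define MAX_DEVS 8

struct LiveDevice { char name[32]; bool copy_mode; };
static struct LiveDevice g_devs[MAX_DEVS];   /* the 'real' live device list */
static size_t g_ndevs = 0;
static bool g_engine_ips = false;

/* Constructed sample config: one af_packet pair in copy mode (an IPS setup). */
static const struct LiveDevice sample_cfg[] = { {"eth0", true}, {"eth1", true} };

static void ModelEngineModeSetIPS(void) { g_engine_ips = true; }

/* Finalize: the pending config becomes the live device list. */
static void ModelLiveDeviceFinalize(void) {
    g_ndevs = sizeof(sample_cfg) / sizeof(sample_cfg[0]);
    memcpy(g_devs, sample_cfg, sizeof(sample_cfg));
}

/* Scans the live list only; an empty list yields false even though
 * copy mode is configured, which is the defect the report describes. */
static bool ModelAFPRunModeIsIPS(void) {
    for (size_t i = 0; i < g_ndevs; i++)
        if (g_devs[i].copy_mode) return true;
    return false;
}

/* Broken order: IPS check inside ParseInterfacesList(), before finalize. */
static bool StartupBroken(void) {
    g_ndevs = 0; g_engine_ips = false;
    if (ModelAFPRunModeIsIPS()) ModelEngineModeSetIPS();  /* list empty: never set */
    ModelLiveDeviceFinalize();
    return g_engine_ips;
}

/* Fixed order: decide IPS mode only after LiveDeviceFinalize(). */
static bool StartupFixed(void) {
    g_ndevs = 0; g_engine_ips = false;
    ModelLiveDeviceFinalize();
    if (ModelAFPRunModeIsIPS()) ModelEngineModeSetIPS();
    return g_engine_ips;
}

/* The visible symptom: a drop rule is only reported as "blocked" when the
 * engine runs in IPS mode; in IDS mode the packet passes and is "allowed". */
static const char *ModelLoggedAction(bool engine_ips, bool rule_drops) {
    return (engine_ips && rule_drops) ? "blocked" : "allowed";
}
```

A log-monitoring check for this class of regression is simple: if an inline sensor's alert records for drop rules ever show "allowed", the engine is not actually in IPS mode, whatever the configuration says.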
Updated by Alexander Gozman about 4 years ago
Eric Leblond wrote:
Thanks Alexander for the very detailed report. I have implemented your suggestion.
Could you try the following branch: https://github.com/regit/suricata/tree/bug-2552 ?
Eric, thank you for the quick feedback. Tried the patch, everything works fine (logged action is "blocked").