Bug #2552
closed"Drop" action is logged as "allowed" in af_packet and netmap modes
Description
Version: current git master.
It seems that commit 4474889667d664a66c1c123f4f7d2756e8a7fbb9 has broken AFPRunModeIsIPS() and NetmapRunModeIsIPS(). These functions are called from ParseInterfacesList() and work with 'real' live devices list. However, when ParseInterfacesList() is called, the list is empty because LiveDeviceFinalize() was not called yet. As a result, EngineModeSetIPS() is not called and this obviously breaks logging and, probably, some other things.
Currently I have no idea how to do things right (in other words, correct and good looking). Probably we need to move some blocks from ParseInterfacesList() to somewhere else, after LiveDeviceFinalize().
Updated by Eric Leblond almost 6 years ago
Thanks Alexander for the very detailed report. I have implemented your suggestion.
Could you try the following branch: https://github.com/regit/suricata/tree/bug-2552 ?
Updated by Alexander Gozman almost 6 years ago
Eric Leblond wrote:
Thanks Alexander for the very detailed report. I have implemented your suggestion.
Could you try the following branch: https://github.com/regit/suricata/tree/bug-2552 ?
Eric, thank you for the quick feedback. Tried the patch, everything works fine (logged action is "blocked").
Updated by Victor Julien over 5 years ago
- Status changed from New to Closed
- Target version set to 4.1rc2
Updated by Alexander Gozman over 5 years ago
Victor Julien wrote:
Does this affect 4.0.x?
IMHO no, because 4.0.x handles "live devices" in an old way. There's no LiveDeviceFinalize() there.