Bug #2646
Status: closed
suricata-update fails when suricata is running because the TCP connection is closed incorrectly
Description
----------------
- Ubuntu 18.04.1 LTS
- Kernel 4.15.0-33-generic #36-Ubuntu SMP
- Suricata 4.0.5 RELEASE
----------------
- Suricata is running in IPS mode (NFQ)
- Rules are only set to alert, not to block (blocking does work btw)
The problem
----------------
When running suricata-update the process blocks while trying to download a file. This only happens when suricata is running. If I stop suricata and re-run suricata-update everything goes fine.
I do not experience any other noticeable networking problems while suricata is running.
Network analysis
----------------
- When suricata is disabled the server ends the connection with the FIN flag, the client responds with the RST flag
- When suricata is enabled the client closes the connection with the FIN flag, the server responds with FIN/ACK but the client ignores these causing retransmissions
The original PCAP files can be found in the attachments.
Updated by Victor Julien over 5 years ago
This is strange, the pcaps are processed normally w/o issues. The only half-clue I see is that the bad session sends an 'encrypted alert' much sooner than the good session.
How did you capture these pcaps?
Updated by Richum _ over 5 years ago
- File rules.v4 added
- File suricata.yaml added
I captured the traffic locally using tshark. The machine has two physical NICs and is configured as a router running suricata.
Just for some extra information I attached the following configuration files:
/etc/iptables/rules.v4
/etc/suricata/suricata.yaml
Because I do not use IPv6 in my local network the IPv6 stack is disabled on the machine.
Maybe this is a configuration issue because of my lack of experience with suricata?
Updated by Richum _ over 5 years ago
This issue can be closed. I have no idea what caused this behaviour but since updating the system (and replacing Logstash with Filebeat to reduce memory usage) this issue has gone away.