Bug #2646

closed

suricata-update fails when suricata is running because the TCP connection is closed incorrectly

Added by Richum _ over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Software
----------------
  • Ubuntu 18.04.1 LTS
  • Kernel 4.15.0-33-generic #36-Ubuntu SMP
  • Suricata 4.0.5 RELEASE
Configuration
----------------
  • Suricata is running in IPS mode (NFQ)
  • Rules are only set to alert, not to block (blocking does work btw)

The problem
----------------
When running suricata-update the process blocks while trying to download a file. This only happens when suricata is running. If I stop suricata and re-run suricata-update everything goes fine.

I do not experience any other noticeable networking problems while suricata is running.

Network analysis
----------------
  • When suricata is disabled the server ends the connection with the FIN flag, the client responds with the RST flag
  • When suricata is enabled the client closes the connection with the FIN flag, the server responds with FIN/ACK but the client ignores these, causing retransmissions

The original PCAP files can be found in the attachments.


Files

  • suricata-bad-extracted.pcapng (8.92 KB), Richum _, 10/23/2018 09:01 PM
  • suricata-good-extracted.pcapng (18.2 KB), Richum _, 10/23/2018 09:01 PM
  • rules.v4 (1.1 KB), Richum _, 10/24/2018 04:49 PM
  • suricata.yaml (66.5 KB), Richum _, 10/24/2018 04:49 PM