Bug #2933

Suricata 4.1.3 block flow

Added by Anthony h 2 months ago. Updated 25 days ago.

Status: New
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I use Suricata 4.1.3 on Debian 9.
I use the following iptables commands to redirect flow to Suricata:

iptables -A FORWARD -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 1
iptables -A FORWARD -s xxx.xxx.xxx.xxx -j NFQUEUE --queue-num 1

Sometimes, Suricata seems to drop all packets without any information in the log files.

I need to kill Suricata, then I put iptables -I FORWARD -j ACCEPT and then I restart Suricata like this:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 1

To finish, I remove the iptables rule: iptables -D FORWARD -j ACCEPT

This problem appeared with release 4.1.3.

Before, with Suricata 4.1.2, I had no problem.

Is it a bug in Suricata?

Thank you

Anthony

History

#1

Updated by Anthony h 2 months ago

For more information, I configure Suricata like this:

./configure --enable-nfqueue --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/include/nspr --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libhtp-libraries=/usr/lib/ --enable-gccprotect --disable-gccmarch-native

#2

Updated by Andreas Herz about 2 months ago

Do you see anything interesting at that time where you have those drops? Also look into system logs and the load of the system.
Without more details it's rather hard to tell why this happens.

#3

Updated by Anthony h about 1 month ago

I have nothing in syslog or message file.

Is it possible to activate debugging in order to get more information from Suricata?

I will try with the new release 4.1.4.

#4

Updated by Andreas Herz 25 days ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Yes, you can run ./configure with --enable-debug as described here: https://blog.inliniac.net/2010/01/04/suricata-debugging/
