Project

General

Profile

Actions

Bug #2933

closed

Suricata 4.1.3 block flow

Added by Anthony h over 3 years ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I use Suricata 4.1.3 on Debian 9
I use the followinf iptables command to redirect flow to Suricata

iptables -A FORWARD -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 1
iptables -A FORWARD -s xxx.xxx.xxx.xxx -j NFQUEUE --queue-num 1

Sometimes, Suricata seems drop all packet without informations in logs files.

I need to kill Suricata, then I put iptables -I FORWAD -j ACCEPT and then I restart Suricata like this:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 1

To finish I remove the iptables rules: iptables -D FORWAD -j ACCEPT

This problems is appeared with release 4.1.3

Before with Suricata 4.1.2 I have no problem.

Is it a bug of Suricata?

Thank you

Anthony

Actions #1

Updated by Anthony h over 3 years ago

For more information, I configure Suricata like this:

./configure --enable-nfqueue --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/include/nspr --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libhtp-libraries=/usr/lib/ --enable-gccprotect --disable-gccmarch-native

Actions #2

Updated by Andreas Herz over 3 years ago

Do you see anything interesting at that time where you have those drops? Also look into system logs and the load of the system.
Without more details it's rather hard to tell why this happens.

Actions #3

Updated by Anthony h over 3 years ago

I have nothing in syslog or message file.

Is it possible to activate a debug in order to have more information of Suricata?

I will try with the new release 4.1.4.

Actions #4

Updated by Andreas Herz over 3 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Yes you can run ./configure with --enable-debug as described here: https://blog.inliniac.net/2010/01/04/suricata-debugging/

Actions #5

Updated by Andreas Herz 8 months ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions

Also available in: Atom PDF