Bug #2933
closedSuricata 4.1.3 block flow
Description
Hi,
I use Suricata 4.1.3 on Debian 9
I use the followinf iptables command to redirect flow to Suricata
iptables -A FORWARD -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 1
iptables -A FORWARD -s xxx.xxx.xxx.xxx -j NFQUEUE --queue-num 1
Sometimes, Suricata seems drop all packet without informations in logs files.
I need to kill Suricata, then I put iptables -I FORWAD -j ACCEPT and then I restart Suricata like this:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 1
To finish I remove the iptables rules: iptables -D FORWAD -j ACCEPT
This problems is appeared with release 4.1.3
Before with Suricata 4.1.2 I have no problem.
Is it a bug of Suricata?
Thank you
Anthony
Updated by Anthony h over 5 years ago
For more information, I configure Suricata like this:
./configure --enable-nfqueue --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/include/nspr --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libhtp-libraries=/usr/lib/ --enable-gccprotect --disable-gccmarch-native
Updated by Andreas Herz over 5 years ago
Do you see anything interesting at that time where you have those drops? Also look into system logs and the load of the system.
Without more details it's rather hard to tell why this happens.
Updated by Anthony h over 5 years ago
I have nothing in syslog or message file.
Is it possible to activate a debug in order to have more information of Suricata?
I will try with the new release 4.1.4.
Updated by Andreas Herz over 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
Yes you can run ./configure with --enable-debug as described here: https://blog.inliniac.net/2010/01/04/suricata-debugging/
Updated by Andreas Herz almost 3 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs