Bug #2933: Suricata 4.1.3 block flow

Added by Anthony h about 5 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal

Description

Hi,

I use Suricata 4.1.3 on Debian 9
I use the following iptables commands to redirect traffic to Suricata:

iptables -A FORWARD -d xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 1
iptables -A FORWARD -s xxx.xxx.xxx.xxx -j NFQUEUE --queue-num 1

Sometimes, Suricata seems to drop all packets without any information in the log files.

I need to kill Suricata, then I run iptables -I FORWARD -j ACCEPT, and then I restart Suricata like this:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 1

To finish, I remove the iptables rule: iptables -D FORWARD -j ACCEPT

This problem appeared with release 4.1.3.

Before, with Suricata 4.1.2, I had no problem.

Is it a bug of Suricata?

Thank you

Anthony
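The rules in the report hand every matching packet to NFQUEUE 1, and the kernel drops a packet it cannot queue because nothing is bound to that queue, so from the outside a Suricata process that has exited or stopped reading its queue looks like a box that silently blocks everything. The script below is an added example, not part of the bug report and not Suricata project code. It emits the reporter's rules beside a fail-open variant that uses the NFQUEUE target's --queue-bypass option, and wraps the manual kill / ACCEPT / restart / delete sequence in a restart routine that keeps a temporary ACCEPT rule in place until a listener is bound to the queue again. The protected host 203.0.113.10 (a documentation address), queue number 1 and the config path are assumed values for the example; the original post does not give the host.

```shell
#!/bin/sh
# Added example, not from the bug report or the Suricata project.
# Generates the NFQUEUE rules from the report (fail-closed) and a fail-open
# variant, and performs a restart that never leaves the queue unattended.
#
# Assumed values (not given in the original post): protected host
# 203.0.113.10, queue number 1, Suricata config path as in the report.
set -u

HOST="${HOST:-203.0.113.10}"
QUEUE="${QUEUE:-1}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
IPTABLES="${IPTABLES:-iptables}"      # set IPTABLES=echo to dry-run

# Emit one FORWARD rule that hands matching packets to the queue.
#   $1  match expression   $2  "bypass" to append --queue-bypass
# Without --queue-bypass the kernel drops any packet it cannot queue (no
# userspace listener bound to the queue), which is what a dead or stuck
# Suricata causes. With it, such packets are accepted instead.
nfq_rule() {
    extra=""
    [ "${2:-}" = "bypass" ] && extra=" --queue-bypass"
    printf '%s FORWARD %s -j NFQUEUE --queue-num %s%s\n' "-A" "$1" "$QUEUE" "$extra"
}

# The two rules from the report. "-m conntrack --ctstate" is the current
# spelling of the post's "-m state --state"; the match is the same.
rules() {
    nfq_rule "-d $HOST -m conntrack --ctstate RELATED,ESTABLISHED" "${1:-}"
    nfq_rule "-s $HOST" "${1:-}"
}

# True when a process is bound to queue $QUEUE: the first column of the
# kernel's nfnetlink_queue table is the queue number.
queue_has_listener() {
    grep -q "^ *$QUEUE " /proc/net/netfilter/nfnetlink_queue 2>/dev/null
}

# Restart Suricata the way the reporter does by hand, in the safe order:
# open a bypass first, restart, then close the bypass once the queue is
# bound again. If Suricata never binds, the ACCEPT rule is left in place
# and the function fails, so the operator knows traffic is unfiltered.
safe_restart() {
    "$IPTABLES" -I FORWARD 1 -j ACCEPT
    pkill -x suricata 2>/dev/null || true
    /usr/bin/suricata -c "$SURICATA_YAML" -q "$QUEUE" -D
    i=0
    while ! queue_has_listener; do
        i=$((i + 1))
        if [ "$i" -ge 30 ]; then
            echo "suricata did not bind queue $QUEUE; ACCEPT rule left in FORWARD" >&2
            return 1
        fi
        sleep 1
    done
    "$IPTABLES" -D FORWARD -j ACCEPT
}

case "${1:-show}" in
    show)
        echo "# rules from the report (fail closed when no listener):"
        rules
        echo "# same rules, fail open while Suricata is down:"
        rules bypass
        ;;
    apply)      # usage: apply [bypass]
        rules "${2:-}" | while read -r r; do
            # word splitting of $r into iptables arguments is intended
            "$IPTABLES" $r
        done
        ;;
    restart)
        safe_restart
        ;;
esac
```

Run with no argument to print both rule sets; `apply bypass` installs the fail-open set and `restart` replaces the manual sequence from the report. Fail-open means the protected host is unfiltered for as long as Suricata is down, so it is a deliberate choice for each deployment, not a fix for whatever stopped Suricata; the reporter's rules make the opposite choice, in which a Suricata outage blocks the host until someone intervenes.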

#1

Updated by Anthony h about 5 years ago

For more information, I configured Suricata like this:

./configure --enable-nfqueue --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/include/nspr --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --with-libhtp-libraries=/usr/lib/ --enable-gccprotect --disable-gccmarch-native

#2

Updated by Andreas Herz almost 5 years ago

Do you see anything interesting at the time when you have those drops? Also look into the system logs and the load of the system.
Without more details it's rather hard to tell why this happens.

#3

Updated by Anthony h almost 5 years ago

I have nothing in syslog or the messages file.

Is it possible to activate debugging in order to get more information from Suricata?

I will try with the new release 4.1.4.

#4

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Yes, you can run ./configure with --enable-debug as described here: https://blog.inliniac.net/2010/01/04/suricata-debugging/

#5

Updated by Andreas Herz about 2 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
