Support #3197: suricata dropping traffic on alert - Suricata - Open Information Security Foundation

Actions

Copy link

Support #3197

closed

suricata dropping traffic on alert

Added by Daniel Vein about 5 years ago. Updated about 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Community Ticket

Affected Versions:

4.1.2

Label:

Description

I probably have something misconfigured but suricata seems to drop traffic on alert on inline.

fast.log

09/26/2019-20:54:36.968372 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59446 -> 151.101.148.204:80
09/26/2019-20:54:36.990844 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59448 -> 151.101.148.204:80
09/26/2019-20:55:07.022267 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59450 -> 151.101.148.204:80
09/26/2019-20:55:07.076369 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59452 -> 151.101.148.204:80
09/26/2019-20:55:37.076534 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59454 -> 151.101.148.204:80
09/26/2019-20:56:07.114465 [**] [1:2013504:5] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.177:59458 -> 151.101.148.204:80

drop.log

09/26/2019-20:54:36.968372: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=254 TOS=0x00 TTL=64 ID=633 PROTO=TCP SPT=59446 DPT=80 SEQ=851603426 ACK=2847554061 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:54:36.990844: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=260 TOS=0x00 TTL=64 ID=25877 PROTO=TCP SPT=59448 DPT=80 SEQ=1538132105 ACK=905718895 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:55:07.022267: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=254 TOS=0x00 TTL=64 ID=58507 PROTO=TCP SPT=59450 DPT=80 SEQ=2942922343 ACK=886521798 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:55:07.076369: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=260 TOS=0x00 TTL=64 ID=9673 PROTO=TCP SPT=59452 DPT=80 SEQ=3067195188 ACK=693107189 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:55:37.076534: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=262 TOS=0x00 TTL=64 ID=26244 PROTO=TCP SPT=59454 DPT=80 SEQ=4164996812 ACK=343723356 WINDOW=229 ACK PSH RES=0x00 URGP=0
09/26/2019-20:56:07.114465: IN= OUT= SRC=192.168.1.177 DST=151.101.148.204 LEN=262 TOS=0x00 TTL=64 ID=58023 PROTO=TCP SPT=59458 DPT=80 SEQ=661661500 ACK=699528539 WINDOW=229 ACK PSH RES=0x00 URGP=0

Files

suricata.yaml.txt (72.6 KB) suricata.yaml.txt

debian suricata.yaml

Daniel Vein, 10/02/2019 09:04 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Support #3197

suricata dropping traffic on alert

Updated by Daniel Vein about 5 years ago

Updated by Andreas Herz about 5 years ago

Updated by Daniel Vein about 5 years ago

Updated by Daniel Vein about 5 years ago

Updated by Andreas Herz about 5 years ago