Project

General

Profile

Actions
Copy link

Task #4773

open
VJ VJ

research: IPS behavior wrt resource limits

Task #4773: research: IPS behavior wrt resource limits

Added by Victor Julien over 4 years ago. Updated about 1 year ago.

Status:
Assigned
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

When Suricata hits internal resource limits, for example the stream.reassembly.memcap, ACL type rules (drop, reject) will be bypassed as we "fail open" in this case.

As an example, due to the memcap we may fail to add the TLS client hello packet to the stream and not have the SNI available. A drop rule based on the tls.sni would then not get evaluated and the flow will default to being passed along.

Need to investigate in which cases this happens and how it can be addressed.

Subtasks 19 (2 open17 closed)

Feature #5214: ips: allow dropping of flow if stream.memcap is hitClosedVictor JulienActions
Feature #5425: ips: allow dropping of flow if stream.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hitClosedVictor JulienActions
Feature #5426: ips: allow dropping of flow if stream.reassembly.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5216: ips: allow dropping of flow if flow.memcap is hitClosedVictor JulienActions
Feature #5427: ips: allow dropping of flow if flow.memcap is hit (6.0.x backport)ClosedVictor JulienActions
Feature #5217: ips: allow dropping of flow if applayer specific memcap is hitAssignedOISF DevActions
Feature #5218: ips: allow dropping of flow if applayer reaches error stateClosedVictor JulienActions
Feature #5428: ips: allow dropping of flow if applayer reaches error state (6.0.x backport)ClosedVictor JulienActions
Feature #5219: ips: add 'master switch' to enable dropping on traffic (handling) exceptionsClosedJuliana Fajardini ReichowActions
Feature #5286: ips: allow dropping of packet/flow when alert queue exceededAssignedJuliana Fajardini ReichowActions
Feature #5468: ips: midstream: add "exception policy" for midstreamClosedJuliana Fajardini ReichowActions
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Task #5475: doc: add exception policy documentationClosedJuliana Fajardini ReichowActions
Task #5551: doc: add exception policy documentation (6.0.x)ClosedJuliana Fajardini ReichowActions
Feature #5503: ips: add "reject" action to exception policiesClosedJuliana Fajardini ReichowActions
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)ClosedJuliana Fajardini ReichowActions
Task #5504: exceptions: error out when invalid configuration value is passedClosedJuliana Fajardini ReichowActions
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)ClosedJuliana Fajardini ReichowActions

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #5202: eve/drop: include drop "reason"ClosedVictor JulienActions
Related to Suricata - Feature #5194: tracking: options for simulating various exceptionsIn ProgressVictor JulienActions

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #1

  • Description updated (diff)

VJ Updated by Victor Julien about 4 years ago Actions
Copy link
 #2

  • Related to Feature #5202: eve/drop: include drop "reason" added

VJ Updated by Victor Julien about 4 years ago Actions
Copy link
 #3

  • Related to Feature #5194: tracking: options for simulating various exceptions added

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #4

  • Subtask #5468 added

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #5

  • Subtask #5475 added

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #6

  • Subtask #5503 added

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #7

  • Subtask #5504 added

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #8

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #9

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Actions
Copy link

Also available in: PDF Atom