Task #4773

research: IPS behavior wrt resource limits

Added by Victor Julien 11 months ago. Updated 4 days ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Effort: -
Difficulty: -
Label: -

Description

When Suricata hits internal resource limits, for example the stream.reassembly.memcap, ACL-type rules (drop, reject) will be bypassed, as we "fail open" in this case.

As an example, due to the memcap we may fail to add the TLS client hello packet to the stream and not have the SNI available. A drop rule based on the tls.sni would then not get evaluated, and the flow would default to being passed along.

Need to investigate in which cases this happens and how it can be addressed.

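As an added example, not part of the ticket or of the Suricata project's own files: two suricata.yaml fragments contrasting the fail-open default described above with a fail-closed IPS setting, using the per-subsystem policy keys that the closed subtasks introduced (stream.memcap-policy, stream.reassembly.memcap-policy, flow.memcap-policy, app-layer.error-policy, stream.midstream-policy). The key names and the policy values (ignore, pass-packet, pass-flow, bypass, drop-packet, drop-flow, reject) are as shipped in Suricata 6.0.6+ / 7.0; treat them as assumptions for any other version and confirm with `suricata --dump-config`. The memcap sizes are constructed illustration values, not recommendations.

```yaml
# Added example (not from the ticket): fail-open vs. fail-closed handling of
# resource-limit and parser-error exceptions in an inline (IPS) Suricata.
# Key names and values assumed from the Suricata 6.0.6+ / 7.0 suricata.yaml.

# --- Document 1: fail-open (the behaviour this ticket describes) ---
# "ignore" means: on a memcap hit or app-layer parser error, take no action.
# Data that never reached the stream (e.g. the TLS client hello) is not
# inspected, so a later drop/reject rule on tls.sni cannot match and the
# flow is passed along.
---
stream:
  memcap: 64mb               # constructed value
  memcap-policy: ignore
  reassembly:
    memcap: 256mb            # constructed value
    memcap-policy: ignore
  midstream: false
  midstream-policy: ignore   # applies to midstream pickups when midstream: false
flow:
  memcap: 128mb              # constructed value
  memcap-policy: ignore
app-layer:
  error-policy: ignore

# --- Document 2: fail-closed for an inline deployment ---
# drop-flow: once the exception is hit for a flow, all further packets of
# that flow are dropped rather than passed uninspected.
# reject: drop and additionally send TCP RST / ICMP unreachable to both ends,
# so a client whose session tripped a parser error fails fast instead of
# hanging on a silently dropped connection.
---
stream:
  memcap: 64mb               # constructed value
  memcap-policy: drop-flow
  reassembly:
    memcap: 256mb            # constructed value
    memcap-policy: drop-flow
  midstream: false
  midstream-policy: drop-flow
flow:
  memcap: 128mb              # constructed value
  memcap-policy: drop-flow
app-layer:
  error-policy: reject
```

Two caveats for anyone copying the second document: the policies only take effect in IPS mode (AF_PACKET/NFQ inline); in IDS mode nothing is dropped regardless of the setting. And "fail closed" turns every memcap into a denial-of-service lever: an attacker who can drive the box past stream.reassembly.memcap now causes all affected flows to be dropped instead of passed, so size the memcaps for the deployment's real traffic and alert on the memcap counters in the stats output before switching from ignore to drop-flow.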

Subtasks 19 (4 open, 15 closed)

Feature #5214: ips: allow dropping of flow if stream.memcap is hit - Closed - Victor Julien
Feature #5425: ips: allow dropping of flow if stream.memcap is hit (6.0.x backport) - Closed - Victor Julien
Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hit - Closed - Victor Julien
Feature #5426: ips: allow dropping of flow if stream.reassembly.memcap is hit (6.0.x backport) - Closed - Victor Julien
Feature #5216: ips: allow dropping of flow if flow.memcap is hit - Closed - Victor Julien
Feature #5427: ips: allow dropping of flow if flow.memcap is hit (6.0.x backport) - Closed - Victor Julien
Feature #5217: ips: allow dropping of flow if applayer specific memcap is hit - New - OISF Dev
Feature #5218: ips: allow dropping of flow if applayer reaches error state - Closed - Victor Julien
Feature #5428: ips: allow dropping of flow if applayer reaches error state (6.0.x backport) - Closed - Victor Julien
Feature #5219: ips: add 'master switch' to enable dropping on traffic (handling) exceptions - New - OISF Dev
Feature #5286: ips: allow dropping of packet/flow when alert queue exceeded - Assigned - Juliana Fajardini Reichow
Feature #5468: ips: midstream: add "exception policy" for midstream - Closed - Juliana Fajardini Reichow
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport) - Closed - Juliana Fajardini Reichow
Task #5475: doc: add exception policy documentation - In Review - Juliana Fajardini Reichow
Task #5551: doc: add exception policy documentation (6.0.x) - Closed - Juliana Fajardini Reichow
Feature #5503: ips: add "reject" action to exception policies - Closed - Juliana Fajardini Reichow
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport) - Closed - Juliana Fajardini Reichow
Task #5504: exceptions: error out when invalid configuration value is passed - Closed - Juliana Fajardini Reichow
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport) - Closed - Juliana Fajardini Reichow

Related issues 2 (1 open, 1 closed)

Related to Feature #5202: eve/drop: include drop "reason" - Closed - Victor Julien
Related to Feature #5194: tracking: options for simulating various exceptions - In Progress - Victor Julien
History

#1 - Updated by Victor Julien 11 months ago

  • Description updated

#2 - Updated by Victor Julien 6 months ago

  • Related to Feature #5202: eve/drop: include drop "reason" added

#3 - Updated by Victor Julien 6 months ago

  • Related to Feature #5194: tracking: options for simulating various exceptions added

#4 - Updated by Victor Julien 2 months ago

  • Subtask #5468 added

#5 - Updated by Victor Julien 2 months ago

  • Subtask #5475 added

#6 - Updated by Victor Julien about 1 month ago

  • Subtask #5503 added

#7 - Updated by Juliana Fajardini Reichow about 1 month ago

  • Subtask #5504 added