Project

General

Profile

Actions
Copy link

Task #5510

open

stream (midstream): investigate - Suri drops flow but still logs second packet of the flow

Added by Juliana Fajardini Reichow 9 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Juliana Fajardini Reichow
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

In IPS mode with stream.midstream=true, if we have a flow that is first seen
in ACK state by Suri and matches against a drop rule, Suri correctly drops the
flow, but still logs an applayer event for the second packet.

Investigated and was able to reproduce this with HTTP and SMB protos. Will add
an SV test to demonstrate.

I noticed this while working on an exception policy for midstream (#5468),
and was able to reproduce on a clean master branch as well.

Related issues 1 (1 open0 closed)

Related to Bug #5802: ips: txs still logged for dropped flowAssignedVictor JulienActions
Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow 6 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow 4 months ago

  • Related to Bug #5802: ips: txs still logged for dropped flow added
Actions
Copy link

Also available in: Atom PDF