Security #5571: ips: encapsulated packet logged as dropped, but not actually dropped

Added by Anonymous over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity: HIGH
Disclosure Date:

Description

We just upgraded from a Suricata 6.0.6 setup in IPS mode with NFQUEUE to Suricata 6.0.8 with the same setup.

We have a drop rule in place (the same rule since 6.0.6).

When we initiate traffic from the Suricata instance itself to the site that matches the drop rule, we get the following (correct) behavior:
  1. fast.log logs the drop entry
  2. The traffic is actually dropped
When we initiate traffic from outside the Suricata (and the traffic flows through the Suricata), we see the following behavior:
  1. fast.log logs the drop entry
  2. The traffic is NOT dropped
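The reporter's symptom is that fast.log claims a drop that never happened. A practitioner verifying an IPS deployment after an upgrade wants exactly that check automated: take the `[Drop]` entries fast.log wrote and compare them with whether the corresponding flow actually completed end to end. The script below is an added example, not code from the report or from the Suricata project. It parses fast.log's line format (Suricata marks an enforced drop with `[Drop]` and a would-have-dropped match with `[wDrop]` between the timestamp and the first `[**]`), and correlates each `[Drop]` line with constructed probe results keyed by the 5-tuple that fast.log printed. The log lines, the addresses, the rule SIDs and the probe outcomes are all constructed for the example; in the reporter's setup the probe from the outside host would be the GENEVE-encapsulated flow, and the assumption here is that the probe results are keyed by the inner addresses, which is what the fast.log entry shows.

```python
import re
from dataclasses import dataclass

# fast.log line layout (Suricata 6): timestamp, optional "[Drop]" or "[wDrop]",
# "[**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO}
# src:sport -> dst:dport". "[Drop]" is a claim that the packet was dropped;
# "[wDrop]" means the rule matched but the engine is not enforcing.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample fast.log content (not from the report). SIDs 9000001 and
# 9000002 and all addresses are made up for the example.
SAMPLE_FASTLOG = """\
10/05/2022-14:02:11.000123  [Drop] [**] [1:9000001:1] TEST drop outbound to blocked site [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:43210 -> 203.0.113.10:443
10/05/2022-14:02:12.000456  [Drop] [**] [1:9000001:1] TEST drop outbound to blocked site [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.7:51515 -> 203.0.113.10:443
10/05/2022-14:02:13.000789  [**] [1:9000002:1] TEST alert only [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.7:51516 -> 203.0.113.11:80
10/05/2022-14:02:14.000999  [wDrop] [**] [1:9000001:1] TEST drop outbound to blocked site [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:43211 -> 203.0.113.10:443
"""

# Constructed probe outcomes: did the client see the TCP handshake complete and
# a response arrive? Keyed by (src, sport, dst, dport) as printed in fast.log.
# 10.0.0.5 stands for the sensor itself, 192.168.100.7 for the outside host
# whose traffic reaches the sensor encapsulated (GENEVE in the reporter's case).
PROBE_RESULTS = {
    ("10.0.0.5", 43210, "203.0.113.10", 443): False,      # locally initiated: blocked
    ("192.168.100.7", 51515, "203.0.113.10", 443): True,  # from outside: got through
    ("10.0.0.5", 43211, "203.0.113.10", 443): True,       # wDrop: no enforcement claim
}


@dataclass(frozen=True)
class Alert:
    ts: str
    action: str  # "Drop", "wDrop" or "" for alert-only
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def parse_fastlog(text):
    """Parse fast.log text into Alert records; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(
            ts=m["ts"],
            action=m["action"] or "",
            sid=int(m["sid"]),
            msg=m["msg"],
            proto=m["proto"],
            src=m["src"],
            sport=int(m["sport"]),
            dst=m["dst"],
            dport=int(m["dport"]),
        ))
    return alerts


def find_enforcement_gaps(alerts, probe_results):
    """Return alerts that claim [Drop] for a flow the probe shows was completed.

    Alert-only and [wDrop] lines make no enforcement claim and are ignored, as
    are [Drop] lines for flows with no probe result (cannot be judged).
    """
    gaps = []
    for a in alerts:
        if a.action != "Drop":
            continue
        completed = probe_results.get(a.flow)
        if completed:
            gaps.append(a)
    return gaps


if __name__ == "__main__":
    for a in find_enforcement_gaps(parse_fastlog(SAMPLE_FASTLOG), PROBE_RESULTS):
        print(f"LOGGED DROP BUT FLOW COMPLETED: sid={a.sid} "
              f"{a.src}:{a.sport} -> {a.dst}:{a.dport} ({a.msg})")
```

In a real check the probe results come from the client side (for example the exit status of a `curl` with a short timeout run from the sensor and from a host behind it), not from the sensor's own logs: the whole point is to measure enforcement independently of what the engine says it did. Treat `[wDrop]` lines as a separate finding (the engine is not in enforcing mode at all) rather than as a gap of this kind.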

Subtasks 1 (0 open, 1 closed)

Security #5600: ips: encapsulated packet logged as dropped, but not actually dropped (6.0.x backport). Status: Closed. Assignee: Victor Julien.

Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #5633: Pass rules on 6.0.8 are generating alert events when passing tunneled traffic. Status: Closed. Assignee: Victor Julien.

#1 Updated by Anonymous over 3 years ago

I wanted to mention that when the traffic is initiated from outside the Suricata, we use GENEVE encapsulation.
This is on Ubuntu 20.04.

After reverting back to 6.0.6, everything works again as expected.

#2 Updated by Juliana Fajardini Reichow over 3 years ago

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow

#3 Updated by Travers Carter over 3 years ago

We are seeing the same thing on Amazon Linux 2, GENEVE encapsulated traffic from an AWS Gateway Load Balancer is not dropped even when matched/logged as such on v6.0.8, but it is after downgrading back to v6.0.6.

On v6.0.8 locally initiated traffic is dropped when it matches a drop rule, it's only the GENEVE traffic that isn't.

This is on Amazon Linux 2 using the RPM packages from https://copr.fedorainfracloud.org/coprs/g/oisf/suricata-latest/

#4 Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
  • Target version changed from TBD to 6.0.9

#5 Updated by Victor Julien over 3 years ago

  • Status changed from Assigned to In Progress
  • Assignee changed from Juliana Fajardini Reichow to Victor Julien
  • Target version changed from 6.0.9 to 7.0.0-beta1
  • Label Needs backport to 6.0 added

#6 Updated by Victor Julien over 3 years ago

  • Subject changed from "Suricata in IPS mode with NFQUEUE we can see the DROP in fast.log but the packet still goes through" to "ips: encapsulated packet logged as dropped, but not actually dropped"
  • Status changed from In Progress to In Review

#7 Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Resolved

#8 Updated by Shivani Bhardwaj over 3 years ago

  • Subtask #5600 added

#9 Updated by Shivani Bhardwaj over 3 years ago

  • Label deleted (Needs backport to 6.0)

#10 Updated by Victor Julien over 3 years ago

  • Related to Bug #5633: Pass rules on 6.0.8 are generating alert events when passing tunneled traffic added

#11 Updated by Victor Julien over 3 years ago

  • Status changed from Resolved to Closed

#12 Updated by Victor Julien over 3 years ago

  • Tracker changed from Bug to Security
  • Severity set to HIGH