Project

General

Profile

Actions
Copy link

Security #5571

closed
VJ

ips: encapsulated packet logged as dropped, but not actually dropped

Security #5571: ips: encapsulated packet logged as dropped, but not actually dropped

Added by Anonymous over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
7.0.0-beta1
Affected Versions:
6.0.8
Label:
CVE:
Git IDs:
Severity:
HIGH
Disclosure Date:

Description

We just upgraded from Suricata 6.0.6 setup in IPS with NFQUEUE to Suricata 6.0.8 with the same setup.

We have a drop rule in place (same rule since 6.0.6).

When we initiate traffic from the Suricata instance itself to the site that match the drop rule we get the following (correct) behavior:
  1. fast.log logs the drop entry
  2. The traffic is actually dropped
When we initiate traffic from outside the Suricata (and traffic flows through the Suricata) we see the following behavior:
  1. fast.log logs the drop entry
  2. The traffic is NOT dropped

Subtasks 1 (0 open1 closed)

Security #5600: ips: encapsulated packet logged as dropped, but not actually dropped (6.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5633: Pass rules on 6.0.8 are generating alert events when passing tunneled trafficClosedVictor JulienActions
Actions
Copy link

Also available in: PDF Atom