Project

General

Profile

Actions
Copy link

Bug #5802

closed
JF VJ

ips: txs still logged for dropped flow

Bug #5802: ips: txs still logged for dropped flow

Added by Juliana Fajardini Reichow over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
7.0.0-rc2
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is likely an issue just with UDP traffic.

If a flow is dropped, we still see app-layer output associated with that flow.

There are still some unknowns/ aspects to confirm - could this happen with TCP? Is this just an output issue, or are we actually not totally dropping the flow?

Expected behavior:
If Suri drops an entire flow, we want the engine to:
- mark all associated transactions for that flow as completed
- log, in the respective drop event, the relevant info for the associated transaction
- stop detection and inspection work on that flow, once the drop(s) is processed.

Subtasks 1 (0 open1 closed)

Bug #6113: ips: txs still logged for dropped flow (6.0.x backport)ClosedVictor JulienActions

Related issues 2 (0 open2 closed)

Related to Suricata - Task #5510: stream (midstream): investigate - Suri drops flow but still logs second packet of the flowClosedOISF DevActions
Related to Suricata - Task #5807: detect: convert suitable tests to suricata-verify onesClosedJuliana Fajardini ReichowActions

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #1

  • Related to Task #5510: stream (midstream): investigate - Suri drops flow but still logs second packet of the flow added

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #2

#5510 may or may not be related, also something to better investigate.

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #3

  • Subject changed from Suricata keeps logging app-layer events after flow is dropped to ips: txs still logged for dropped flow

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #4

  • Target version changed from 7.0.0-rc1 to 7.0.0-rc2

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #5

  • Status changed from New to In Progress

JF Updated by Juliana Fajardini Reichow over 3 years ago Actions
Copy link
 #6

  • Subtask #5807 added

JF Updated by Juliana Fajardini Reichow about 3 years ago Actions
Copy link
 #7

Currently stale, but first draft PR: https://github.com/OISF/suricata/pull/8391

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #8

  • Status changed from In Progress to Assigned
  • Assignee changed from Juliana Fajardini Reichow to Victor Julien

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #9

  • Subtask deleted (#5807)

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #10

  • Related to Task #5807: detect: convert suitable tests to suricata-verify ones added

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #11

  • Priority changed from Normal to High

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #12

  • Status changed from Assigned to In Progress

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #13

  • Status changed from In Progress to In Review
  • Label Needs backport to 6.0 added

OT Updated by OISF Ticketbot almost 3 years ago Actions
Copy link
 #14

  • Subtask #6113 added

OT Updated by OISF Ticketbot almost 3 years ago Actions
Copy link
 #15

  • Label deleted (Needs backport to 6.0)

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #16

  • Status changed from In Review to Resolved

VJ Updated by Victor Julien almost 3 years ago Actions
Copy link
 #17

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: PDF Atom