Bug #5802
closed
ips: txs still logged for dropped flow
Added by Juliana Fajardini Reichow over 1 year ago.
Updated 11 months ago.
Description
This is likely an issue just with UDP traffic.
If a flow is dropped, we still see app-layer output associated with that flow.
There are still some unknowns/ aspects to confirm - could this happen with TCP? Is this just an output issue, or are we actually not totally dropping the flow?
Expected behavior:
If Suri drops an entire flow, we want the engine to:
- mark all associated transactions for that flow as completed
- log, in the respective drop event, the relevant info for the associated transaction
- stop detection and inspection work on that flow, once the drop(s) is processed.
- Related to Task #5510: stream (midstream): investigate - Suri drops flow but still logs second packet of the flow added
#5510 may or may not be related, also something to better investigate.
- Subject changed from Suricata keeps logging app-layer events after flow is dropped to ips: txs still logged for dropped flow
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
- Status changed from New to In Progress
- Status changed from In Progress to Assigned
- Assignee changed from Juliana Fajardini Reichow to Victor Julien
- Related to Task #5807: detect: convert suitable tests to suricata-verify ones added
- Priority changed from Normal to High
- Status changed from Assigned to In Progress
- Status changed from In Progress to In Review
- Label Needs backport to 6.0 added
- Label deleted (
Needs backport to 6.0)
- Status changed from In Review to Resolved
- Status changed from Resolved to Closed
Also available in: Atom
PDF