Project

General

Profile

Actions

Bug #5867

closed

false-positive drop event_types possible on passed packets

Added by Alex Kulikov about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If both 'pass' and 'dop' rules apply to the same packet/flow, the packet is passed, but the drop log may contain an entry about the packet being dropped.
Example rules:
pass tcp 172.17.1.0/24 any → any 225 (msg:“PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds”; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

and

drop tcp 172.17.1.0/24 any → any 225 (msg:“DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds”; flow:to_server,established; classtype:misc-activity; sid:1000101; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)

session on port 225 will work, but the eve-log (with drop log enabled) will show messages like: {“timestamp”:“2023-02-15T18:49:10.169185+0000”,“flow_id”:662827960784155,“in_iface”:“hn0”,“event_type”:“drop”,“src_ip”:“172.17.1.80”,“src_port”:1709,“dest_ip”:“172.17.1.105”,“dest_port”:225,“proto”:“TCP”,“drop”:{“len”:40,“tos”:0,“ttl”:127,“ipid”:27476,“tcpseq”:1500042227,“tcpack”:1787298342,“tcpwin”:65252,“syn”:false,“ack”:true,“psh”:false,“rst”:false,“urg”:false,“fin”:false,“tcpres”:0,“tcpurgp”:0},“alert”:{“action”:“blocked”,“gid”:1,“signature_id”:1000101,“rev”:1,“signature”:“DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds”,“category”:“Misc activity”,“severity”:3}}

without 'alert' event_type messages

seems to have originated somewhere between 6.0.5 and 6.0.9
ref. https://forum.suricata.io/t/drop-log-false-positive-records-possible-since-6-0-6/3228

Thanks!


Subtasks 1 (0 open1 closed)

Bug #5888: false-positive drop event_types possible on passed packets (6.0.x backport)ClosedVictor JulienActions
Actions #1

Updated by Victor Julien about 1 year ago

Can you try 6.0.10?

Actions #2

Updated by Alex Kulikov about 1 year ago

Victor Julien wrote in #note-1:

Can you try 6.0.10?

unfortunately no. freebsd port is still on 6.0.9. and it does not look like #5806 if we're talking about that (no 'midstream=true && stream.midstream-policy=drop-flow' in config)

Actions #3

Updated by Juliana Fajardini Reichow about 1 year ago

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
Actions #4

Updated by Victor Julien about 1 year ago

  • Status changed from New to Assigned
  • Target version changed from TBD to 7.0.0-rc2
  • Label Needs backport to 6.0 added
Actions #5

Updated by OISF Ticketbot about 1 year ago

  • Subtask #5888 added
Actions #6

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #8

Updated by Victor Julien about 1 year ago

Merged https://github.com/OISF/suricata/pull/8625, can you check if that addresses your case as well @Juliana Fajardini Reichow

Actions #9

Updated by Juliana Fajardini Reichow about 1 year ago

  • Assignee changed from Juliana Fajardini Reichow to Victor Julien

Assigning to Victor, as he worked on it.

Actions #10

Updated by Alex Kulikov about 1 year ago

Victor Julien wrote in #note-8:

Merged https://github.com/OISF/suricata/pull/8625, can you check if that addresses your case as well @Juliana Fajardini Reichow

https://github.com/OISF/suricata/pull/8625/commits/09348564f032ad61811d2a77aecc1d0472f4a656 looks great.
I hope this gets backported.
thanks!!

Actions #11

Updated by Juliana Fajardini Reichow about 1 year ago

Alex Kulikov wrote in #note-10:

Victor Julien wrote in #note-8:

Merged https://github.com/OISF/suricata/pull/8625, can you check if that addresses your case as well @Juliana Fajardini Reichow

https://github.com/OISF/suricata/pull/8625/commits/09348564f032ad61811d2a77aecc1d0472f4a656 looks great.
I hope this gets getported.
thanks!!

Sorry for the late reply. This makes https://github.com/OISF/suricata-verify/pull/1151 pass.

Actions #12

Updated by Victor Julien about 1 year ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF