Support #6223
closed
HTTP/HTTP2 websites cannot be accessed; however HTTP3 can
Description
Suricata 7.0.0
AF-Packet IPS mode
HTTP/1, HTTP/2 websites cannot be accessed. However, HTTP/3 can.
HTTP/3 sites, e.g. youtube.com, thehackernews.com.
Updated by Victor Julien over 1 year ago
Can you share your stats.log from when this happens?
Updated by Victor Julien over 1 year ago
flow.end.tcp_state.syn_sent | Total | 41
It seems that almost all tcp connections are timing out in the syn_sent state.
Can you inspect the flow logs for these sessions? See if anything interesting is logged?
Updated by Victor Julien over 1 year ago
cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
1118 "flow drop"
14 "stream error"
131 "stream midstream"
I don't know the reason of the "stream error"s. To get more insight enable the stream option in the anomaly log type, and/or enable stream-events in stats.
In 7 we now default to dropping on exceptions like this. To change this you can set a liberal exception policy: --set exception-policy=ignore.
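An added example, not part of the original thread and not Suricata's own code: a Python pass over EVE JSON lines that goes one step beyond the jq count above and attributes each dropped flow to its first drop reason other than "flow drop". It assumes that "flow drop" marks follow-on packets of a flow that was already dropped and that drop records carry flow_id; the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not taken from the reporter's log).
SAMPLE_EVE = """\
{"event_type":"drop","flow_id":101,"dest_ip":"198.51.100.5","dest_port":443,"drop":{"reason":"stream midstream"}}
{"event_type":"drop","flow_id":101,"dest_ip":"198.51.100.5","dest_port":443,"drop":{"reason":"flow drop"}}
{"event_type":"drop","flow_id":101,"dest_ip":"198.51.100.5","dest_port":443,"drop":{"reason":"flow drop"}}
{"event_type":"drop","flow_id":102,"dest_ip":"203.0.113.7","dest_port":80,"drop":{"reason":"flow drop"}}
{"event_type":"drop","flow_id":102,"dest_ip":"203.0.113.7","dest_port":80,"drop":{"reason":"stream error"}}
{"event_type":"drop","flow_id":103,"dest_ip":"203.0.113.9","dest_port":443,"drop":{"reason":"flow drop"}}
{"event_type":"drop","flow_id":104,"dest_ip":"198.51.100.8","dest_port":443,"drop":{"reason":"stream midstream"}}
{"event_type":"alert","flow_id":105,"alert":{"signature_id":1}}
{"event_type":"drop","flow_id":106,"drop":{"rea
"""

def summarize(lines):
    """Return (flows per root reason, dropped packets per root reason)."""
    root, packets = {}, Counter()
    for n, line in enumerate(lines):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut off mid-write
        if not isinstance(ev, dict) or ev.get("event_type") != "drop":
            continue
        reason = (ev.get("drop") or {}).get("reason", "unknown")
        # Assumption: records without flow_id are treated as their own flow.
        key = ev.get("flow_id", f"noflow-{n}")
        packets[key] += 1
        # Keep the first specific reason; "flow drop" only fills in when
        # nothing more specific has been seen for this flow.
        if root.get(key, "flow drop") == "flow drop":
            root[key] = reason
    flows, pkts = Counter(root.values()), Counter()
    for key, reason in root.items():
        pkts[reason] += packets[key]
    return flows, pkts

if __name__ == "__main__":
    flows, pkts = summarize(SAMPLE_EVE.splitlines())
    for reason, count in flows.most_common():
        print(f"{count:6d} flows {pkts[reason]:6d} packets  {reason}")
```

A flow that still reports "flow drop" as its root reason had its triggering event outside the log window being read.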
Updated by Samiux A over 1 year ago
The problem was solved after changing "exception-policy: auto" to "exception-policy: ignore" in suricata.yaml. Thank you.
Updated by Samiux A over 1 year ago
However, I find at least the following websites cannot be accessed. I do not know the reason. Any idea?
Updated by Samiux A over 1 year ago
The problem was solved by setting "exception-policy: ignore" to "exception-policy: bypass". Thank you.
Updated by Juliana Fajardini Reichow 7 months ago
- Status changed from New to Closed
Closing, as the solution was with configuration.
Updated by Victor Julien 7 months ago
- Tracker changed from Bug to Support
- Assignee deleted (OISF Dev)
- Priority changed from Immediate to Normal
- Target version deleted (TBD)