Bug #6223
HTTP/HTTP2 websites cannot be accessed; however HTTP3 can
Description
Suricata 7.0.0
AF-Packet IPS mode
HTTP/1, HTTP/2 websites cannot be accessed. However, HTTP/3 can.
HTTP/3 sites, e.g. youtube.com, thehackernews.com.
Updated by Victor Julien 9 months ago
Can you share your stats.log from when this happens?
Updated by Victor Julien 9 months ago
flow.end.tcp_state.syn_sent | Total | 41
It seems that almost all tcp connections are timing out in the syn_sent state.
Can you inspect the flow logs for these sessions? See if anything interesting is logged?
Updated by Victor Julien 9 months ago
cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
1118 "flow drop"
14 "stream error"
131 "stream midstream"
I don't know the reason of the "stream error"s. To get more insight enable the stream option in the anomaly log type, and/or enable stream-events in stats.
In 7 we now default to dropping on exceptions like this. To change this you can set a liberal exception policy --set exception-policy=ignore.
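As an added example (not part of the original thread or of Suricata itself), the drop-reason tally above can be extended to group by transport protocol and destination port; HTTP/3 runs over QUIC on UDP, so this shows whether the drops are confined to TCP. The sample EVE lines are constructed, and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample EVE records (not taken from the reporter's eve.json).
# The last line is deliberately truncated, as can happen while the log is being written.
SAMPLE_EVE = '''\
{"event_type":"drop","proto":"TCP","dest_port":443,"drop":{"reason":"stream midstream"}}
{"event_type":"drop","proto":"TCP","dest_port":443,"drop":{"reason":"flow drop"}}
{"event_type":"drop","proto":"TCP","dest_port":443,"drop":{"reason":"flow drop"}}
{"event_type":"drop","proto":"TCP","dest_port":80,"drop":{"reason":"stream error"}}
{"event_type":"flow","proto":"UDP","dest_port":443,"app_proto":"quic"}
{"event_type":"drop","proto":"TCP","dest_po
'''


def drop_summary(lines):
    """Count drops per (proto, dest_port, reason); same filter as jq 'select(.drop)'."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partially written or corrupt lines
        drop = event.get("drop")
        if not isinstance(drop, dict):
            continue  # not a drop record (flow, alert, stats, ...)
        key = (event.get("proto", "?"), event.get("dest_port"),
               drop.get("reason", "unknown"))
        counts[key] += 1
    return counts


def protocols_dropped(counts):
    """Return the sorted set of transport protocols that have at least one drop."""
    return sorted({proto for (proto, _port, _reason) in counts})


if __name__ == "__main__":
    summary = drop_summary(SAMPLE_EVE.splitlines())
    for (proto, port, reason), n in summary.most_common():
        print(f"{n:6d}  {proto:<4} {port!s:<6} {reason}")
    print("protocols with drops:", ", ".join(protocols_dropped(summary)))
```

To run it against a real log, pass an open file handle for eve.json to drop_summary() instead of the sample lines.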