Project

General

Profile

Actions

Support #6223

closed

HTTP/HTTP2 websites cannot be accessed; however HTTP3 can

Added by Samiux A 11 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Suricata 7.0.0
AF-Packet IPS mode

HTTP/1, HTTP/2 websites cannot be accessed. However, HTTP/3 can.

HTTP/3 sites, e.g. youtube.com, thehackernews.com.


Files

stats.log (195 KB) stats.log Samiux A, 07/21/2023 05:18 AM
eve.json (1.14 MB) eve.json Samiux A, 07/22/2023 01:01 AM
Actions #1

Updated by Victor Julien 11 months ago

Can you share your stats.log from when this happens?

Actions #2

Updated by Samiux A 11 months ago

Sorry, I may be making a mistake yesterday. Today, all websites cannot be accessed. I can ping and SSH can be connected.

Actions #3

Updated by Victor Julien 11 months ago

flow.end.tcp_state.syn_sent                   | Total                     | 41

It seems that almost all tcp connections are timing out in the syn_sent state.

Can you inspect the flow logs for these sessions? See if anything interesting is logged?

Actions #4

Updated by Samiux A 11 months ago

How to do that?

Actions #5

Updated by Samiux A 11 months ago

Attached please find eve.json.

Actions #6

Updated by Victor Julien 11 months ago

cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
   1118 "flow drop" 
     14 "stream error" 
    131 "stream midstream" 

I don't know the reason of the "stream error"s. To get more insight enable the stream option in the anomaly log type, and/or enable stream-events in stats.

In 7 we now default to dropping on exceptions like this. To change this you can set a liberal exception policy --set exception-policy=ignore.

Actions #7

Updated by Samiux A 11 months ago

The problem solved after changing the "exception-policy: auto" to "exception-policy: ignore" in suricata.yaml. Thank you.

Actions #8

Updated by Samiux A 11 months ago

However, I find at least the following websites cannot be accessed. I do not know the reason. Any idea?

https://dotdotnews.com/
https://www.bochk.com/tc/home.html

Actions #9

Updated by Samiux A 11 months ago

The problem solved by setting "exception-policy: ignore" to "exception-policy: bypass". Thank you.

Actions #10

Updated by Juliana Fajardini Reichow about 2 months ago

  • Status changed from New to Closed

Closing, as the solution was with configuration.

Actions #11

Updated by Victor Julien about 2 months ago

  • Tracker changed from Bug to Support
  • Assignee deleted (OISF Dev)
  • Priority changed from Immediate to Normal
  • Target version deleted (TBD)
Actions

Also available in: Atom PDF