Support #6223
closed
HTTP/HTTP2 websites cannot be accessed; however HTTP3 can
Added by Samiux A over 1 year ago.
Updated 9 months ago.
Description
Suricata 7.0.0
AF-Packet IPS mode
HTTP/1, HTTP/2 websites cannot be accessed. However, HTTP/3 can.
HTTP/3 sites, e.g. youtube.com, thehackernews.com.
Files
Can you share your stats.log from when this happens?
Sorry, I may have made a mistake yesterday. Today, all websites cannot be accessed. I can ping and SSH can be connected.
flow.end.tcp_state.syn_sent | Total | 41
It seems that almost all tcp connections are timing out in the syn_sent state.
Can you inspect the flow logs for these sessions? See if anything interesting is logged?
Attached please find eve.json.
cat eve.json | jq -c 'select(.drop)|.drop.reason'|sort|uniq -c
1118 "flow drop"
14 "stream error"
131 "stream midstream"
I don't know the reason of the "stream error"s. To get more insight enable the stream option in the anomaly log type, and/or enable stream-events in stats.
In 7 we now default to dropping on exceptions like this. To change this you can set a liberal exception policy: --set exception-policy=ignore
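An added example, not part of the original thread or of Suricata itself: the jq tally above counts every dropped packet, so it can help to also count flows by the first drop reason logged for each one. The function name `triage_drops` and the sample records are constructed for illustration. It assumes that records appear in eve.json in roughly chronological order and that "flow drop" is logged for later packets of a flow that an earlier event already marked for drop.

```python
import json
from collections import Counter

# Constructed sample EVE records (not taken from the attached eve.json).
SAMPLE_EVE = """\
{"flow_id": 101, "event_type": "drop", "drop": {"reason": "stream midstream"}}
{"flow_id": 101, "event_type": "drop", "drop": {"reason": "flow drop"}}
{"flow_id": 101, "event_type": "drop", "drop": {"reason": "flow drop"}}
{"flow_id": 102, "event_type": "drop", "drop": {"reason": "stream error"}}
{"flow_id": 102, "event_type": "drop", "drop": {"reason": "flow drop"}}
{"flow_id": 103, "event_type": "drop", "drop": {"reason": "stream midstream"}}
{"event_type": "stats", "stats": {"uptime": 60}}
{"flow_id": 105, "event_type": "drop", "drop": {"rea
"""


def triage_drops(lines):
    """Return (drop events per reason, flows per first-seen drop reason)."""
    per_event = Counter()
    first_reason = {}  # flow_id -> reason of the first drop logged for that flow
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line or a record still being written
        drop = event.get("drop") if isinstance(event, dict) else None
        if not isinstance(drop, dict):
            continue  # same filter as jq 'select(.drop)'
        reason = drop.get("reason", "unknown")
        per_event[reason] += 1
        if "flow_id" in event:
            # Assumption: file order is chronological, so the first hit is the trigger.
            first_reason.setdefault(event["flow_id"], reason)
    return per_event, Counter(first_reason.values())


if __name__ == "__main__":
    per_event, per_flow = triage_drops(SAMPLE_EVE.splitlines())
    print("drop events by reason:")
    for reason, count in per_event.most_common():
        print(f"{count:7d} {reason}")
    print("flows by first drop reason:")
    for reason, count in per_flow.most_common():
        print(f"{count:7d} {reason}")
```

To run it on a real log, pass an open file handle for eve.json to `triage_drops` instead of the sample lines.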
The problem was solved after changing the "exception-policy: auto" to "exception-policy: ignore" in suricata.yaml. Thank you.
The problem was solved by setting "exception-policy: ignore" to "exception-policy: bypass". Thank you.
- Status changed from New to Closed
Closing, as the solution was with configuration.
- Tracker changed from Bug to Support
- Assignee deleted (OISF Dev)
- Priority changed from Immediate to Normal
- Target version deleted (TBD)