Project

General

Profile

Actions
Copy link

Bug #6726

closed
VJ VJ

stream: stream.drop-invalid drops valid traffic

Bug #6726: stream: stream.drop-invalid drops valid traffic

Added by Victor Julien about 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Affected Versions:
7.0.0, 7.0.1, 7.0.2, git main
Effort:
Difficulty:
Label:

Description

In AF_PACKET IPS mode, so in bridge mode, traffic for a simple ab test against a simple webserver fails with a timeout.

6.0.x is not affected.

Subtasks 1 (0 open1 closed)

Bug #6727: stream: stream.drop-invalid drops valid traffic (7.0.x backport)ClosedVictor JulienActions

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #6794: Tie signature to live device in IPS modeIn ReviewScott JordanActions

OT Updated by OISF Ticketbot about 2 years ago Actions
Copy link
 #1

  • Subtask #6727 added

OT Updated by OISF Ticketbot about 2 years ago Actions
Copy link
 #2

  • Label deleted (Needs backport to 7.0)

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #3

Bisected it to:

7e725c650d7d73814c1572ac8db48814b1c89333 is the first bad commit
commit 7e725c650d7d73814c1572ac8db48814b1c89333
Author: Philippe Antoine <contact@catenacyber.fr>
Date:   Thu Apr 28 09:49:38 2022 +0200

    flow: optionally use livedev for hash

    So that in a setup with different interfaces capturing different
    networks, flows do not get mixed up

    Ticket: #5270

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #4

Confirmed that setting livedev.use-for-tracking to false makes it work again.

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #5

  • Description updated (diff)

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #6

  • Assignee changed from Victor Julien to OISF Dev

The work to do here is to add support for livedev tracking in IPS mode, where there will generally be 2 livedevs. One per direction.

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #7

  • Related to Feature #6794: Tie signature to live device in IPS mode added

BM Updated by Bill Meeks about 2 years ago Actions
Copy link
 #8

Victor Julien wrote in #note-6:

The work to do here is to add support for livedev tracking in IPS mode, where there will generally be 2 livedevs. One per direction.

I don't know exactly how the livedev is obtained in the Suricata code, but when using the host stack interface in netmap mode the connection can "appear" to be using the same physical device for both endpoints. For example, the two netmap interface specs when using a host stack endpoint in FreeBSD are em0 and em0^ . Netmap's code handles interpreting and mapping those endpoints, but those values are not how some direct OS calls will return the endpoints. Those calls may return only the physical layer em0 and omit the "^" suffix that denotes a netmap host stack endpoint.

This may be something to be aware of and take into consideration in netmap mode when using livedev as part of tracking in IPS mode.

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #9

  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #10

  • Status changed from In Progress to In Review

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #12

  • Status changed from In Review to Resolved

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #13

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: PDF Atom