Bug #6976
openflow/action: not always updated?
Description
Not sure if a bug or if expected, but as seen in SV test ips-state-1
(updated here: https://github.com/OISF/suricata-verify/pull/1781),
when we have a TLS
flow with a drop rule, Suricata will drop all packets as expected but doesn't set flow.action
to drop.
Looking at the stats, I notice that Suricata sees 2 HTTP
transactions, but no TLS
one. Could somehow be that the flow.action
is only set when there is an
associated transaction?
----------------
Current test: https://github.com/OISF/suricata-verify/tree/master/tests/ips-state-1
----------------
Test scenario:
rules:
pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
drop ip any any -> any any (msg:"DROP ALL"; flow:stateless; sid:2;)
traffic:
pcap contains 3 flows, 2 HTTP, and one TLS.
Flows are passed and dropped as expected, but the TLS one that is dropped doesn't show flow.action: drop
in the EVE log.
The passed HTTP flows do show flow.action: pass
.
No data to display