Bug #819
af-packet ips mode rule processing bug
Status: Closed
Description
Hi,
I'm using Suricata in IPS mode between eth1 and eth2. I wrote a test rule to drop all UDP, TCP and ICMP traffic, but some TCP traffic (HTTP requests, fragmented TCP packets, second fragments) gets through. I have MTU size 1514 on both interfaces, but the captured packets have size 1518!
Example:
eth1 capture:
1.116317 216.137.61.113 -> 192.168.27.5 TCP 66 http > 46366 [ACK] Seq=1 Ack=337 Win=6912 Len=0 TSval=2843579621 TSecr=516163152
1.116325 216.137.61.113 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
1.140508 216.137.61.113 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
1.159567 216.137.61.113 -> 192.168.27.5 TCP 2962 [TCP segment of a reassembled PDU]
1.171307 216.137.61.113 -> 192.168.27.5 HTTP 1353 HTTP/1.0 200 OK (application/javascript)
1.500951 195.56.65.78 -> 192.168.27.5 TCP 74 http > 43649 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=856202389 TSecr=516179290 WS=512
1.500958 195.56.65.77 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
eth2 capture:
0.000000 216.137.61.113 -> 192.168.27.5 HTTP 1518 Continuation or non-HTTP traffic
0.623416 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.694906 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.924848 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.963212 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
Suricata config:
%YAML 1.1
---
outputs:
af-packet:
  - interface: eth1
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    checksum-checks: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth2
  - interface: eth2
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    checksum-checks: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth1
default-rule-path: /etc/suricata/rules
rule-files:
  - mini.rule
action-order:
  - pass
  - drop
  - reject
  - alert
mini.rule file:
drop tcp any any -> any any (msg:"drop tcp";sid:1;)
drop udp any any -> any any (msg:"drop udp";sid:2;)
drop icmp any any -> any any (msg:"drop icmp";sid:3;)
Suricata version: 1.4.1 (debian sid version)
kernel: 3.8
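The quickest way to confirm what the report describes is to compare the pre-IPS capture (eth1) with the post-IPS capture (eth2): with mini.rule loaded, every TCP, UDP or ICMP frame that appears on the copy-iface has bypassed the drop rule, and the report suggests those frames are the ones larger than the link allows. The script below is an added example, not code from the bug report or from the Suricata project. It parses the tshark one-line summaries posted above (copied here as constructed sample input) and flags the forwarded frames that mini.rule should have dropped, noting which of them exceed the on-wire maximum. Two assumptions of mine: the reporter's "MTU size 1514" is read as the maximum Ethernet frame length on the link (1500-byte MTU plus a 14-byte header, no FCS in the capture), and frames tshark labels "HTTP" are counted as TCP for the purpose of the drop rule.

```python
"""Added example: compare tshark summaries from both sides of an af-packet IPS
and list the frames that were forwarded despite a drop-everything rule set.

Assumptions (not stated in the bug report):
  * MAX_FRAME = 1514 is the largest frame expected on a 1500-byte-MTU link.
  * tshark's "HTTP" label marks a TCP segment, so it falls under "drop tcp".
The capture text below is constructed from the lines posted in the report.
"""
import re
from dataclasses import dataclass

MAX_FRAME = 1514  # assumed on-wire maximum (1500 MTU + 14-byte Ethernet header)

# Protocol labels that the reporter's mini.rule (drop tcp/udp/icmp) covers.
DROPPED_PROTOS = {"TCP", "UDP", "ICMP", "HTTP"}

# tshark default summary: <time> <src> -> <dst> <proto> <length> <info>
LINE_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


@dataclass
class Frame:
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_capture(text: str) -> list[Frame]:
    """Parse tshark summary lines; lines that do not match are ignored."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(Frame(float(m["time"]), m["src"], m["dst"],
                                m["proto"], int(m["length"]), m["info"]))
    return frames


def oversized(frames: list[Frame], max_frame: int = MAX_FRAME) -> list[Frame]:
    """Frames longer than what the link MTU allows on the wire."""
    return [f for f in frames if f.length > max_frame]


def leaked(post_ips_frames: list[Frame]) -> list[Frame]:
    """Frames on the copy-iface that the drop rules should have stopped."""
    return [f for f in post_ips_frames if f.proto in DROPPED_PROTOS]


def report(pre_text: str, post_text: str) -> dict:
    pre, post = parse_capture(pre_text), parse_capture(post_text)
    lk = leaked(post)
    big = oversized(lk)
    return {
        "pre_frames": len(pre),
        "pre_oversized": len(oversized(pre)),
        "leaked": len(lk),
        "leaked_oversized": len(big),
        "all_leaked_oversized": bool(lk) and len(big) == len(lk),
    }


# Constructed sample input: the tshark lines from the bug report.
ETH1 = """\
1.116317 216.137.61.113 -> 192.168.27.5 TCP 66 http > 46366 [ACK] Seq=1 Ack=337 Win=6912 Len=0 TSval=2843579621 TSecr=516163152
1.116325 216.137.61.113 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
1.140508 216.137.61.113 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
1.159567 216.137.61.113 -> 192.168.27.5 TCP 2962 [TCP segment of a reassembled PDU]
1.171307 216.137.61.113 -> 192.168.27.5 HTTP 1353 HTTP/1.0 200 OK (application/javascript)
1.500951 195.56.65.78 -> 192.168.27.5 TCP 74 http > 43649 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=856202389 TSecr=516179290 WS=512
1.500958 195.56.65.77 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
"""

ETH2 = """\
0.000000 216.137.61.113 -> 192.168.27.5 HTTP 1518 Continuation or non-HTTP traffic
0.623416 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.694906 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.924848 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.963212 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
"""

if __name__ == "__main__":
    for key, value in report(ETH1, ETH2).items():
        print(f"{key}: {value}")
    for f in leaked(parse_capture(ETH2)):
        print(f"leaked {f.proto} frame of {f.length} bytes at {f.time}")
```

Run against the posted captures, every frame that reached eth2 is a TCP frame of 1518 bytes, above the 1514-byte maximum, while the eth1 side also shows a 2962-byte frame; that is the pattern to look for when reproducing this bug, and the same check works on `tshark -i eth2` output after the fix is applied (the leaked list should then be empty).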
Updated by Victor Julien over 11 years ago
I don't understand the issue you're reporting. What is not working as you expect?
Updated by Laszlo Madarassy over 11 years ago
I wrote a simple rule to drop TCP, UDP and ICMP traffic, but some HTTP traffic goes through.
The traffic comes in on eth1 and Suricata forwards it to eth2.
If everything were fine, no TCP, UDP or ICMP traffic would be forwarded to eth2, but it is.
Any ideas to investigate it?
Updated by Victor Julien over 11 years ago
Can you capture some of the traffic going through? Is there anything special about it?
Updated by Laszlo Madarassy over 11 years ago
I have started tshark on eth1 and eth2 too; here are the tshark outputs. I can give you detailed captures if you need them.
Updated by Eric Leblond over 11 years ago
- Assignee set to Eric Leblond
- Priority changed from Normal to High
- Target version set to 2.0beta1
Updated by Eric Leblond over 11 years ago
- Priority changed from High to Urgent
Fix proposal here: https://github.com/inliniac/suricata/pull/385
Updated by Eric Leblond over 11 years ago
- % Done changed from 0 to 90
Fix for master-1.4: https://github.com/inliniac/suricata/pull/386
Updated by Laszlo Madarassy over 11 years ago
Thanks! Testing it now.
Eric Leblond wrote:
Fix for master-1.4: https://github.com/inliniac/suricata/pull/386
Updated by Victor Julien over 11 years ago
- Status changed from New to Closed
Merged https://github.com/inliniac/suricata/pull/385, thanks.