Support #8285
openfw: support iprep in firewall mode
Description
In Suricata 8.0.3, the firewall mode's rule engine is able to parse and accept iprep rules that are configured correctly; however, it does not seem to functionally match on them correctly. I have attached the artifacts for a suricata-verify test I would expect to pass. Input.pcap is just a simple 10-packet HTTP GET request to 82.165.177.154.
The following rules -
# Packet rules
accept:hook tcp:all any any -> any any (sid:100;)
# default drop
drop:flow http1:request_line any any -> any any (sid:999; alert; iprep:dst,test,>,0;)
I would expect to drop the flow at packet 4. This would mean 1 drop event, and then the stats log showing that there were 3 packets accepted (handshake packets allowed by accept:hook on tcp:all) and then 7 dropped by the drop:flow rule utilizing iprep.
To be extra sure about this behavior, I set up the same test manually by starting up suricata in af-packet mode and replaying the pcap on a TX interface into suricata. I could see that all the packets were allowed through even though the rule, per my understanding, should match and drop.
This ticket is to request support for iprep in firewall mode rules.
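The decision sequence the description expects, modelled as an added Python example (not Suricata code and not the reporter's test artifacts): it parses iprep category and reputation files in Suricata's own file formats, evaluates `iprep:dst,test,>,0` against a constructed 10-packet flow to 82.165.177.154, and tallies the 3 accepted / 7 dropped / 1 alert the report calls for. The client address, reputation score and per-packet stages are constructed assumptions.

```python
import operator

# Constructed iprep files in Suricata's formats: categories "<id>,<name>,<desc>",
# reputation "<ip>,<category id>,<score>".
CATEGORIES = "1,test,Constructed test category\n"
REPUTATION = "82.165.177.154,1,50\n"

# Constructed 10-packet HTTP GET flow as (src, dst, stage); "request_line" is the
# 4th packet, where the http1 request line becomes available to the engine.
CLIENT, SERVER = "10.0.0.1", "82.165.177.154"
FLOW = ([(CLIENT, SERVER, "syn"), (SERVER, CLIENT, "syn-ack"), (CLIENT, SERVER, "ack"),
         (CLIENT, SERVER, "request_line")]
        + [(SERVER, CLIENT, "response")] * 3 + [(CLIENT, SERVER, "ack")] * 3)

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, ">=": operator.ge, "<=": operator.le}

def load_iprep(categories, reputation):
    """Return {ip: {category name: score}} from the two iprep files."""
    names = {}
    for line in categories.splitlines():
        if line.strip() and not line.startswith("#"):
            cat_id, name, _desc = (f.strip() for f in line.split(",", 2))
            names[cat_id] = name
    table = {}
    for line in reputation.splitlines():
        if line.strip() and not line.startswith("#"):
            ip, cat_id, score = (f.strip() for f in line.split(","))
            table.setdefault(ip, {})[names[cat_id]] = int(score)
    return table

def iprep_match(table, ip, category, op, threshold):
    """iprep:<side>,<category>,<op>,<score>; an IP with no score in the category never matches."""
    score = table.get(ip, {}).get(category)
    return score is not None and OPS[op](score, threshold)

def run_flow(table, flow):
    """Apply the two reported rules and tally what stats/eve should show."""
    accepted = dropped = alerts = 0
    flow_dropped = False
    for _src, dst, stage in flow:
        # sid:100 accept:hook only passes the packet hook; sid:999 decides the verdict
        if flow_dropped:
            dropped += 1  # drop:flow covers every later packet of the flow
        elif stage == "request_line" and iprep_match(table, dst, "test", ">", 0):
            flow_dropped = True  # sid:999 fires once, emitting one alert event
            alerts += 1
            dropped += 1
        else:
            accepted += 1
    return {"accepted": accepted, "dropped": dropped, "alerts": alerts}
```

With the destination scored 0 or absent from the "test" category the rule never fires and all 10 packets are accepted, which is the behaviour the reporter observed despite the configured score.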