Bug #8333

open

Pass rule with SSH protocol and geoip keyword generates false drop alerts

Added by Tarun Yadav about 7 hours ago.

Status: New
Priority: Normal
Assignee: -
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When a pass rule specifies the SSH app-layer protocol and includes the geoip keyword, it generates false "blocked" alerts for certain packets in the SSH flow, even though the packets are correctly passed. This issue may also affect other app-layer protocols but I only tested and confirmed with SSH.

Environment:
  • Suricata version: 8.0.3 (same behavior in 7.0.8)
  • Mode: IPS (--simulate-ips)
  • GeoIP: Enabled
  • Protocol tested: SSH

Steps to Reproduce:

  1. Create rules file with:
     pass ssh any any -> any 22 (msg:"pass SSH Trafficnew"; geoip:any,US,IN; sid: 200;)
     drop ip any any -> any any (msg: "Drop established catch all"; flow:established, to_server; sid:999;)

  2. Run Suricata in IPS mode with SSH traffic:
     sudo suricata --simulate-ips -c suricata.yaml -S suricata.rules -r ssh_capture.pcapng -k none

  3. Examine fast.log and eve.json output

Expected Behavior:
  • SSH packets should be passed (no alerts)
  • Rule 200 should match all SSH packets in the flow
  • Rule 999 should not generate alerts for passed SSH traffic

Actual Behavior:
  • SSH packets are correctly passed (stats show "accepted":80, "blocked":0). Verified using pcap capture that it is passed correctly.
  • Alert is logged despite packet being passed:
    02/25/2026-18:24:39.707277  [Drop] [**] [1:999:0] Drop established catch all [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.62:52296 -> 13.233.200.203:22
  • eve.json false alert with "action":"blocked" for packet 16 (during SSH key exchange - "Client: New Keys")
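A quick way to spot this symptom in a run's own output is to compare the number of alert events that claim "action":"blocked" with the IPS "blocked" counter in the stats event, which the report shows as 0. The script below is an added example, not the reporter's or the project's code; the sample eve.json events are constructed from the values quoted above (sid 999, port 22, accepted 80 / blocked 0) and the exact event layout is assumed.

```python
"""Cross-check Suricata alert 'action' values against the IPS stats counters."""
import json

# Constructed sample (not the reporter's actual file): one alert claiming the
# packet was blocked, plus the stats record for the same run reporting that
# nothing was blocked.
SAMPLE_EVE = """\
{"timestamp":"2026-02-25T18:24:39.707277+0000","event_type":"alert","src_ip":"192.168.1.62","src_port":52296,"dest_ip":"13.233.200.203","dest_port":22,"proto":"TCP","app_proto":"ssh","alert":{"action":"blocked","gid":1,"signature_id":999,"rev":0,"signature":"Drop established catch all","severity":3}}
{"timestamp":"2026-02-25T18:24:45.000000+0000","event_type":"stats","stats":{"ips":{"accepted":80,"blocked":0,"rejected":0,"replaced":0}}}
"""


def parse_eve(text):
    """Split an eve.json stream into alert events and the most recent stats event."""
    alerts, stats = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            alerts.append(ev)
        elif ev.get("event_type") == "stats":
            stats = ev  # later stats events carry the cumulative counters
    return alerts, stats


def check_drop_alerts(text):
    """Return alerts whose 'blocked' action is not backed by the IPS counters.

    If more alerts say 'blocked' than stats.ips.blocked admits, at least some
    of them describe packets that were in fact passed, which is the symptom
    this report describes.
    """
    alerts, stats = parse_eve(text)
    blocked_alerts = [a for a in alerts if a["alert"].get("action") == "blocked"]
    counted = stats["stats"]["ips"]["blocked"] if stats else None
    suspect = [] if counted is None or counted >= len(blocked_alerts) else blocked_alerts
    return {
        "blocked_alerts": len(blocked_alerts),
        "ips_blocked_counter": counted,
        "suspect": [(a["alert"]["signature_id"], a["dest_ip"], a["dest_port"],
                     a.get("app_proto")) for a in suspect],
    }


if __name__ == "__main__":
    print(check_drop_alerts(SAMPLE_EVE))
```

Several alerts on one packet are counted once by the IPS counter, so treat a mismatch as a prompt to confirm against the pcap, as the report did, rather than as proof on its own.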

Files

ssh_capture.pcapng (14.8 KB), Tarun Yadav, 02/26/2026 04:58 PM
