Project

General

Profile

Task #4773

Updated by Victor Julien about 3 years ago

When Suricata hits internal resource limits, for example the @stream.reassembly.memcap@, ACL type rules (@drop@, @reject@) will be bypassed as we "fail open" in this case. 

 As an example, due to the memcap we may fail to add miss the TLS client hello packet to the stream and not have the SNI available. A drop rule based on the @tls.sni@ would then not get evaluated and the flow will default to being passed along. 

 Need to investigate in which cases this happens and how it can be addressed.

Back