Task #4773

Updated by Victor Julien over 2 years ago

When Suricata hits internal resource limits, for example the @stream.reassembly.memcap@, ACL type rules (@drop@, @reject@) will be bypassed as we "fail open" in this case. 

As an example, due to the memcap we may miss adding the TLS client hello packet to the stream and so not have the SNI available. A drop rule based on the @tls.sni@ would then not get evaluated and the flow will default to being passed along.

Need to investigate in which cases this happens and how it can be addressed.
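To make the failure mode concrete, here is a small Python model of the situation described above. It is an added illustration written for this page, not Suricata code: a reassembler with a byte budget standing in for @stream.reassembly.memcap@, a flow whose ClientHello carries the SNI, and a drop rule keyed on that SNI. The @memcap_policy@ parameter, the @SNI=<host>@ payload format and the sample flows are all constructed for the example; they show the "fail open" default (the rule never sees the SNI, so the flow passes) next to a hypothetical fail-closed alternative that drops the flow when the budget is exceeded.

```python
"""Toy model of the memcap "fail open" behaviour described in this task.

Constructed illustration only, not Suricata code. The ``memcap_policy``
knob is hypothetical and exists here just to contrast fail-open with a
fail-closed alternative.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    sni: Optional[str] = None   # SNI taken from the ClientHello, if it was reassembled
    verdict: str = "pass"       # verdict applied to the flow


@dataclass
class Reassembler:
    memcap: int                 # byte budget for reassembly buffers (stand-in for the memcap)
    used: int = 0               # bytes currently held

    def add_segment(self, flow: Flow, payload: bytes) -> bool:
        """Buffer one segment; return False if doing so would exceed the memcap."""
        if self.used + len(payload) > self.memcap:
            return False        # segment is not added, so whatever it carried is lost
        self.used += len(payload)
        # Constructed parser stand-in: a ClientHello is modelled as "SNI=<host>".
        if payload.startswith(b"SNI="):
            flow.sni = payload[4:].decode()
        return True


def evaluate(flow: Flow, reassembled: bool, blocked_sni: str,
             memcap_policy: str = "ignore") -> str:
    """Apply the drop rule on tls.sni and return the flow verdict.

    memcap_policy="ignore"    -> fail open: the rule is evaluated on whatever
                                 data survived, which may be nothing.
    memcap_policy="drop-flow" -> fail closed (hypothetical): a flow hit by the
                                 memcap is dropped before any rule runs.
    """
    if not reassembled and memcap_policy == "drop-flow":
        flow.verdict = "drop"
        return flow.verdict
    # The ACL rule: drop if the SNI matches. With the ClientHello missing,
    # flow.sni is None and the rule simply cannot match.
    if flow.sni is not None and flow.sni == blocked_sni:
        flow.verdict = "drop"
    return flow.verdict


def run(memcap: int, memcap_policy: str = "ignore",
        blocked_sni: str = "blocked.example") -> str:
    """Push a constructed ClientHello naming the blocked SNI through one flow."""
    flow = Flow()
    reassembler = Reassembler(memcap=memcap)
    client_hello = b"SNI=" + blocked_sni.encode()   # constructed sample segment
    reassembled = reassembler.add_segment(flow, client_hello)
    return evaluate(flow, reassembled, blocked_sni, memcap_policy)


if __name__ == "__main__":
    # Budget large enough: the rule sees the SNI and drops the flow.
    print("memcap ok, ignore    :", run(memcap=1024))
    # Budget exhausted, fail open: the SNI is never seen, the flow passes.
    print("memcap hit, ignore   :", run(memcap=8))
    # Budget exhausted, hypothetical fail-closed policy: the flow is dropped.
    print("memcap hit, drop-flow:", run(memcap=8, memcap_policy="drop-flow"))
```

The interesting line is the middle case: nothing in the rule itself is wrong, the ClientHello simply never reached it, so a defender auditing rule hits would see no match and no drop. Monitoring memcap counters alongside drop statistics is the practical way to notice that the ACL is being silently bypassed.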
