[Oisf-users] Inline IPS with NFQUEUE, mysql server FIN packet got dropped

zhao.li at verizon.com
Mon Feb 27 15:58:47 UTC 2017


We're using Suricata as an inline IPS in our environment, with an iptables NFQUEUE rule set up.
At this point we do not have any rule with a "drop" action; all of them are "alert" only.

But we have seen an issue where a packet didn't make it from the server to the remote client even without a "drop" action. To be specific:

  *   We have a mysql server, and we're using curl as the client from an external host to send a request to mysql.
  *   Without Suricata, traffic goes through just fine: the connection is established between client and server, and because the client is NOT sending an actual query, the server closes the connection by sending a FIN, and the client FINs back.
  *   With Suricata enabled and sitting in the middle, the connection is established fine (client SYN, server SYN-ACK, data packets exchanged, etc.), but when the server tries to close the connection by sending its FIN, this particular packet does not make its way to the client, causing the client-side connection to hang.
  *   Checked /proc/net/netfilter/nfnetlink_queue; both dropped counters show zero. However, as stated before, if we bypass NFQUEUE and Suricata, the FIN packet reaches the client without any issue.

Trying to figure out how this could possibly go wrong; any help is much appreciated.
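The post above checks only the two "dropped" columns of /proc/net/netfilter/nfnetlink_queue. A packet that Suricata has received but never issued a verdict for is not counted as dropped; it sits in the queue and shows up in the queue_total column instead, which is the other thing worth reading off that file. The script below is an added example, not code from the original post or from Suricata: it parses the file's column layout (queue number, peer netlink port id, packets currently queued awaiting a verdict, copy mode, copy range, kernel-side drops from a full queue, drops from failed delivery to userspace, id sequence) and flags queues with drops, a growing backlog, or a copy mode that does not hand the payload to userspace. The sample lines are constructed for the example, and the queue length limit (1024, the kernel default) is a parameter you should set to whatever your Suricata/iptables setup uses.

```python
"""Parse /proc/net/netfilter/nfnetlink_queue and flag queues that drop or
hold packets.

Column layout, as printed by the kernel (net/netfilter/nfnetlink_queue.c):
  queue_num peer_portid queue_total copy_mode copy_range
  queue_dropped queue_user_dropped id_sequence 1
"""
from dataclasses import dataclass
from typing import List

# copy_mode values: 0 = none, 1 = metadata only, 2 = full packet payload
COPY_MODES = {0: "none", 1: "meta", 2: "packet"}

# Kernel default queue length; assumed here, check your own nfq config.
DEFAULT_QUEUE_MAXLEN = 1024

# Constructed sample: queue 0 is healthy, queue 1 is nearly full and
# has dropped packets because the queue was full.
SAMPLE = (
    "    0  12345     3 2 65535     0     0      4831  1\n"
    "    1  12346  1020 2 65535   117     0     90021  1\n"
)


@dataclass
class NfQueueStats:
    queue_num: int
    peer_portid: int
    queue_total: int        # packets queued, awaiting a userspace verdict
    copy_mode: int
    copy_range: int
    queue_dropped: int      # dropped in kernel because the queue was full
    queue_user_dropped: int  # dropped because delivery to userspace failed
    id_sequence: int


def parse_nfnetlink_queue(text: str) -> List[NfQueueStats]:
    """Parse the text of /proc/net/netfilter/nfnetlink_queue."""
    stats = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue  # blank or truncated line
        stats.append(NfQueueStats(*(int(p) for p in parts[:8])))
    return stats


def diagnose(stats: List[NfQueueStats],
             queue_maxlen: int = DEFAULT_QUEUE_MAXLEN) -> List[str]:
    """Return one message per symptom found; an empty list means clean."""
    problems = []
    for q in stats:
        if q.queue_dropped:
            problems.append(
                f"queue {q.queue_num}: {q.queue_dropped} packets dropped "
                f"by the kernel (queue full, limit {queue_maxlen})")
        if q.queue_user_dropped:
            problems.append(
                f"queue {q.queue_num}: {q.queue_user_dropped} packets not "
                f"delivered to userspace")
        if q.queue_total >= 0.9 * queue_maxlen:
            problems.append(
                f"queue {q.queue_num}: {q.queue_total} packets waiting for "
                f"a verdict (backlog, not counted as dropped)")
        if q.copy_mode != 2:
            problems.append(
                f"queue {q.queue_num}: copy_mode is "
                f"{COPY_MODES.get(q.copy_mode, q.copy_mode)}, payload is "
                f"not handed to userspace")
    return problems


def check_file(path: str = "/proc/net/netfilter/nfnetlink_queue") -> List[str]:
    """Read the live file and diagnose it (needs a kernel with nfnetlink_queue)."""
    with open(path) as fh:
        return diagnose(parse_nfnetlink_queue(fh.read()))


if __name__ == "__main__":
    for msg in diagnose(parse_nfnetlink_queue(SAMPLE)) or ["no problems found"]:
        print(msg)
```

Zero in both dropped columns, as in the post, only rules out a full queue and a failed netlink send; a packet held without a verdict shows up as queue_total, and a packet given a DROP or missing verdict shows up in neither column, so the next step is to compare Suricata's own verdict counters and a capture on both sides of the box.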
