[Oisf-users] suricata drop action fails when eve-log output filetype is unix_stream

Vieri rentorbuy at yahoo.com
Wed Jan 18 09:24:59 UTC 2017


Hi,

I think I might have spotted a bug, but before reporting it I'd like to post some information to this list.

I noticed that if I change ONLY the "filetype" for eve-log from the default "regular" to "unix_stream", my rules' "drop" actions are not honored, even though a "drop" log message IS generated (because I have the following in my eve-log types):

- drop:
    alerts: yes
    flows: start

JFYI the "unix_stream" server end is a custom perl script which looks something like this:

[...]
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM SOMAXCONN);
[...]
# Suricata connects to this path when eve-log filetype is unix_stream
my $socket_path = '/var/log/suricata/q0/eve.json';
[...]
# Listening (server) side of the stream socket
my $listener = IO::Socket::UNIX->new(
    Type   => SOCK_STREAM,
    Local  => $socket_path,
    Listen => SOMAXCONN,
) or die("Can't create server socket: $!\n");
[...]
# Block until Suricata connects
my $socket = $listener->accept()
    or die("Can't accept connection: $!\n");
[...]
# Each EVE record arrives as one newline-terminated JSON line
while ( my $line = <$socket> ) {
    [...]
}

I can confirm that $line in the Perl while loop gets the expected event values.
In fact, I can see the "drop" action when making a test with, say, "asafaweb" user agent web client.
However, the packet IS NOT dropped (I'm running in inline IPS mode with NFQUEUE).

As I said before, if I revert to using "filetype: regular" (and ONLY that option is changed) then the test connection is successfully dropped as expected.

Any ideas before I report a bug?

Vieri
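As an added example, not the poster's Perl script and not Suricata project code: the same unix_stream listener written in Python, with the per-line JSON handling the Perl loop elides. Suricata connects as the client when the eve-log filetype is unix_stream, so the consumer is the side that binds and accepts, exactly as in the script above. The socket path, the `handle_line` callback and the sample EVE records are constructed for this example (the records are not captured from the poster's sensor); a malformed line is included on purpose so the reader loop is seen to survive it instead of dying.

```python
import json
import os
import socket
import tempfile
import threading

# Constructed sample EVE records (not captured from any real sensor): a "drop"
# event with its alert sub-object, a plain alert, and one deliberately broken
# line to exercise the error path.
SAMPLE_LINES = [
    '{"timestamp":"2017-01-18T09:00:00.000000+0000","event_type":"drop",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":1000001,"signature":"CONSTRUCTED sig 1"}}',
    '{"timestamp":"2017-01-18T09:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.11","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000002,"signature":"CONSTRUCTED sig 2"}}',
    'not a json record',
]


def parse_eve_line(line):
    """Parse one newline-delimited EVE record.

    Returns the fields a consumer usually keys on, or None for a blank or
    malformed line so that one bad record never stops the reader loop.
    """
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or "event_type" not in rec:
        return None
    alert = rec.get("alert") or {}
    return {
        "event_type": rec["event_type"],
        "action": alert.get("action"),      # "blocked" on a drop event
        "sid": alert.get("signature_id"),
        "src_ip": rec.get("src_ip"),
        "dest_ip": rec.get("dest_ip"),
    }


def summarize(lines):
    """Count records by event_type; unparseable lines land under 'malformed'."""
    counts = {}
    for line in lines:
        ev = parse_eve_line(line)
        key = ev["event_type"] if ev else "malformed"
        counts[key] = counts.get(key, 0) + 1
    return counts


def serve_unix_stream(socket_path, handle_line, ready=None):
    """Bind a Unix stream socket, accept one client (Suricata), and pass every
    line it sends to handle_line. Returns when the client closes the stream."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)              # stale socket file from a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(socket_path)
        os.chmod(socket_path, 0o600)        # widen only for the user Suricata runs as
        srv.listen(1)
        if ready is not None:
            ready.set()                     # safe to connect from here on
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8") as fh:
            for line in fh:
                handle_line(line)
    finally:
        srv.close()
        if os.path.exists(socket_path):
            os.unlink(socket_path)


def run_demo(lines=SAMPLE_LINES):
    """Run the listener in a thread, play the sample records into it over a
    real Unix socket the way Suricata would, and return the per-type counts."""
    received = []
    ready = threading.Event()
    sock_dir = tempfile.mkdtemp()
    sock_path = os.path.join(sock_dir, "eve.sock")   # hypothetical path
    t = threading.Thread(target=serve_unix_stream,
                         args=(sock_path, received.append, ready))
    t.start()
    ready.wait(5)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(sock_path)
    client.sendall("".join(l + "\n" for l in lines).encode("utf-8"))
    client.close()
    t.join()
    os.rmdir(sock_dir)
    return summarize(received)


if __name__ == "__main__":
    print(run_demo())
```

Point `filename:` under the unix_stream eve-log output at the socket path this script binds, and start the script before Suricata so the connect succeeds. Note that this consumer only observes the records Suricata emits; it neither confirms nor influences whether the packet was actually dropped in the NFQUEUE path, which is the behaviour the post is asking about.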

