[Oisf-users] suricata drop action fails when eve-log output filetype is unix_stream
Vieri
rentorbuy at yahoo.com
Wed Jan 18 09:24:59 UTC 2017
Hi,
I think I might have spotted a bug, but before reporting it I'd like to post some information to this list.
I noticed that if I change ONLY the "filetype" for eve-log from default "regular" to "unix_stream", my rules' "drop" actions are not honored, even though a "drop" log message IS generated (because I have -drop:\n alerts;yes\n flows: start).
JFYI the "unix_stream" server end is a custom perl script which looks something like this:
[...]
my $socket_path = '/var/log/suricata/q0/eve.json';
[...]
my $listener = IO::Socket::UNIX->new(
Type => SOCK_STREAM,
Local => $socket_path,
Listen => SOMAXCONN,
)
or die("Can't create server socket: $!\n");
[...]
my $socket = $listener->accept()
or die("Can't accept connection: $!\n");
[...]
while ( my $line = <$socket> ) {
[...]
}
I can confirm that $line in the Perl while loop gets the expected event values.
In fact, I can see the "drop" action when making a test with, say, "asafaweb" user agent web client.
However, the packet IS NOT dropped (I'm running in inline IPS mode with NFQUEUE).
As I said before, if I revert to using "filetype: regular" (and ONLY that option is changed) then the test connection is successfully dropped as expected.
Any ideas before I report a bug?
Vieri
More information about the Oisf-users
mailing list