[Oisf-users] [E] Re: Inline IPS with NFQUEUE, mysql server FIN packet got dropped

zhao.li at verizon.com
Mon Mar 20 15:54:24 UTC 2017


Hi Andreas, 

Sorry for the late response, just got a chance to get back on this issue.
I did check stats.log, which shows exactly what has been mentioned in the
ticket: ips.blocked counter is increasing.

As mentioned in the ticket, this is caused by "a faulty configuration
(only one part of the connection was sent into the NFQUEUE)", I'd like to
understand further:
We have NFQUEUE rules in both INPUT chain and OUTPUT chain (on all
packets, for testing), how come "only one part of the connection was sent
to NFQ"?

Btw, Suricata version we're running is 3.2.

Thanks,
Zhao 

On 3/1/17, 4:25 PM, "Oisf-users on behalf of Andreas Herz"
<oisf-users-bounces at lists.openinfosecfoundation.org on behalf of
andi at geekosphere.org> wrote:

>On 27/02/17 at 15:58, zhao.li at verizon.com wrote:
>> We're using Suricata as inline IPS in our environment with an iptables
>>NFQUEUE rule setup.
>> At this point we do not have any rule with "drop" action, all of them
>>are "alert" only.
>> 
>> But we have seen an issue where a packet didn't make it from server to
>>remote client even without a "drop" action, to be specific:
>
>Since the connection itself works I guess you made sure that all the
>packets are going into the NFQUEUE?
>
>Can you look into the stats.log? We have some cases within the code that
>also drops packets. See
>https://redmine.openinfosecfoundation.org/issues/1749
>
>Also add some information like suricata version etc.
>
>-- 
>Andreas Herz
>_______________________________________________
>Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
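Two checks a practitioner would run before going further with the question above: does every NFQUEUE rule have a counterpart that queues the reply direction of the same flow, and is the ips.blocked counter in stats.log actually climbing between dumps? The script below is an added example, not code from the Suricata project or from either poster. It parses text in the formats of `iptables-save` and of Suricata 3.x stats.log ("Counter | TM Name | Value" rows); the rulesets and the stats.log excerpt are constructed for the example, and the reverse-coverage check is a heuristic that only reasons about -p/--sport/--dport, not addresses or interfaces. Note that locally terminated traffic (a MySQL server on the Suricata host) enters through INPUT and leaves through OUTPUT, while routed traffic only ever traverses FORWARD.

```python
"""Offline checks for an inline Suricata/NFQUEUE setup (added example)."""
import shlex

# Constructed iptables-save excerpt: the OUTPUT rule was copy-pasted with
# --dport instead of --sport, so the local MySQL server's own replies
# (source port 3306, including its FIN) never reach the queue.
ASYMMETRIC_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j NFQUEUE --queue-num 0
-A OUTPUT -p tcp -m tcp --dport 3306 -j NFQUEUE --queue-num 0
COMMIT
"""

# Constructed ruleset in the shape the poster describes: all packets queued.
ALL_PACKETS_RULESET = """\
*filter
-A INPUT -j NFQUEUE --queue-num 0
-A OUTPUT -j NFQUEUE --queue-num 0
COMMIT
"""

# Constructed stats.log excerpt, two dumps, ips.blocked rising from 2 to 7.
STATS_LOG = """\
Date: 3/20/2017 -- 15:50:00 (uptime: 0d, 00h 01m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
ips.accepted                               | Total                     | 998
ips.blocked                                | Total                     | 2
------------------------------------------------------------------------------------
Date: 3/20/2017 -- 15:51:00 (uptime: 0d, 00h 02m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
ips.accepted                               | Total                     | 2093
ips.blocked                                | Total                     | 7
"""

MATCH_KEYS = ("-p", "--dport", "--sport", "-s", "-d", "-i", "-o", "--queue-num")


def nfqueue_rules(iptables_save):
    """Return [(chain, {option: value})] for every '-j NFQUEUE' rule."""
    rules = []
    for line in iptables_save.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        if "-j" not in toks or toks[toks.index("-j") + 1] != "NFQUEUE":
            continue
        opts = {k: toks[toks.index(k) + 1] for k in MATCH_KEYS if k in toks}
        rules.append((toks[1], opts))
    return rules


def _queues(opts, proto, sport, dport):
    """Would a rule with these options queue a packet of proto/sport/dport?
    None means 'any value'; a rule restricting that field does not cover it."""
    if "-p" in opts and opts["-p"] != proto:
        return False
    for key, val in (("--sport", sport), ("--dport", dport)):
        if key in opts and (val is None or opts[key] != val):
            return False
    return True


def reverse_coverage_gaps(rules):
    """List NFQUEUE rules whose reply direction the peer chain does not queue.
    A port-restricted INPUT rule needs an OUTPUT rule queuing that port as
    *source*, and vice versa (heuristic: ports and protocol only)."""
    by_chain = {}
    for chain, opts in rules:
        by_chain.setdefault(chain, []).append(opts)
    gaps = []
    for fwd, rev in (("INPUT", "OUTPUT"), ("OUTPUT", "INPUT")):
        if by_chain.get(fwd) and not by_chain.get(rev):
            gaps.append(f"{fwd} has NFQUEUE rules but {rev} has none")
            continue
        for opts in by_chain.get(fwd, []):
            for key, rev_key in (("--dport", "--sport"), ("--sport", "--dport")):
                if key not in opts:
                    continue
                port = opts[key]
                reply = {rev_key: port}  # the reply carries this port reversed
                if not any(_queues(o, opts.get("-p"), reply.get("--sport"),
                                   reply.get("--dport")) for o in by_chain[rev]):
                    gaps.append(f"{fwd} queues {opts.get('-p', 'any')} {key} {port}, "
                                f"but no {rev} rule queues replies with {rev_key} {port}")
    return gaps


def ips_blocked_series(stats_log):
    """ips.blocked per dump, summed if the dump lists it once per thread."""
    series, current = [], None
    for line in stats_log.splitlines():
        if line.startswith("Date:"):
            if current is not None:
                series.append(current)
            current = 0
        elif line.startswith("ips.blocked") and current is not None:
            current += int(line.split("|")[2])
    if current is not None:
        series.append(current)
    return series


def blocked_is_increasing(stats_log):
    """True when Suricata itself dropped packets between first and last dump."""
    series = ips_blocked_series(stats_log)
    return len(series) >= 2 and series[-1] > series[0]


if __name__ == "__main__":
    for name, rs in (("asymmetric", ASYMMETRIC_RULESET), ("all", ALL_PACKETS_RULESET)):
        print(name, reverse_coverage_gaps(nfqueue_rules(rs)) or "no gaps")
    print("ips.blocked", ips_blocked_series(STATS_LOG), blocked_is_increasing(STATS_LOG))
```

On a live host, feed it `iptables-save` output and the real stats.log. A ruleset like the poster's (unrestricted INPUT and OUTPUT rules, same queue number) passes the first check, which narrows the question to the second: if ips.blocked still climbs, the drop is happening inside Suricata rather than because of a missing direction in the rules.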