[Oisf-users] [E] Re: Inline IPS with NFQUEUE, mysql server FIN packet got dropped

Andreas Herz andi at geekosphere.org
Fri Mar 24 23:46:33 UTC 2017

On 20/03/17 at 15:54, zhao.li at verizon.com wrote:
> Sorry for the late response, just got a chance to get back on this issue.
> I did check stats.log, which shows exactly what has been mentioned in the
> ticket: ips.blocked counter is increasing.

This can happen with other invalid traffic as well, so it might be
another issue with the traffic.

> As mentioned in the ticket, this is caused by "a faulty configuration
> (only one part of the connection was sent into the NFQUEUE)", I'd like to
> understand further:
> We have NFQUEUE rules in both INPUT chain and OUTPUT chain (on all
> packets, for testing), how come "only one part of the connection was sent
> to NFQ"?

Depending on your setup it might also be important to do that within the
FORWARD chain. But you might use the TRACE target or logging prior to the
NFQUEUE target to see whether all the relevant packets really enter Suricata.

Andreas Herz
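The two checks Andreas suggests (is every chain a packet of the connection can traverse handing it to NFQUEUE, and is there a LOG rule in front of the NFQUEUE rule so you can confirm packets reach Suricata) can be scripted against an `iptables-save` dump. The script below is an added example, not code from the thread or from the Suricata project. The ruleset it audits is a constructed sample that mirrors the poster's description (NFQUEUE on INPUT and OUTPUT only) and the queue number 0 is an assumption.

```shell
#!/bin/sh
# Audit an iptables ruleset (iptables-save format) for the layout an inline
# Suricata IPS needs: INPUT, OUTPUT and FORWARD must all hand packets to the
# same queue, otherwise one direction of a flow never reaches Suricata and
# the stream engine drops what it sees as invalid (ips.blocked goes up).

# Constructed sample (not taken from a real host): NFQUEUE on INPUT and
# OUTPUT only, with a LOG rule before the INPUT queue rule but none before
# the OUTPUT one.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG --log-prefix "pre-nfq-in "
-A INPUT -j NFQUEUE --queue-num 0
-A OUTPUT -j NFQUEUE --queue-num 0
COMMIT'

# Print, one per line, the chains among INPUT FORWARD OUTPUT that have no
# NFQUEUE rule at all. Argument: the ruleset text.
missing_nfqueue_chains() {
  for chain in INPUT FORWARD OUTPUT; do
    printf '%s\n' "$1" | grep -q -- "^-A $chain .*-j NFQUEUE" || echo "$chain"
  done
}

# Print chains whose NFQUEUE rule is not preceded by a LOG rule, i.e. where
# there is no evidence yet that packets actually reach the queue.
unlogged_nfqueue_chains() {
  printf '%s\n' "$1" | awk '
    /^-A [A-Z]+ .*-j LOG/ { seen[$2] = 1 }
    /^-A [A-Z]+ .*-j NFQUEUE/ && !seen[$2] { print $2 }
  '
}

# Print the iptables commands that would close the gaps found above.
# Arguments: ruleset text, queue number. -I puts the LOG rule at the top of
# the chain, so it lands before an already present NFQUEUE rule.
remediation_commands() {
  rules=$1
  queue=$2
  for chain in $(missing_nfqueue_chains "$rules"); do
    echo "iptables -A $chain -j LOG --log-prefix \"pre-nfq-$chain \""
    echo "iptables -A $chain -j NFQUEUE --queue-num $queue"
  done
  for chain in $(unlogged_nfqueue_chains "$rules"); do
    echo "iptables -I $chain -j LOG --log-prefix \"pre-nfq-$chain \""
  done
}

# Run the audit against the sample; on a live box feed it `iptables-save`.
echo "chains without NFQUEUE:"
missing_nfqueue_chains "$SAMPLE_RULES"
echo "NFQUEUE chains without a LOG rule in front:"
unlogged_nfqueue_chains "$SAMPLE_RULES"
echo "suggested fixes:"
remediation_commands "$SAMPLE_RULES" 0
```

Logging every packet in front of the queue is only sensible on a test box like the poster's (rules "on all packets, for testing"); once `/var/log/kern.log` shows both the client-to-server and the server-to-client packets of a flow, including the FIN, the LOG rules can go. The TRACE target Andreas mentions is the alternative in the raw table and is not checked by this script.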

