[Oisf-users] Packet not dropped?
Giuseppe Longo
lists at glongo.it
Sun Dec 2 20:25:28 UTC 2018
Hello,
> On 1 Dec 2018, at 21:06, James Moe <jimoe at sohnen-moe.com> wrote:
>
> On 28/11/2018 12.54 PM, Giuseppe Longo wrote:
>
>>> Chain OUTPUT (policy ACCEPT)
>>> target prot opt source destination
>>> NFQUEUE all -- anywhere anywhere NFQUEUE
>>> num 0 bypass
>>
>> Ok, looks correct.
>> Would you be able to generate a pcap and send it?
>>
> For the instance:
> 12/01/2018-12:45:33.386511 [Drop] [**] [1:2260002:1] SURICATA Applayer
> Detect protocol only one direction [**] [Classification: Generic
> Protocol Command Decode] [Priority: 3] {TCP} 190.64.84.98:47029 ->
> 192.168.69.246:25
>
> The PCAP filtered for IP.addr = 190.64.84.98:
> https://www.dropbox.com/s/6ydhzr6vo5to566/suricata-rule-2260002.pcapng?dl=0
'DROP: FALSE' in alert-debug.log means that the _flow_ is actually not dropped.
Technically speaking, the FLOW_ACTION_DROP flag is not set when your rule is
matching, but the packet itself is dropped, as you can see in your alert event
in eve.json ("action":"blocked").
I think looking at the ips.blocked counter in stats.log should confirm this too.
The flow/stream is dropped when the drop action is triggered from the IP-only
module, or from a reassembled message and/or from an applayer detection. (stream-tcp.c:4728)
In the end, everything should be fine. The packet is dropped and it is correct to see
'drop:false' in alert-debug.log. (If I'm not wrong.)
Giuseppe
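The two signals named above (the per-alert "action" field in eve.json and the ips.blocked counter in stats.log) can be cross-checked with a small script. The following is an added example, not code from the original thread or from the Suricata project; the eve.json records and the stats.log excerpt are constructed to resemble Suricata output (the alert field names follow the EVE alert schema, and the stats.log "counter | TM Name | value" column layout is assumed), and the helper names are the example's own.

```python
"""Cross-check a Suricata IPS drop: count alerts marked "blocked" in eve.json
and compare against the ips.blocked counter in stats.log. The sample records
below are constructed for this example; they are not from the reporter's capture."""
import json
import re
from collections import Counter

# Constructed eve.json lines (one JSON object per line) modelled on the EVE
# alert schema: the first mirrors the alert quoted in the thread, the second
# is a non-dropped alert, the third is a non-alert event that must be skipped.
EVE_JSON_LINES = """\
{"timestamp":"2018-12-01T12:45:33.386511-0700","event_type":"alert","src_ip":"190.64.84.98","src_port":47029,"dest_ip":"192.168.69.246","dest_port":25,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2018-12-01T12:45:34.000000-0700","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.168.69.246","dest_port":25,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2260002,"rev":1,"signature":"SURICATA Applayer Detect protocol only one direction","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2018-12-01T12:45:35.000000-0700","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.168.69.246","proto":"TCP"}
"""

# Constructed stats.log excerpt in the assumed "counter | TM Name | value"
# column layout; the counter values are made up for the example.
STATS_LOG = """\
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
ips.accepted                               | Total                     | 1502
ips.blocked                                | Total                     | 1
ips.rejected                               | Total                     | 0
"""

# Matches a data row; the header row fails because "Value" is not numeric.
STATS_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")


def alert_actions(eve_lines):
    """Return {(signature_id, action): count} over alert events only."""
    counts = Counter()
    for line in eve_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alert = rec["alert"]
        counts[(alert["signature_id"], alert["action"])] += 1
    return counts


def stats_counters(stats_text):
    """Parse 'name | TM | value' rows into {name: value}; header/rule rows are skipped."""
    counters = {}
    for line in stats_text.splitlines():
        m = STATS_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def blocked_matches_stats(eve_lines, stats_text):
    """True when the number of alerts marked "blocked" equals ips.blocked.

    ips.blocked counts packets, not alerts, so this is a sanity check rather
    than a proof: one packet can carry several alerts, and a packet dropped
    because its flow already carries the drop flag raises no new alert.
    """
    blocked = sum(n for (_, action), n in alert_actions(eve_lines).items()
                  if action == "blocked")
    return blocked == stats_counters(stats_text).get("ips.blocked", 0)


if __name__ == "__main__":
    for (sid, action), n in sorted(alert_actions(EVE_JSON_LINES).items()):
        print(f"sid {sid}: {action} x{n}")
    print("stats:", stats_counters(STATS_LOG))
    print("blocked alerts agree with ips.blocked:",
          blocked_matches_stats(EVE_JSON_LINES, STATS_LOG))
```

On a live sensor, feed the script the real eve.json and stats.log instead of the embedded samples; a "blocked" action on the alert together with a non-zero ips.blocked is the confirmation the reply describes, independent of the flow-level "DROP: FALSE" shown in alert-debug.log.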