[Oisf-users] Packet not dropped?

Giuseppe Longo lists at glongo.it
Sun Dec 2 20:25:28 UTC 2018


> Il giorno 1 dic 2018, alle ore 21:06, James Moe <jimoe at sohnen-moe.com> ha scritto:
> On 28/11/2018 12.54 PM, Giuseppe Longo wrote:
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> NFQUEUE    all  --  anywhere             anywhere             NFQUEUE
>>> num 0 bypass
>> Ok, looks correct.
>> Would you be able to generate a pcap and send it?
>  For the instance:
> 12/01/2018-12:45:33.386511  [Drop] [**] [1:2260002:1] SURICATA Applayer
> Detect protocol only one direction [**] [Classification: Generic
> Protocol Command Decode] [Priority: 3] {TCP} ->
> The PCAP filtered for IP.addr =
> https://www.dropbox.com/s/6ydhzr6vo5to566/suricata-rule-2260002.pcapng?dl=0 <https://www.dropbox.com/s/6ydhzr6vo5to566/suricata-rule-2260002.pcapng?dl=0>

'DROP: FALSE’ in alert-debug.log means that actually the _flow_ is not dropped.
Technically speaking, FLOW_ACTION_DROP flag is not set when your rule is 
matching but the packet itself is dropped as you can see in your alert event
In eve.json ("action":”blocked”).
I think looking at ips.blocked counter is stats.log should confirm too.

The flow/stream is dropped when the drop action is triggered from the IP-only
module, or from a reassembled msg and/or from an applayer detection. (stream-tcp.c:4728)

At the end, everything should be fine. The packet is dropped and it is correct to see
‘drop:false’ in alert-debug.log. (if I’m not wrong.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181202/0f03aae7/attachment.html>

More information about the Oisf-users mailing list