Hello,
I feel I get this problem with every major version upgrade of suricata. As soon as suricata starts, all traffic is blocked, except the wireguard interface.
Suricata is listening on the physical interfaces igb0 (Modem) and igb1 (LAN). Network cards are Intel i211-AT.
Any suggestions? Is it a driver issue? A netmap issue?
OPNsense 23.7.r_14-amd64
FreeBSD 13.2-RELEASE-p1
OpenSSL 1.1.1u 30 May 2023
Second question, why is the file /usr/local/www/ntpd.core 1.0G? (Timestamp 2020)
Cheers
After starting suricata, eve.json basically gets spammed with "stream midstream" drops. Can't figure out which rule this should be.
{"timestamp":"2023-07-23T00:47:17.579664+0200","flow_id":1645215458582628,"in_iface":"igb0","event_type":"drop","src_ip":"216.xx.xx.xx","src_port":443,"dest_ip":"192.xx.xx.xx","dest_port":9817,"proto":"TCP","pkt_src":"wire/pcap","direction":"to_server","drop":{"len":60,"tos":128,"ttl":124,"ipid":0,"tcpseq":3264133184,"tcpack":555486239,"tcpwin":65535,"syn":true,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0,"reason":"stream midstream"}}
ICMP/PING still works, so it must be related to some rules, which I can't figure out yet.
custom.yaml:
stream.midstream-policy: ignore
https://forum.suricata.io/t/blocking-traffic-after-upgrade/3744
https://forum.suricata.io/t/my-traffic-gets-blocked-after-upgrading-to-suricata-7/3745
Inspecting why traffic is dropped
If your traffic is being blocked, you can enable and inspect drop logs, especially the drop reason. For example, "reason":"stream midstream" in the drop logs indicates that Suricata has picked up a session midstream and, because midstream pick-ups are not enabled, the default midstream exception policy is to drop such flows.
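The docs excerpt above says to look at the drop reason rather than hunt for a rule. The following is an added example (not from this thread, and not OPNsense or Suricata code) that does exactly that over eve.json: it tallies drop events by interface and reason, separates stream-engine drops from rule-triggered ones, and returns a verdict. The eve.json lines are constructed for the example; the reason strings "stream midstream" and "rules" are ones Suricata emits, while the "alert" sub-object attached to the rule drop (giving the signature_id) is an assumption about the drop event layout when alerts are logged with drops.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not real traffic). The first line mirrors the
# shape of the drop event quoted in the thread: a SYN/ACK from port 443 dropped
# with reason "stream midstream". The "alert" object on the rule drop is an
# assumption about how a rule-triggered drop is logged.
SAMPLE_EVE = """\
{"timestamp":"2023-07-23T00:47:17.579664+0200","flow_id":1,"in_iface":"igb0","event_type":"drop","src_ip":"203.0.113.10","src_port":443,"dest_ip":"192.0.2.20","dest_port":9817,"proto":"TCP","direction":"to_server","drop":{"syn":true,"ack":true,"psh":false,"rst":false,"fin":false,"reason":"stream midstream"}}
{"timestamp":"2023-07-23T00:47:17.600000+0200","flow_id":2,"in_iface":"igb0","event_type":"drop","src_ip":"203.0.113.11","src_port":443,"dest_ip":"192.0.2.20","dest_port":9818,"proto":"TCP","direction":"to_server","drop":{"syn":false,"ack":true,"psh":true,"rst":false,"fin":false,"reason":"stream midstream"}}
{"timestamp":"2023-07-23T00:47:18.000000+0200","flow_id":3,"in_iface":"igb1","event_type":"drop","src_ip":"192.0.2.20","src_port":50000,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","direction":"to_server","drop":{"syn":false,"ack":true,"psh":true,"rst":false,"fin":false,"reason":"rules"},"alert":{"action":"blocked","signature_id":2100498,"rev":7,"signature":"constructed example signature"}}
{"timestamp":"2023-07-23T00:47:19.000000+0200","flow_id":4,"in_iface":"igb0","event_type":"flow","src_ip":"192.0.2.20","dest_ip":"198.51.100.5","proto":"ICMP"}
"""


def parse_eve(text):
    """Yield one parsed JSON object per eve.json line, skipping blank or broken lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written line at the tail of a live log


def drop_summary(text):
    """Tally drop events by (interface, reason); for rule drops, also by signature_id.

    midstream_synack counts midstream drops whose packet is a SYN/ACK: the
    stream engine never saw the client's SYN for that flow, so the server's
    handshake reply is the first packet it sees and is treated as a pick-up.
    """
    by_reason = Counter()
    by_sig = Counter()
    midstream_synack = 0
    for ev in parse_eve(text):
        if ev.get("event_type") != "drop":
            continue
        drop = ev.get("drop", {})
        reason = drop.get("reason", "unknown")
        by_reason[(ev.get("in_iface", "?"), reason)] += 1
        if reason == "stream midstream" and drop.get("syn") and drop.get("ack"):
            midstream_synack += 1
        if reason == "rules":
            by_sig[ev.get("alert", {}).get("signature_id")] += 1
    return {"by_reason": by_reason, "by_signature": by_sig,
            "midstream_synack": midstream_synack}


def diagnose(summary):
    """Say whether drops come from the stream exception policy or from rules."""
    total = sum(summary["by_reason"].values())
    if total == 0:
        return "no drop events"
    midstream = sum(n for (_, r), n in summary["by_reason"].items()
                    if r == "stream midstream")
    if midstream * 2 >= total:
        return ("stream engine, not a rule: %d/%d drops are 'stream midstream'; "
                "enable stream.midstream or set stream.midstream-policy: ignore"
                % (midstream, total))
    return "rule drops: signature_ids %s" % sorted(
        k for k in summary["by_signature"] if k is not None)


if __name__ == "__main__":
    # Replace SAMPLE_EVE with open("/var/log/suricata/eve.json").read() on a real box.
    s = drop_summary(SAMPLE_EVE)
    for (iface, reason), n in sorted(s["by_reason"].items()):
        print("%-6s %-18s %d" % (iface, reason, n))
    print("midstream drops that were SYN/ACK:", s["midstream_synack"])
    print(diagnose(s))
```

Run it against the live eve.json and the (interface, reason) table tells you immediately whether the blocking is the stream engine (no signature to chase) or a rule with a concrete signature_id. In the thread's case, every drop carries "stream midstream", so the fix is the stream setting, not a rule.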
@franco
The "midstream-policy" should probably be added to default, as "midstream" is not enabled.
Wouldn't it be a great addition to have a textfield in IDS settings that adds to custom.yaml?
Thanks for this, this fixed my issue of all traffic being blocked as well, by adding stream.midstream-policy: ignore to the custom.yaml.
Would like to see that, and not have to have it set in the custom.yaml.
Midstream pick-up sessions ENABLED (stream.midstream=true)
@danderson
I ended up downgrading to Suricata 6.x.
I had problems with all applications doing authentication against Microsoft services (Microsoft Store, Xbox, Outlook etc.) without any logs or alerts triggered.
Hi,
I had the same issue with the Suricata.
My config is very basic on my test system. So I guess this needs to be checked before releasing this version, as I guess this will affect a lot of people.
Best regards
Christoph