Suricata silent timeouts in inline mode to specific http requests
-
Hi all! I'm having issues with Suricata 4.0.4_1 running in inline mode on pfSense 2.4.3-RELEASE-p1.
I'm running with a very large number of rules from Snort (paid) & the ET free. My issue is that some HTTP requests are randomly "blocked" without any warning/alert or other traceability... and by "blocked" I mean they are randomly timed out. If I stop the Suricata instance, the requests proceed normally without any issues.
However with Suricata enabled, with for example request to this HTTP URL:
http://korkeinoikeus.fi/js/public.js?timestamp=1530597609664
...I get the first few KBs worth of the Javascript and then nothing until the request times out. Any ideas how to debug which rule or if it is Suricata somehow causing the issue? Turning one rule off at a time and retesting is nearly impossible. I'm assuming there must be a buggy rule or another issue somewhere in Suricata that causes this, because of no alert being generated and the fact that it goes into a timeout instead of a forcibly closed connection? Again, I obviously checked that there are no suppressed warnings and such.
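One way to narrow this down before touching the rule set, as an added example that is not part of the original post: Suricata's EVE JSON log can record a `drop` event for every packet it drops in inline mode (only if the `drop` output type is enabled under `eve-log` in suricata.yaml), alongside `alert` and `http` events that share the same `flow_id`. Correlating them separates drops that a `blocked` alert explains (so you know the signature id) from drops with no alert on the flow. The sample EVE lines below are constructed for this example and are not output from the poster's system; the function names and the 198.51.100.x addresses are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real output from the thread). Layout
# follows Suricata's EVE JSON format: one JSON object per line, events on the
# same connection share a flow_id.
SAMPLE_EVE_LINES = """
{"timestamp":"2018-07-03T08:00:01.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"192.0.2.10","src_port":51000,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2018-07-03T08:00:01.000100+0000","flow_id":1001,"event_type":"drop","src_ip":"192.0.2.10","src_port":51000,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP"}
{"timestamp":"2018-07-03T08:00:05.000000+0000","flow_id":1002,"event_type":"http","src_ip":"192.0.2.10","src_port":51002,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","http":{"hostname":"korkeinoikeus.fi","url":"/js/public.js?timestamp=1530597609664","http_method":"GET","status":200}}
{"timestamp":"2018-07-03T08:00:05.200000+0000","flow_id":1002,"event_type":"drop","src_ip":"192.0.2.10","src_port":51002,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP"}
{"timestamp":"2018-07-03T08:00:09.000000+0000","flow_id":1003,"event_type":"alert","src_ip":"192.0.2.11","src_port":51003,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound"}}
""".strip()


def parse_eve(text):
    """Parse EVE JSON text into a list of event dicts, one per line.

    Truncated or partial lines (common when reading a log that is still being
    written) are skipped rather than aborting the whole run.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_drops(events):
    """Split dropped flows into explained and unexplained ones.

    Returns (explained, unexplained):
      explained   maps flow_id -> sorted signature_ids of 'blocked' alerts on
                  that flow (the rules responsible for the drop)
      unexplained maps flow_id -> 5-tuple summary plus any HTTP host/URL seen
                  on the flow, for drops with no blocking alert at all
    """
    blocked_sids = defaultdict(set)   # flow_id -> {signature_id, ...}
    http_info = {}                    # flow_id -> (hostname, url)
    drops = {}                        # flow_id -> 5-tuple summary

    for ev in events:
        fid = ev.get("flow_id")
        etype = ev.get("event_type")
        if etype == "alert" and ev.get("alert", {}).get("action") == "blocked":
            blocked_sids[fid].add(ev["alert"]["signature_id"])
        elif etype == "http":
            h = ev.get("http", {})
            http_info[fid] = (h.get("hostname"), h.get("url"))
        elif etype == "drop":
            drops[fid] = {k: ev.get(k) for k in
                          ("src_ip", "src_port", "dest_ip", "dest_port", "proto")}

    explained, unexplained = {}, {}
    for fid, summary in drops.items():
        if blocked_sids.get(fid):
            explained[fid] = sorted(blocked_sids[fid])
        else:
            host, url = http_info.get(fid, (None, None))
            summary["http"] = f"{host}{url}" if host else None
            unexplained[fid] = summary
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = classify_drops(parse_eve(SAMPLE_EVE_LINES))
    for fid, sids in explained.items():
        print(f"flow {fid}: dropped by signature(s) {sids}")
    for fid, info in unexplained.items():
        print(f"flow {fid}: dropped with NO blocking alert "
              f"({info['src_ip']}:{info['src_port']} -> "
              f"{info['dest_ip']}:{info['dest_port']}, http={info['http']})")
```

Against a real log, feed the file contents to `parse_eve` and look for the stalled request's host and URL in the unexplained set. If the flow appears there, a rule dropped it without an alert being emitted and the signature can be found by checking that flow's timeframe in the rule-level stats; if no `drop` event exists for the flow at all, Suricata never decided to drop it, which points at the inline packet path rather than the rule set.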
-
I suspect there's something wrong with inline mode as we've had cases where traffic doesn't flow but no alert is logged. See
https://forum.netgate.com/topic/131572/moved-suricata-from-wan-to-lan-can-t-remote-desktop-in/10
https://forum.netgate.com/topic/109581/suricata-inline-whitelisting/8