Suricata silent timeouts in inline mode to specific http requests
allu last edited by
Hi all! I'm having issues with Suricata 4.0.4_1 running in inline mode on pfSense 2.4.3-RELEASE-p1.
I'm running with a very large number of rules from Snort (paid) and the ET free set. My issue is that some HTTP requests are randomly "blocked" without any warning/alert or other traceability... and by "blocked" I mean they randomly time out. If I stop the Suricata instance, the requests proceed normally without any issues.
However, with Suricata enabled, for example with a request to this HTTP URL:
Any ideas on how to debug which rule is responsible, or whether it is Suricata itself somehow causing the issue? Turning one rule off at a time and retesting is nearly impossible. I'm assuming there must be a buggy rule or another issue somewhere in Suricata that causes this, because no alert is generated and the request goes into a timeout instead of a forcibly closed connection. Again, I obviously checked that there are no suppressed warnings and such.
teamits last edited by
I suspect there's something wrong with inline mode, as we've had cases where traffic doesn't flow but no alert is logged. See