Suricata - Block on drop not being respected for certain rules





  • The first thing to check for is a duplicate zombie Suricata process on the interface. Run this command from a shell prompt on the firewall:

    ps -ax | grep suricata
    

    You should see only a single Suricata process running for each configured interface. If you see more than one, then you need to kill the zombie process. The easiest way to do that is to stop Suricata in the GUI and then issue this command to kill any remaining Suricata processes:

    kill -9 <pid>
    

    where <pid> should be the process ID shown for any Suricata processes still running (repeating the previous command to show running Suricata processes).

    My first suspicion is perhaps you have a duplicate process running and that one is doing the blocking. If that is not the case, then just disable those two rules if you do not want the blocks. I can't imagine any reason within the Suricata code that those two rules would be treated any differently than other rules. The same code is used to process all of them.





  • @karel said in Suricata - Block on drop not being respected for certain rules:

    I was able to reproduce this every time. I've just suppressed those alerts for now.

    Thanks for the feedback. I will see about reproducing this in my test virtual machines and look for a cause. Might be something within the binary itself. It will be a few days before I have time for the testing, though.

