I had some trouble with Suricata as an IPS with WordPress and DokuWiki. My WordPress was unable to reach wordpress.org and my DokuWiki was unable to reach the DokuWiki plugin/extension store. While I’m (still) not sure what exactly is causing this, I found a workaround for it.
Everything I checked, like wget, curl, DNS… worked fine. Manually retrieving and accessing wordpress.org also worked fine. The IPs (of wordpress.org) are not dropped. In fact they are not even listed in fast.log. In eve.json I can see the DNS requests to resolve the domain and I can see an answer coming back from wordpress.org, but then somehow nothing happens anymore.
However, in the stats.log I found this:
ips.drop_reason.flow_drop | Total | 837
ips.drop_reason.rules | Total | 3398
ips.drop_reason.stream_error | Total | 19347
I think that the amount of stream_error packets seems quite high. When I checked the Suricata boards for this I found a thread titled “Suricata in IPS mode dropping tcp traffic”. So I tried the same setting:
drop-invalid: no
If you search for it, it is in the stream section:
stream:
  memcap: 64mb
  memcap-policy: ignore
  drop-invalid: yes
  checksum-validation: yes      # reject incorrect csums
  #midstream: false
  midstream-policy: ignore
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
As soon as I set it to no, this traffic works. But currently I am unable to find out why this traffic is detected as invalid by Suricata. So it has to do with the high amount of stream_errors. What annoys me a bit is that there is nothing in the logs which would give me a clue on what to search for.
In suricata.yaml, under stats:, I uncommented #stream-events: false and switched it to true. I was hoping to get more ideas about what’s going on. stats.log now shows:
ips.accepted | Total | 180267
ips.blocked | Total | 19401
ips.drop_reason.flow_drop | Total | 1795
ips.drop_reason.rules | Total | 1718
ips.drop_reason.stream_error | Total | 15888
[..]
capture.afpacket.poll_timeout | Total | 103893
[..]
stream.fin_but_no_session | Total | 12508
stream.rst_but_no_session | Total | 2577
stream.pkt_invalid_ack | Total | 47
stream.pkt_broken_ack | Total | 21
stream.rst_invalid_ack | Total | 47
stream.pkt_spurious_retransmission | Total | 14735
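As an added example (not part of the original post), here is a small Python parser for stats.log lines in the “counter | Total | value” format quoted above. It computes what share of ips.blocked each ips.drop_reason.* counter accounts for and lists the dominant stream.* event counters, which is the check that points at drop-invalid as the culprit; the sample input is constructed from the numbers in this post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, copied from the counters quoted in the post. Real stats.log
# also carries a header, a dashed separator and per-thread rows; all are skipped.
SAMPLE_STATS = """\
ips.accepted | Total | 180267
ips.blocked | Total | 19401
ips.drop_reason.flow_drop | Total | 1795
ips.drop_reason.rules | Total | 1718
ips.drop_reason.stream_error | Total | 15888
[..]
capture.afpacket.poll_timeout | Total | 103893
stream.fin_but_no_session | Total | 12508
stream.rst_but_no_session | Total | 2577
stream.pkt_invalid_ack | Total | 47
stream.pkt_broken_ack | Total | 21
stream.rst_invalid_ack | Total | 47
stream.pkt_spurious_retransmission | Total | 14735
"""

# counter name | thread/"Total" column | integer value
LINE_RE = re.compile(r"^\s*(?P<name>[\w.]+)\s*\|\s*(?P<col>\S+)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Return {counter: value} for the 'Total' rows; other lines are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("col") == "Total":
            counters[m.group("name")] = int(m.group("value"))
    return counters


def drop_reason_shares(counters: Dict[str, int]) -> Dict[str, float]:
    """Each ips.drop_reason.* counter as a fraction of ips.blocked (empty if nothing blocked)."""
    blocked = counters.get("ips.blocked", 0)
    if blocked == 0:
        return {}
    return {k.rsplit(".", 1)[1]: v / blocked
            for k, v in counters.items() if k.startswith("ips.drop_reason.")}


def top_stream_events(counters: Dict[str, int], n: int = 3) -> List[Tuple[str, int]]:
    """The n largest stream.* counters; these are the events drop-invalid acts on."""
    events = [(k, v) for k, v in counters.items() if k.startswith("stream.")]
    return sorted(events, key=lambda kv: kv[1], reverse=True)[:n]


def stream_error_dominates(counters: Dict[str, int], threshold: float = 0.5) -> bool:
    """True when stream_error explains at least `threshold` of all IPS blocks."""
    return drop_reason_shares(counters).get("stream_error", 0.0) >= threshold
```

On the post’s numbers the three drop reasons sum exactly to ips.blocked, and stream_error alone is about 82% of it, with spurious retransmissions and FINs without a session as the leading stream events.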
Once I find a reason for this, I’ll write another post. For now “drop-invalid: no” seems to fix this.
/me shrugs