Wrong packet is logged by Suricata for L7NP when enabling logging for rule #6636
Comments
|
@qiyueyao do you know how we could resolve this? |
This part of logging is done with tag keyword https://docs.suricata.io/en/latest/rules/tag.html. I just decoded the example there, it is a TCP packet. Perhaps it is due to specifying wrong value of scope, which is currently |
The problem is not that it is a TCP packet, the problem is that it is the "wrong" TCP packet. It should be the packet which is actually dropped by Suricata.
Do you mean that the packet is also logged to |
The example there shows
Oh yes they are logged there but without payload information. Also without final action if we need that information. |
Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet. This solution modifies the Suricata tagging configuration to track packets for host instead of for session, so that the original TCP packet is also logged. Fixes antrea-io#6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet. This solution modifies the Suricata tagging configuration to track packets for host instead of for session, so that the original TCP packet is also logged. Fixes antrea-io#6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet, and remains an existing bug in Suricata. This solution modifies the design to remove enableLogging in L7, keep it in L4, and instead configure Suricata to log Packet info for all alert events. Fixes antrea-io#6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet, and remains an existing bug in Suricata. This solution modifies the design to remove enableLogging in L7, keep it in L4, and instead configure Suricata to log Packet info for all alert events. Fixes antrea-io#6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet, and remains an existing bug in Suricata. This solution modifies the design to remove enableLogging in L7, keep it in L4, and instead configure Suricata to log Packet info for all alert events. Fixes antrea-io#6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Currently when enableLogging is enabled for an L7NP rule, we enable "tagged" packet logging in the appropriate Suricata reject rule. Unfortunately, this leads to the wrong packet being logged: the RST packet generated by Suricata instead of the original TCP packet containing the HTTP request from the client. This solution modifies the design to remove enableLogging in L7, keep it in L4, and instead configure Suricata to log packet info for all alert events. This is a global configuration, and no longer a per-rule configuration. Experiments revealed that enabling packet logging for all reject rules only had a minor impact (5%) in performance. Therefore, logging is always enabled, unconditionally. Fixes antrea-io#6636. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Describe the bug
According to https://github.com/antrea-io/antrea/blob/main/docs/antrea-l7-network-policy.md#logs,
enableLoggingcan be set to true for a L7 NP rule, in which case Antrea will request Suricata to log packets that need to be dropped.The expectation is that if an HTTP request is rejected by the default reject rule installed by Antrea, the offending packet / HTTP request will be logged for further troubleshooting.
However, the wrong packet is logged. Instead of logging the packet / request from the client, the TCP RST packet sent by Suricata is logged instead.
This can be reproduced easily by following instructions in https://github.com/antrea-io/antrea/blob/main/docs/antrea-l7-network-policy.md#logs, and enabling logging for the L7 NP rules.
The log shown in the documentation clearly illustrates the issue:
{ "timestamp": "2023-03-09T20:00:28.225016+0000", "flow_id": 627175734391745, "in_iface": "antrea-l7-tap0", "event_type": "packet", "vlan": [ 1 ], "src_ip": "10.10.1.4", "src_port": 80, "dest_ip": "10.10.1.5", "dest_port": 43352, "proto": "TCP", "packet": "/lhtPRglzmQvxnJoCABFAAAoUGYAAEAGFE4KCgEECgoBBQBQqVhIGzbi/odenlAUAfsR7QAA", "packet_info": { "linktype": 1 } }Decoding the packet from base64 to hex gives us
FE 58 6D 3D 18 25 CE 64 2F C6 72 68 08 00 45 00 00 28 50 66 00 00 40 06 14 4E 0A 0A 01 04 0A 0A 01 05 00 50 A9 58 48 1B 36 E2 FE 87 5E 9E 50 14 01 FB 11 ED 00 00. And using an hex packet decoder gives us10.10.1.4 → 10.10.1.5 TCP 80 → 43352 [RST, ACK]. This is clearly a TCP RST packet, and we can also easily see that thesrc_ipmatches the server IP, while thedest_ipmatches the client IP.Logging the TCP RST packet sent by Suricata is not very useful, and the HTTP GET request which triggered the RST should be logged instead.
Versions:
Antrea v2.1.0, ToT
Additional context
Just a quick note that the documentation is in the process of being updated as part of #6589, but while the example changes, the issue remains the same.
The text was updated successfully, but these errors were encountered: