aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '535938d7f6'
${ noResults }
suricata/doc/userguide/configuration/exception-policies.rst

234 lines
8.9 KiB
ReStructuredText
Raw Blame History

.. _exception policies:
Exception Policies
==================
Suricata has a set of configuration variables to indicate what should the engine
do when certain exception conditions, such as hitting a memcap, are reached.
They are called Exception Policies and are configurable via suricata.yaml. If
enabled, the engine will call them when it reaches exception states.
For developers or for researching purposes, there are also simulation options
exposed in debug mode and passed via command-line. These exist to force or
simulate failures or errors and understand Suricata behavior under such conditions.
Exception Policies
------------------
.. _master-switch:
Master Switch
~~~~~~~~~~~~~
It is possible to set all configuration policies via what we call "master
switch". This offers a quick way to define what the engine should do in case of
traffic exceptions, while still allowing for the flexibility of indicating a
different behavior for specific exception policies your setup/environment may
have the need to.
::
# Define a common behavior for all exception policies.
# In IPS mode, the default is drop-flow. For cases when that's not possible, the
# engine will fall to drop-packet. To fallback to old behavior (setting each of
# them individually, or ignoring all), set this to ignore.
# All values available for exception policies can be used, and there is one
# extra option: auto - which means drop-flow or drop-packet (as explained above)
# in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet,
# drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).
exception-policy: auto
This value will be overwritten by specific exception policies whose settings are
also defined in the yaml file.
Auto
''''
**In IPS mode**, the default behavior for most of the exception policies is to
fail close. This means droping the flow, or the packet, when the flow action is
not supported. The default policy for the midstream exception will be ignore if
midstream flows are accepted.
It is possible to disable this default, by setting the exception policies'
"master switch" yaml config option to ``ignore``.
**In IDS mode**, setting ``auto`` mode actually means disabling the
``master-switch``, or ignoring the exception policies.
Specific settings
~~~~~~~~~~~~~~~~~
Exception policies are implemented for:
.. list-table:: Exception Policy configuration variables
:widths: 20, 18, 62
:header-rows: 1
* - Config setting
- Policy variable
- Expected behavior
* - stream.memcap
- memcap-policy
- If a stream memcap limit is reached, apply the memcap policy to the packet and/or
flow.
* - stream.midstream
- midstream-policy
- If a session is picked up midstream, apply the midstream policy to the flow.
* - stream.reassembly.memcap
- memcap-policy
- If stream reassembly reaches memcap limit, apply memcap policy to the
packet and/or flow.
* - flow.memcap
- memcap-policy
- Apply policy when the memcap limit for flows is reached and no flow could
be freed up. **Policy can only be applied to the packet.**
* - defrag.memcap
- memcap-policy
- Apply policy when the memcap limit for defrag is reached and no tracker
could be picked up. **Policy can only be applied to the packet.**
* - app-layer
- error-policy
- Apply policy if a parser reaches an error state. Policy can be applied to packet and/or flow.
To change any of these, go to the specific section in the suricata.yaml file
(for more configuration details, check the :doc:`suricata.yaml's<suricata-yaml>`
documentation).
The possible values for the exception policies, and the resulting behaviors,
are:
- ``drop-flow``: disable inspection for the whole flow (packets, payload,
application layer protocol), drop the packet and all future packets in the
flow.
- ``drop-packet``: drop the packet.
- ``reject``: same as ``drop-flow``, but reject the current packet as well (see
``reject`` action in Rule's :ref:`actions`).
- ``bypass``: bypass the flow. No further inspection is done. :ref:`Bypass
<bypass>` may be offloaded.
- ``pass-flow``: disable payload and packet detection; stream reassembly,
app-layer parsing and logging still happen.
- ``pass-packet``: disable detection, still does stream updates and app-layer
parsing (depending on which policy triggered it).
- ``ignore``: do not apply exception policies (default behavior).
The *drop*, *pass* and *reject* are similar to the rule actions described in :ref:`rule
actions<suricata-yaml-action-order>`.
Exception Policies and Midstream Pick-up Sessions
-------------------------------------------------
Suricata behavior can be difficult to track in case of midstream session
pick-ups. Consider this matrix illustrating the different interactions for
midstream pick-ups enabled or not and the various exception policy values:
.. list-table:: **Exception Policy Behaviors - IDS Mode**
:widths: auto
:header-rows: 1
:stub-columns: 1
* - Exception Policy
- Midstream pick-up sessions ENABLED (stream.midstream=true)
- Midstream pick-up sessions DISABLED (stream.midstream=false)
* - Ignore
- Session tracket and parsed.
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
* - Drop-flow
- Not valid.*
- Not valid.*
* - Drop-packet
- Not valid.*
- Not valid.*
* - Reject
- Not valid.*
- Session not tracked, flow REJECTED.
* - Pass-flow
- Track session, inspect and log app-layer traffic, no detection.
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
* - Pass-packet
- Not valid.*
- Not valid.*
* - Bypass
- Not valid.*
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
* - Auto
- Midstream policy applied: "ignore". Same behavior.
- Midstream policy applied: "ignore". Same behavior.
The main difference between IDS and IPS scenarios is that in IPS mode flows can
be allowed or blocked (as in with the PASS and DROP rule actions). Packet
actions are not valid, as midstream pick-up is a configuration that affects the
whole flow.
.. list-table:: **Exception Policy Behaviors - IPS Mode**
:widths: 15 42 43
:header-rows: 1
:stub-columns: 1
* - Exception Policy
- Midstream pick-up sessions ENABLED (stream.midstream=true)
- Midstream pick-up sessions DISABLED (stream.midstream=false)
* - Ignore
- Session tracket and parsed.
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
* - Drop-flow
- Not valid.*
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
Flow DROPPED.
* - Drop-packet
- Not valid.*
- Not valid.*
* - Reject
- Not valid.*
- Session not tracked, flow DROPPED and REJECTED.
* - Pass-flow
- Track session, inspect and log app-layer traffic, no detection.
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
* - Pass-packet
- Not valid.*
- Not valid.*
* - Bypass
- Not valid.*
- Session not tracked. No app-layer inspection or logging. No detection. No stream reassembly.
Packets ALLOWED.
* - Auto
- Midstream policy applied: "ignore". Same behavior.
- Midstream policy applied: "drop-flow". Same behavior.
Notes:
* Not valid means that Suricata will error out and won't start.
* ``REJECT`` will make Suricata send a Reset-packet unreach error to the sender of the matching packet.
Command-line Options for Simulating Exceptions
----------------------------------------------
It is also possible to force specific exception scenarios, to check engine
behavior under failure or error conditions.
The available command-line options are:
- ``simulate-applayer-error-at-offset-ts``: force an applayer error in the to
server direction at the given offset.
- ``simulate-applayer-error-at-offset-tc``: force an applayer error in the to
client direction at the given offset.
- ``simulate-packet-loss``: simulate that the packet with the given number
(``pcap_cnt``) from the session was lost.
- ``simulate-packet-tcp-reassembly-memcap``: simulate that the TCP stream
reassembly reached memcap for the specified packet.
- ``simulate-packet-tcp-ssn-memcap``: simulate that the TCP session hit the
memcap for the specified packet.
- ``simulate-packet-flow-memcap``: force the engine to assume that flow memcap is
hit at the given packet.
- ``simulate-packet-defrag-memcap``: force Suricata to assume memcap is hit when
defragmenting specified packet.
- ``simulate-alert-queue-realloc-failure``: prevent the engine from dynamically
growing the temporary alert queue, during alerts processing.
Common abbreviations
--------------------
- applayer: application layer protocol
- memcap: (maximum) memory capacity available
- defrag: defragmentation
Reference in New Issue View Git Blame Copy Permalink