From 92fc79c63e6491242529ba86fc5468c01d1bd242 Mon Sep 17 00:00:00 2001 From: Qiyue Yao Date: Wed, 4 Sep 2024 14:19:02 -0700 Subject: [PATCH] Fix L7NP enable logging wrong packet Current logs by Suricata when enableLogging is set, logs the wrong packet of RST instead of the original TCP packet. This solution modifies the Suricata tagging configuration to track packets for host instead of for session, so that the original TCP packet is also logged. Fixes #6636. Signed-off-by: Qiyue Yao
--- docs/antrea-l7-network-policy.md | 55 ++++++++++--------- .../networkpolicy/l7engine/reconciler.go | 2 +- 2 files changed, 29 insertions(+), 28 deletions(-)
diff --git a/docs/antrea-l7-network-policy.md b/docs/antrea-l7-network-policy.md
index 1f917de0152..c9a7d7ea3dd 100644
--- a/docs/antrea-l7-network-policy.md
+++ b/docs/antrea-l7-network-policy.md
@@ -329,24 +329,24 @@ Allow ingress from client (10.10.1.9) to web (10.10.1.10/public/*).
 } ``` -Deny ingress from client (10.10.1.9) to web (10.10.1.10/admin/*) +Deny ingress from client (10.10.1.4) to web (10.10.1.3/admin/*). ```json { - "timestamp": "2024-08-26T22:38:26.019956+0000", - "flow_id": 642636870504569, + "timestamp": "2024-09-04T21:00:09.613227+0000", + "flow_id": 1179717331488573, "in_iface": "antrea-l7-tap0", "event_type": "alert", "vlan": [ - 2 + 1 ], - "src_ip": "10.10.1.9", - "src_port": 37892, - "dest_ip": "10.10.1.10", + "src_ip": "10.10.1.4", + "src_port": 35396, + "dest_ip": "10.10.1.3", "dest_port": 80, "proto": "TCP", - "pkt_src": "wire/pcap", - "tenant_id": 2, + "pkt_src": "stream (flow timeout)", + "tenant_id": 1, "alert": { "action": "blocked", "gid": 1, 
@@ -355,43 +355,44 @@ Deny ingress from client (10.10.1.9) to web (10.10.1.10/admin/*)
 "signature": "Reject by AntreaNetworkPolicy:default/allow-privileged-url-to-admin-role", "category": "", "severity": 3, - "tenant_id": 2 + "tenant_id": 1 }, "app_proto": "http", "direction": "to_server", "flow": { "pkts_toserver": 3, - "pkts_toclient": 1, - "bytes_toserver": 308, - "bytes_toclient": 78, - "start": "2024-08-26T22:38:26.018553+0000", - "src_ip": "10.10.1.9", - "dest_ip": "10.10.1.10", - "src_port": 37892, + "pkts_toclient": 2, + "bytes_toserver": 307, + "bytes_toclient": 136, + "start": "2024-09-04T20:59:08.864498+0000", + "src_ip": "10.10.1.4", + "dest_ip": "10.10.1.3", + "src_port": 35396, "dest_port": 80 } } ``` -Additional packet log when `enableLogging` is set +Additional packet logs are available when `enableLogging` is set, including the +original packet that triggered the alert. ```json { - "timestamp": "2024-08-26T22:38:26.025742+0000", - "flow_id": 642636870504569, + "timestamp": "2024-09-04T20:59:32.353696+0000", + "flow_id": 1232822280696552, "in_iface": "antrea-l7-tap0", "event_type": "packet", "vlan": [ - 2 + 1 ], - "src_ip": "10.10.1.10", - "src_port": 80, - "dest_ip": "10.10.1.9", - "dest_port": 37892, + "src_ip": "10.10.1.4", + "src_port": 35154, + "dest_ip": "10.10.1.3", + "dest_port": 80, "proto": "TCP", "pkt_src": "wire/pcap", - "tenant_id": 2, - "packet": "/hYGSsKknh8fnhcggQAAAggARQAAKN7MAABABoXdCgoBCgoKAQkAUJQE0EfjHLfFVXZQFAH7QroAAA==", + "tenant_id": 1, + "packet": "dtwWezuaHlOhfWpNgQAAAQgARQAAjbT0QABABm9cCgoBBAoKAQOJUgBQa2w1WZlax6yAGAH7nAIAAAEBCAorcsv8RSTwQkdFVCAvYWRtaW4vaW5kZXguaHRtbCBIVFRQLzEuMQ0KSG9zdDogMTAuMTAuMS4zDQpVc2VyLUFnZW50OiBjdXJsLzcuNzQuMA0KQWNjZXB0OiAqLyoNCg0K", "packet_info": { "linktype": 1 }
diff --git a/pkg/agent/controller/networkpolicy/l7engine/reconciler.go b/pkg/agent/controller/networkpolicy/l7engine/reconciler.go
index 56523773662..748715a8800 100644
--- a/pkg/agent/controller/networkpolicy/l7engine/reconciler.go 
+++ b/pkg/agent/controller/networkpolicy/l7engine/reconciler.go
@@ -178,7 +178,7 @@ func generateTenantRulesData(policyName string, protoKeywords map[string]sets.Se
 // Refer to Suricata detect engine in codebase for detailed tag keyword configuration.
 var tagKeyword string
 if enableLogging {
- tagKeyword = " tag: session, 30, seconds;"
+ tagKeyword = " tag:host;"
 }
 // Generate default reject rule.
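Review bot: The new `tag:host;` drops the explicit count, metric and direction that `tag: session, 30, seconds;` carried, so how long and how much Suricata keeps logging after an alert now rests on its built-in defaults, and host tagging captures later packets involving that address rather than only the offending flow, which widens what lands in the packet log (full frames including payload, as the documentation example in this patch shows). If the triggering packet is still logged with an explicit bound, prefer stating it, e.g. `tagKeyword = " tag:host, 30, seconds, src;"`, and confirm the chosen direction against the Suricata tag keyword documentation before relying on it. The comment above `var tagKeyword string` only points at the Suricata source; replace it with the reason for this choice: `// Tag the host instead of the session so that the packet that triggered the alert is logged as well (#6636).` generateTenantRulesData starts and ends outside the hunk.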