Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
franรงais
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
f
full-lawyer-94872
03/05/2023, 3:09 AMIt was first reported as a violation in security events while running in monitor mode and as it's a valid connections, I just added it as a rule.
However when checking the rest of the rules, you can also notice that there was already a rule for this connection by id: 2.
k
kind-church-47495
03/06/2023, 12:45 PMcan you share a screenshot of the violation
f
full-lawyer-94872
03/06/2023, 1:07 PMYes, @kind-church-47495 Pls consider the attached.
Screenshot 2023-03-06 at 18.33.37.png
k
kind-church-47495
03/06/2023, 2:20 PMis there another rule created before that violation that should've allowed it? I don't see any in the scenario 2 screenshot maybe it's filtered
also I don't work for rancher i'm just curious myself
๐ 1
f
full-lawyer-94872
03/06/2023, 2:59 PM@kind-church-47495 Pls check id: 2 in scenario 2 screenshot. It was the 1st rule created before the mentioned violation.
Ideally since the connection was already allowed, above mentioned violation should not have occured.
k
kind-church-47495
03/06/2023, 3:10 PMthat is strange, I wonder if you have a packet capture, I think it's supposed to provide a packet capture for a network violation if the traffic is actually SSL traffic or something else maybe
f
full-lawyer-94872
03/06/2023, 3:54 PMAs per my understanding, .pcaps are created only for network threat scenarios, not for network violations ๐
๐ 1
However, this is in fact strange.
k
kind-church-47495
03/06/2023, 4:31 PMyeah may have to wait for someone smarter than me:) ha
q
quaint-candle-18606
03/06/2023, 5:21 PMPCAPs can be created manually or even automagically as part of a Response Rule. ๐
k
kind-church-47495
03/06/2023, 5:50 PMthey can be created after the fact or has to be done prior?
q
quaint-candle-18606
03/06/2023, 5:51 PMOne can only capture traffic that is currently in transit.
(just like any network packet capture ๐ )
k
kind-church-47495
03/06/2023, 6:47 PMlol, that's what I figured, i read your first comment and thought maybe it was caching pcaps for a certain amount of time where you could manually get it
q
quaint-candle-18606
03/06/2023, 8:10 PMTo the original issue here: Iโm baffled. Sorry.
f
full-lawyer-94872
03/06/2023, 11:37 PM@kind-church-47495 hehe, it's all about learning the product. Sharing is caring ๐
๐ค 1
๐ค 1
BTW, @quaint-candle-18606 Can we actually get a .pcap as a response rule? In UI, it only allows a webhook log, log suppression and quarantining as actions.
q
quaint-candle-18606
03/07/2023, 3:21 PMSorry, I said that in a flurry of multitasking yesterday. I am ashamed. ๐
f
full-lawyer-94872
03/07/2023, 4:55 PMAh, never mind ๐