
full-lawyer-94872

03/05/2023, 3:09 AM
It was first reported as a violation in security events while running in monitor mode and as it's a valid connection, I just added it as a rule. However, when checking the rest of the rules, you can also notice that there was already a rule for this connection by id: 2.

kind-church-47495

03/06/2023, 12:45 PM
can you share a screenshot of the violation

full-lawyer-94872

03/06/2023, 1:07 PM
Yes, @kind-church-47495 Pls consider the attached.
Screenshot 2023-03-06 at 18.33.37.png

kind-church-47495

03/06/2023, 2:20 PM
is there another rule created before that violation that should've allowed it? I don't see any in the scenario 2 screenshot maybe it's filtered
also I don't work for rancher i'm just curious myself

full-lawyer-94872

03/06/2023, 2:59 PM
@kind-church-47495 Pls check id: 2 in scenario 2 screenshot. It was the 1st rule created before the mentioned violation.
Ideally since the connection was already allowed, above mentioned violation should not have occurred.

kind-church-47495

03/06/2023, 3:10 PM
that is strange, I wonder if you have a packet capture, I think it's supposed to provide a packet capture for a network violation if the traffic is actually SSL traffic or something else maybe

full-lawyer-94872

03/06/2023, 3:54 PM
As per my understanding, .pcaps are created only for network threat scenarios, not for network violations 🙂
However, this is in fact strange.

kind-church-47495

03/06/2023, 4:31 PM
yeah may have to wait for someone smarter than me:) ha

quaint-candle-18606

03/06/2023, 5:21 PM
PCAPs can be created manually or even automagically as part of a Response Rule. 🙂

kind-church-47495

03/06/2023, 5:50 PM
they can be created after the fact or has to be done prior?

quaint-candle-18606

03/06/2023, 5:51 PM
One can only capture traffic that is currently in transit.
(just like any network packet capture 🙂 )

kind-church-47495

03/06/2023, 6:47 PM
lol, that's what I figured, i read your first comment and thought maybe it was caching pcaps for a certain amount of time where you could manually get it

quaint-candle-18606

03/06/2023, 8:10 PM
To the original issue here: I'm baffled. Sorry.

full-lawyer-94872

03/06/2023, 11:37 PM
@kind-church-47495 hehe, it's all about learning the product. Sharing is caring 🙂
BTW, @quaint-candle-18606 Can we actually get a .pcap as a response rule? In UI, it only allows a webhook log, log suppression and quarantining as actions.

quaint-candle-18606

03/07/2023, 3:21 PM
Sorry, I said that in a flurry of multitasking yesterday. I am ashamed. 😞

full-lawyer-94872

03/07/2023, 4:55 PM
Ah, never mind 🙂