Netgate Discussion Forum
    Suricata is blocking LAN and WAN IPs

bmeeks @zachtywebb:

      @zachtywebb said in Suricata is blocking LAN and WAN IPs:

      @bmeeks Alright, well I guess at least it's for sure not an issue with the update. I am out of ideas at the moment, but will keep poking at it. Thanks for all your help.

Those extra lines in your suricata.log file about adding the firewall interface IPs to the automatic internal pass list are strange. Normally those lines should appear just once in the log unless an interface IP changes sometime later after startup has completed. Usually that only happens due to a DHCP release/renew cycle or a PPPoE connection dropping and then being re-established.

When Suricata starts, the custom blocking plugin on pfSense grabs all the existing firewall interface IP addresses and puts them in the internal automatic pass list. It also subscribes to kernel routing messages so that it can see any future interface IP changes. So that first set of log messages about adding IP addresses to the automatic internal pass list is expected and normal.

In your log, however, there is another cycle of interface IPs being removed and then added back just a second or two after the initial startup scan was completed. That is unusual. I would focus my investigations there to determine why that is happening. What is making your interfaces essentially come up, then go down, and then come up again within a few seconds?

zachtywebb @bmeeks:

@bmeeks So, I did find this line in my pfBlockerNG IP block log, and I do have kill states enabled there. Not sure if this is related, but the timestamp on this is directly between the initial start of Suricata in the previous log and the interface reset. This is on the WAN, so it would be weird for it to be the cause of the LAN (em0) bouncing.

        Feb 7 13:52:17,1770007928,igb0,WAN,block,4,6,TCP-S,194.26.69.105,xxx.xxx.243.208,58964,2431,in,RU,pfB_Top_v4,194.26.69.0/24,pfB_Top_v4,Unknown,wan,null,+

zachtywebb @bmeeks:

          @bmeeks I may have figured this one out. Not sure how this issue just popped up but I saw another of your posts where something similar was happening to someone else and I checked some settings that you had suggested and I had not disabled hardware checksum offloading. After doing this and rebooting I am not seeing home net or pass list IPs being blocked. I will keep an eye on it but so far this seems to have done the trick.

bmeeks @zachtywebb:

            @zachtywebb said in Suricata is blocking LAN and WAN IPs:

            @bmeeks I may have figured this one out. Not sure how this issue just popped up but I saw another of your posts where something similar was happening to someone else and I checked some settings that you had suggested and I had not disabled hardware checksum offloading. After doing this and rebooting I am not seeing home net or pass list IPs being blocked. I will keep an eye on it but so far this seems to have done the trick.

            That's strange. Glad it's working for you now, but I would not have expected that to make a difference in blocking HOME_NET or not blocking it.

zachtywebb @bmeeks:

              @bmeeks Yeah, I was thinking the same thing and was expecting it to not work, but at that point I was grasping at straws. I am still not convinced that was the root cause, but I am no longer showing the duplicate weirdness in the Suricata logs and none of the pass list IPs are being blocked. What I am thinking actually happened is whatever was making Suricata upset finally cleared on this most recent reboot.

xm4rcell0x:

I have the exact same problem. Suricata blocks my LAN IPs.
With Snort I don't have this strange problem and I don't know why.
Already tried to reboot, to stop Suricata on each interface and to check for zombie processes, but nothing.
I have a setup with legacy blocking and Block on Drop Only (even without Block on Drop Only I have this problem), and I have VLANs on the ix0 interface (but I only have the LAN in Suricata). I really don't know what to do.

Here are my default passlist, the suricata.log and the block.log:

                
                10.10.10.1/32
                10.10.20.0/24
                10.10.20.254/32
                10.39.156.0/25
                WANIP/32
                127.0.0.1/32
                172.168.69.0/24
                192.168.1.0/24
                192.168.57.0/24
                192.168.70.0/24
                192.168.100.0/24
                195.43.166.12/32
                ::1/128
                fe80::92e2:baff:fe4c:c1b4/128
                fe80::e9d:92ff:fe5b:cab5/128
                fe80::e9d:92ff:fe5b:cab6/128
                

Attachments: suricata.log, alerts.log, blocks.log

P.S. I don't find any similar type of logs in Snort, maybe it could

xm4rcell0x:

That's a newer suricata.log.lan made after a fresh install of Suricata.

Update: I just set up the WAN in Suricata with legacy blocking, Block on Drop Only, and block both SRC and DST, and with this interface I don't have problems with the passlist! It blocks only the external IPs!
Attachment: suricata.log.wan

bmeeks @xm4rcell0x:

                    @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

I have the exact same problem. Suricata blocks my LAN IPs.
With Snort I don't have this strange problem and I don't know why.
Already tried to reboot, to stop Suricata on each interface and to check for zombie processes, but nothing.
I have a setup with legacy blocking and Block on Drop Only (even without Block on Drop Only I have this problem), and I have VLANs on the ix0 interface (but I only have the LAN in Suricata). I really don't know what to do.

Here are my default passlist, the suricata.log and the block.log:

                    
                    10.10.10.1/32
                    10.10.20.0/24
                    10.10.20.254/32
                    10.39.156.0/25
                    WANIP/32
                    127.0.0.1/32
                    172.168.69.0/24
                    192.168.1.0/24
                    192.168.57.0/24
                    192.168.70.0/24
                    192.168.100.0/24
                    195.43.166.12/32
                    ::1/128
                    fe80::92e2:baff:fe4c:c1b4/128
                    fe80::e9d:92ff:fe5b:cab5/128
                    fe80::e9d:92ff:fe5b:cab6/128
                    

Attachments: suricata.log, alerts.log, blocks.log

P.S. I don't find any similar type of logs in Snort, maybe it could

                    From the suricata.log file accompanying your post --

                    30/9/2021 -- 10:36:16 - <Info> -- alert-pf -> Pass List /usr/local/etc/suricata/suricata_13894_ix0/passlist parsed: 0 IP addresses loaded.
                    

                    So Suricata did not load any local IP addresses into the passlist. Notice the "0 IP addresses loaded" part. The other entries in the log where it mentions "automatic IP interface Pass List" are not the same thing. Those are actual firewall interface IPs. The regular Pass List is where LAN hosts would reside.

                    So in this instance, blocking of local LAN hosts would certainly occur.

bmeeks @xm4rcell0x:

                      @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

That's a newer suricata.log.lan made after a fresh install of Suricata.

Update: I just set up the WAN in Suricata with legacy blocking, Block on Drop Only, and block both SRC and DST, and with this interface I don't have problems with the passlist! It blocks only the external IPs!
Attachment: suricata.log.wan

                      Now look at the suricata.log file where it tells you how many IP addresses it loaded from the passed Pass List file:

                      30/9/2021 -- 14:45:47 - <Info> -- alert-pf -> Pass List /usr/local/etc/suricata/suricata_57062_ix0/passlist parsed: 16 IP addresses loaded.
                      

                      There it found and loaded 16 IP addresses and/or subnets.

xm4rcell0x @bmeeks:
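The two bmeeks posts above turn on a single line of suricata.log: the count the alert-pf blocking plugin reports when it parses the per-interface passlist file. A run that logs "0 IP addresses loaded" will block LAN hosts; a run that logs the full count will not. The script below is an example added here, not code from the thread or from the pfSense Suricata package. It pulls every "Pass List ... parsed" message out of a suricata.log, takes the most recent one (each restart writes a new one), and compares the reported count with the number of entries actually in the passlist file, so the check can be scripted instead of read by eye. The log lines are copied from the thread; the passlist is the one posted above with the redacted WANIP/32 entry replaced by the documentation address 203.0.113.5/32, which is an assumption made only so the sample parses.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Layout of a suricata.log line as it appears in the thread, e.g.
# 30/9/2021 -- 10:36:16 - <Info> -- alert-pf -> Pass List /usr/local/etc/suricata/suricata_13894_ix0/passlist parsed: 0 IP addresses loaded.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <(?P<level>\w+)> -- (?P<msg>.*)$"
)
PASSLIST_MSG = re.compile(
    r"alert-pf -> Pass List (?P<path>\S+) parsed: (?P<count>\d+) IP addresses loaded\."
)
TS_FORMAT = "%d/%m/%Y -- %H:%M:%S"


def passlist_load_events(log_text):
    """Return [(timestamp, passlist_path, loaded_count)] for every
    'Pass List ... parsed' message in a suricata.log, oldest first."""
    events = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        pm = PASSLIST_MSG.search(m.group("msg"))
        if not pm:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append((ts, pm.group("path"), int(pm.group("count"))))
    return events


def parse_passlist(text):
    """Parse the pfSense-generated passlist file: one address or CIDR per line."""
    return [ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def check_passlist_load(log_text, passlist_text):
    """Compare the count alert-pf logged with the entries in the passlist file.

    'empty' is the failing case from the thread (LAN hosts will be blocked);
    'mismatch' means the file on disk is not what this instance loaded."""
    expected = len(parse_passlist(passlist_text))
    events = passlist_load_events(log_text)
    if not events:
        return {"status": "no-parse-message", "loaded": None,
                "expected": expected, "path": None, "at": None}
    ts, path, loaded = events[-1]          # most recent startup wins
    if loaded == 0:
        status = "empty"
    elif loaded != expected:
        status = "mismatch"
    else:
        status = "ok"
    return {"status": status, "loaded": loaded, "expected": expected,
            "path": path, "at": ts.isoformat()}


# Log lines copied from the thread: the failing run and the good run.
SAMPLE_LOG_EMPTY = ("30/9/2021 -- 10:36:16 - <Info> -- alert-pf -> Pass List "
                    "/usr/local/etc/suricata/suricata_13894_ix0/passlist parsed: 0 IP addresses loaded.")
SAMPLE_LOG_OK = ("30/9/2021 -- 14:45:47 - <Info> -- alert-pf -> Pass List "
                 "/usr/local/etc/suricata/suricata_57062_ix0/passlist parsed: 16 IP addresses loaded.")

# The passlist posted in the thread. WANIP/32 replaced by 203.0.113.5/32 (constructed).
SAMPLE_PASSLIST = """\
10.10.10.1/32
10.10.20.0/24
10.10.20.254/32
10.39.156.0/25
203.0.113.5/32
127.0.0.1/32
172.168.69.0/24
192.168.1.0/24
192.168.57.0/24
192.168.70.0/24
192.168.100.0/24
195.43.166.12/32
::1/128
fe80::92e2:baff:fe4c:c1b4/128
fe80::e9d:92ff:fe5b:cab5/128
fe80::e9d:92ff:fe5b:cab6/128
"""

if __name__ == "__main__":
    for name, log in (("failing run", SAMPLE_LOG_EMPTY), ("good run", SAMPLE_LOG_OK)):
        print(name, check_passlist_load(log, SAMPLE_PASSLIST))
```

On a real box, feed it the log and passlist for the instance in question, for example `/var/log/suricata/suricata_ix0<id>/suricata.log` and `/usr/local/etc/suricata/suricata_<id>_ix0/passlist`, and make sure the path in the log message is the file you are reading, since each interface instance has its own.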

@bmeeks Yes :)
But Suricata still blocks internal IPs on this interface and I really don't know why.
On WAN no problems.

bmeeks @xm4rcell0x:

                          @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

@bmeeks Yes :)
But Suricata still blocks internal IPs on this interface and I really don't know why.
On WAN no problems.

                          Are you running VLANs on that interface? If so, what are all of the VLAN subnets defined on that interface?

                          Also post the content of this file: /usr/local/etc/suricata/suricata_57062_ix0/passlist back here.

xm4rcell0x @bmeeks:

@bmeeks Attachment: passlist
Yes, I have VLANs on this interface:
                            192.168.100.0/24 = ix0.100
                            172.168.69.0/24 = ix0.69
                            192.168.57.0/24 = ix0.57
                            LAN = 10.10.20.0/24

bmeeks @xm4rcell0x:

                              @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

@bmeeks Attachment: passlist
Yes, I have VLANs on this interface:
                              192.168.100.0/24 = ix0.100
                              172.168.69.0/24 = ix0.69
                              192.168.57.0/24 = ix0.57
                              LAN = 10.10.20.0/24

                              One other request I should have included previously, but forgot --

                              Go to the BLOCKS tab and clear all blocks. Remove them all. Then when you experience a new LAN host getting blocked, do this:

                              Go to DIAGNOSTICS > TABLES and choose the snort2c table from the drop-down list. Screen capture the content of that display of IP addresses in that table and post back here.

                              Because you have posted just the logs, and the logs don't appear to be time correlated, it's difficult to make heads or tails of what's happening. The content of the snort2c table will always be the current list of what Suricata is blocking. The blocks log will have historical data, and because of the timestamp issues I don't know which blocks were from the run where Suricata loaded zero IP addresses from the Pass List, and which blocks are from the run where it loaded 16 IP addresses from the list.

                              I would dearly love to find out what is going on as I've had a few users report this behavior over the years. Not a lot, but certainly some. However, I have never in all my testing since I created the Suricata package, been able to duplicate this problem in my test systems. Not once. So if I can't duplicate it, that makes it very hard to troubleshoot, and even harder to actually fix.

xm4rcell0x @bmeeks:
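bmeeks asks for the snort2c table rather than the blocks log because the table is what the firewall is blocking right now, while the log is history with uncertain timestamps. The script below is an added example, not code from the thread or from the pfSense Suricata package; it automates the comparison a practitioner wants at that step. It takes the table contents (on pfSense, `pfctl -t snort2c -T show` prints one address or CIDR per line, indented; that command is standard pf, and the indentation handling here is an assumption about pfctl's output layout), reports every blocked entry that falls inside a passlisted network, and prints the `pfctl -t snort2c -T delete` command that would clear it. The table contents are constructed for the example; the passlist is the one posted in the thread with the redacted WANIP/32 entry replaced by the documentation address 203.0.113.5/32.

```python
import subprocess
from ipaddress import ip_network


def parse_passlist(text):
    """One address or CIDR per line, as in the pfSense-generated passlist file."""
    return [ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def parse_pf_table(text):
    """Parse `pfctl -t <table> -T show` output. pfctl indents each entry with
    spaces; entries may be plain addresses or CIDRs. Returns [(entry, network)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entries.append((line, ip_network(line, strict=False)))
    return entries


def blocked_in_passlist(table_text, passlist_text):
    """Entries in the block table that a correctly loaded passlist would have
    exempted, as {'entry': <table line>, 'covered_by': <passlist network>}."""
    nets = parse_passlist(passlist_text)
    hits = []
    for entry, blocked in parse_pf_table(table_text):
        for net in nets:
            # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first
            if blocked.version == net.version and blocked.subnet_of(net):
                hits.append({"entry": entry, "covered_by": str(net)})
                break
    return hits


def unblock_commands(hits):
    """pfctl commands that remove those entries from the snort2c table
    (the equivalent of clearing them on the BLOCKS tab)."""
    return [f"pfctl -t snort2c -T delete {h['entry']}" for h in hits]


def live_snort2c():
    """Read the current table from a running pfSense box (needs root)."""
    result = subprocess.run(["pfctl", "-t", "snort2c", "-T", "show"],
                            check=True, capture_output=True, text=True)
    return result.stdout


# Constructed table contents: two LAN/VLAN hosts wrongly blocked, two real externals.
SAMPLE_SNORT2C = """\
   10.10.20.50
   194.26.69.105
   192.168.57.20
   2001:db8::10
"""

# The passlist posted in the thread. WANIP/32 replaced by 203.0.113.5/32 (constructed).
SAMPLE_PASSLIST = """\
10.10.10.1/32
10.10.20.0/24
10.10.20.254/32
10.39.156.0/25
203.0.113.5/32
127.0.0.1/32
172.168.69.0/24
192.168.1.0/24
192.168.57.0/24
192.168.70.0/24
192.168.100.0/24
195.43.166.12/32
::1/128
fe80::92e2:baff:fe4c:c1b4/128
fe80::e9d:92ff:fe5b:cab5/128
fe80::e9d:92ff:fe5b:cab6/128
"""

if __name__ == "__main__":
    hits = blocked_in_passlist(SAMPLE_SNORT2C, SAMPLE_PASSLIST)
    for h in hits:
        print(f"{h['entry']} is blocked but lies inside passlisted {h['covered_by']}")
    for cmd in unblock_commands(hits):
        print(cmd)
```

Run it against `live_snort2c()` right after a LAN host gets blocked and before clearing the BLOCKS tab, and keep the output alongside the suricata.log line that says how many passlist entries were loaded, so the two can be correlated.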

@bmeeks
I will do all you want! I really want to help you fix this :) so no problem at all!
Attachments: suricata alerts, snort2c

P.S. I have all the networking offloads disabled except checksum and hardware VLAN tagging on this ix0 interface.

bmeeks @xm4rcell0x:

                                  @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

@bmeeks
I will do all you want! I really want to help you fix this :) so no problem at all!
Attachments: suricata alerts, snort2c

                                  And just to be clear, is this the same running instance where the suricata.log said it had loaded 16 IP addresses from the passlist file?

                                  It's important that Suricata logs that it actually read IP addresses from the passlist file when starting up. You had two posted suricata.log files where one showed zero IP addresses loaded, and the other showed 16 IP addresses loaded. Does the suricata.log file for this interface currently contain a line saying IP addresses were loaded from the file /usr/local/etc/suricata/suricata_57062_ix0/passlist?

xm4rcell0x @bmeeks:

@bmeeks
Yes, I can confirm! The old instance is gone.
Attachment: suricata.log

bmeeks @xm4rcell0x:

                                      @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

@bmeeks
Yes, I can confirm! The old instance is gone.
Attachment: suricata.log

                                      Thanks for the confirmation. I've got an idea, but it will take me a day or so to test it. Still not sure I can reliably reproduce the problem, but I think I see a place in the custom blocking plugin binary code where a section of structure union data could get misinterpreted. I need to figure out a sequence of events and data that reliably trigger the problem to be sure that's really the problem.

xm4rcell0x @bmeeks:

@bmeeks I'll also try to reproduce it on my friend's network in 1 or 2 hours.
I'll put the results here.
Thank you so much :)

xm4rcell0x:

Done! Also on my friend's network Suricata blocks the internal IPs on the LAN interface!
His network topology:
LAN = 10.10.30.0/24 = em0 interface (WAN on igb0)
VLANs are:
192.168.69.0/24 = em0.69
10.10.100.0/24 = em0.100

/usr/local/etc/suricata/suricata_37556_em0/passlist

                                          10.10.10.1/32
                                          10.10.30.0/24
                                          10.10.30.254/32
                                          10.10.100.0/24
                                          WANIP
                                          127.0.0.1/32
                                          192.168.1.0/24
                                          192.168.69.0/24
                                          195.43.166.12/32
                                          ::1/128
                                          fe80::b62e:99ff:fe62:28ea/128
                                          fe80::b62e:99ff:fe62:28eb/128
Attachments: suricata.log.lan, suricata.log.wan

Tomorrow I'll also share the snort2c log when Suricata is triggered, and I'll also post a screenshot from the Alerts page with the exact time.

bmeeks @xm4rcell0x:

                                            @xm4rcell0x said in Suricata is blocking LAN and WAN IPs:

Done! Also on my friend's network Suricata blocks the internal IPs on the LAN interface!
His network topology:
LAN = 10.10.30.0/24 = em0 interface (WAN on igb0)
VLANs are:
192.168.69.0/24 = em0.69
10.10.100.0/24 = em0.100

/usr/local/etc/suricata/suricata_37556_em0/passlist

                                            10.10.10.1/32
                                            10.10.30.0/24
                                            10.10.30.254/32
                                            10.10.100.0/24
                                            WANIP
                                            127.0.0.1/32
                                            192.168.1.0/24
                                            192.168.69.0/24
                                            195.43.166.12/32
                                            ::1/128
                                            fe80::b62e:99ff:fe62:28ea/128
                                            fe80::b62e:99ff:fe62:28eb/128
Attachments: suricata.log.lan, suricata.log.wan

Tomorrow I'll also share the snort2c log when Suricata is triggered, and I'll also post a screenshot from the Alerts page with the exact time.

                                            Thank you for the additional info. I will duplicate this IP setup in my VMware virtual machine and see if I can replicate the problem. I've made a change in my test system that "might" have an impact, but it would be much more reassuring to have a test case that reliably fails, and then works after my patch is applied.

                                            There was a new Suricata package update posted this afternoon. It addresses another issue with VLANs and I don't expect it to fix your problem, but it would not hurt to test it out just to verify.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.