Netgate Discussion Forum

    Suricata 6.0.3_3 pass list missing all single IPs (alias, DNS)

    • S
      SteveITS Galactic Empire @SteveITS
      last edited by SteveITS

      @bmeeks If I change the alias to be type Network(s) and set OurIP/32, it immediately shows under View List. It was type Host(s).

      Edit: pfSense lets me enter the ITS_Office alias there, but doesn't autocomplete it...it is autocompleting only the networks alias. Makes sense, just noting it. Have to enter IP/32 and have two places to change it.

      Edit 2: Note the ITSMailGuard alias was type Network(s), which is consistent with that working.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • S
        SteveITS Galactic Empire @SteveITS
        last edited by SteveITS

        I pulled up routers using 21.05 and 2.5.2 with Suricata 6.0.0_14 which has the Suricata_Trusted_Hosts alias set to Host(s) and working for IPs there.

        • S
          SteveITS Galactic Empire @SteveITS
          last edited by

          I pulled up a 21.05 with Snort 4.1.4_3 and it is OK with IPs.

          • bmeeksB
            bmeeks
            last edited by

            I suspect it is somehow related to the bugfix I linked, but I can't say with absolute certainty. I did not author that particular code fix. It was done by a Netgate staff developer. It's also possible, but not as likely, that something in pfSense 21.05.1 with respect to alias resolution changed.

            • S
              SteveITS Galactic Empire @bmeeks
              last edited by

              @bmeeks said in Suricata pass list missing some IPs:

              possible, but not as likely, that something in pfSense 21.05.1 with respect to alias resolution changed.

              Using just one IP didn’t work so that’s not related to an alias.

              I can try upgrading other Suricata installs maybe tonight or tomorrow night but it should be easy to replicate if someone can:

              • create alias, type Host
              • add one IP to alias
              • apply alias change
                (- assign alias to pass list and restart Suricata)
              • click View List

              • S
                SteveITS Galactic Empire @bmeeks
                last edited by

                @bmeeks I duplicated the behavior this morning on our internal 2.5.2 router simply by upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3. Notably it omits DNS, gateway, etc. ... anything that is configured or detected as an IP and not a /32. Changing aliases one at a time from Host(s) to Network(s) adds each to the pass list.

                https://redmine.pfsense.org/issues/12476

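A way to check for the behavior described in the post above after a package upgrade, as an added example that is not part of the original thread and is not pfSense or Suricata package code: it compares the addresses you expect to be passed (DNS, gateway, Host(s) aliases) against pass list text copied from View List, treating a bare IP and its /32 as the same entry. The one-entry-per-line input format, the function names and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample: pass list text as it might look with only
# network-style (CIDR) entries present. Addresses are documentation ranges.
SAMPLE_PASS_LIST = """\
127.0.0.1/32
198.51.100.0/24
203.0.113.25/32
2001:db8::/64
"""

# Constructed sample: addresses the admin expects to be passed
# (DNS server, gateway, a LAN host, the office IP, an IPv6 host).
SAMPLE_EXPECTED = ["192.0.2.53", "192.0.2.1", "198.51.100.7",
                   "203.0.113.25", "2001:db8::1"]

def parse_pass_list(text):
    """Parse one IP or CIDR per line into ip_network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # tolerate trailing comments
        if entry:
            # A bare IP becomes a /32 (or /128) network; strict=False
            # accepts entries that have host bits set.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def audit_pass_list(expected, pass_list_text):
    """Label each expected address 'exact', 'covered' or 'missing'."""
    nets = parse_pass_list(pass_list_text)
    result = {}
    for item in expected:
        want = ipaddress.ip_network(item, strict=False)
        if want in nets:
            result[item] = "exact"      # listed as IP or as IP/32
        elif any(n.version == want.version and want.subnet_of(n) for n in nets):
            result[item] = "covered"    # inside a broader listed network
        else:
            result[item] = "missing"    # would not be passed
    return result

def missing_hosts(expected, pass_list_text):
    """Return the expected addresses that the pass list does not cover."""
    audit = audit_pass_list(expected, pass_list_text)
    return [ip for ip in expected if audit[ip] == "missing"]

if __name__ == "__main__":
    for ip, status in audit_pass_list(SAMPLE_EXPECTED, SAMPLE_PASS_LIST).items():
        print(f"{ip:20} {status}")
```

Any address reported as missing is one Suricata could still block despite the pass list, so it is worth re-running after each package update.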
                • bmeeksB
                  bmeeks @SteveITS
                  last edited by

                  @steveits said in Suricata pass list missing some IPs:

                  @bmeeks I duplicated the behavior this morning on our internal 2.5.2 router simply by upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3. Notably it omits DNS, gateway, etc. ... anything that is configured or detected as an IP and not a /32. Changing aliases one at a time from Host(s) to Network(s) adds each to the pass list.

                  https://redmine.pfsense.org/issues/12476

                  I will take a look at this. I'm still guessing it is an unintended consequence of fixing an earlier bug where some aliases resulted in an empty array() variable getting written to the HOME_NET variable.

                  • bmeeksB
                    bmeeks
                    last edited by

                    The Netgate developer team beat me to fixing this bug. A pull request to address this problem has been posted here: https://github.com/pfsense/FreeBSD-ports/pull/1117. Look for the fix to get merged into the production package in the near future.

                    In the meantime, if you can read and understand GitHub diff files, you can make the simple edit yourself on your firewalls.

                    • S
                      SteveITS Galactic Empire @bmeeks
                      last edited by SteveITS

                      Thank you both. Seems good to me, changed the aliases back and the list looks like my original.

                      • bmeeksB
                        bmeeks
                        last edited by

                        Great! The change should make it into a formal package update soon.

                        Thanks to @viktor_g for the quick fix. He knew right where to look. It would have taken me a bit longer to dig around in the function code and find the issue.
