Netgate Discussion Forum

    Suricata doesn't see the traffic

    • aSmirnov

      Hi! I'm trying to configure Suricata in pfSense as an IDS for traffic routed via RSPAN. I launched Suricata, but the alerts contain only the event "SURICATA STREAM SHUTDOWN RST invalid ack" and nothing else; it feels like it doesn't see anything at all. Through Packet Capture I see packets like "20:10:28.337801 IP ________ > 10.7.28.190: GREv0, length 377: gre-proto-0x88be". Please tell me whether Suricata on pfSense supports RSPAN? Maybe I configured it incorrectly; tell me how to configure Suricata on pfSense in IDS mode to monitor SPAN traffic?!

      • aSmirnov

        I made a mistake in the original post: ERSPAN is used. I read the post https://redmine.pfsense.org/issues/7029, but it's been 4 years. Maybe an option has appeared since then?

        • bmeeks

          As best I can understand the current Suricata upstream docs, ERSPAN Type I and Type II are decoded by default in Suricata 6.x. The current pfSense version is 6.0.3, so it should be working. There is no longer a need to explicitly enable ERSPAN in the suricata.yaml configuration for the instance.

          • aSmirnov @bmeeks

            I completely agree with you; I also found an indication in the Suricata documentation that it decodes ERSPAN itself, but it doesn't work :(?!
            I just noticed that I left HOME_NET at the default! Tell me how I can add the external networks that need to be protected to it?

            • bmeeks

              To customize HOME_NET, you need to create a custom Pass List. While the naming is admittedly a bit confusing, a Pass List is simply a text file containing IP addresses and/or networks. Those addresses can then be used for any of the following things:

              1. a Pass List;
              2. the source for populating HOME_NET;
              3. the source for populating EXTERNAL_NET;

              So in your case, create a Pass List on the PASS LIST tab and name it something with maybe "Home_Net" somewhere in the title so it is obvious to you later what the list is really for. To add customized networks or addresses, you need to first create a firewall alias containing those IP addresses and networks. You don't have to use the alias in any firewall rules. It is simply a placeholder for Suricata to reference.

              Next, at the bottom of the page when creating a Pass List is the Address field. Type the name of the alias you created in the step above. This will add those IP addresses and/or networks to the list. Save the new list.

              Now go to the INTERFACE SETTINGS tab for the interface and scroll down to the HOME_NET drop-down selector. In the drop-down, choose the list you just created. Save the change and then restart Suricata on the interface.

              • aSmirnov @bmeeks

                It seems to work, but for some reason it does not work according to the rule: alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1000002; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;). The feeling that the packages are not checked

                • bmeeks @aSmirnov

                  @asmirnov said in Suricata doesn't see the traffic:

                  It seems to work, but for some reason it does not work according to the rule: alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1000002; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;). The feeling that the packages are not checked

                  I don't understand what you mean by "The feeling that the packages are not checked".

                  Did you mean to say "packets" instead of "packages"? Those two words are not the same thing in my mind on pfSense. Packets are network data traversing the interfaces, while Packages are third-party tools such as Suricata, pfBlockerNG, etc., installed on pfSense to perform additional tasks.

                  ERSPAN is not a common thing that most folks worry about detecting, so you may be somewhat on your own here with solving your issue. I certainly have never endeavored to capture and analyze that kind of traffic.

                  • aSmirnov @bmeeks

                    Sorry, I meant packets. The goal is to understand whether Suricata recognizes the contents of packets; maybe I configured something wrong and it does not check them.

                    • bmeeks @aSmirnov

                      @asmirnov said in Suricata doesn't see the traffic:

                      Sorry, I meant packets. The goal is to understand whether Suricata recognizes the contents of packets; maybe I configured something wrong and it does not check them.

                      I found this link describing where ERSPAN stats are captured by Suricata: https://forum.suricata.io/t/erspan-type-ii-decpasulation-processing/242. You could try enabling the stats.log feature (on the INTERFACE SETTINGS tab) to see what Suricata is seeing and logging with respect to ERSPAN.

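One way to read the stats.log counters bmeeks mentions and turn them into a diagnosis, as an added example that is not code from this thread or from the Suricata/pfSense packages: it parses the most recent block of a Suricata 6 style stats.log and compares decoder.pkts, decoder.gre and decoder.erspan to tell "nothing captured" from "GRE seen but ERSPAN not decoded". The log block is constructed, and the interpretation of each counter combination is an assumption.

```python
import re

# Constructed sample of a Suricata 6 style stats.log block (not a real capture).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 1/1/2025 -- 20:10:28 (uptime: 0d, 00h 05m 12s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 4200
decoder.pkts                               | Total                     | 4200
decoder.gre                                | Total                     | 4180
decoder.erspan                             | Total                     | 0
decoder.tcp                                | Total                     | 12
detect.alert                               | Total                     | 0
"""

# counter name | thread name | integer value
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_last_block(text):
    """Return {counter: value} for the most recent stats block (aggregated 'Total' row)."""
    last_block = text.split("Date: ")[-1]
    counters = {}
    for line in last_block.splitlines():
        m = COUNTER_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def diagnose(counters):
    """Assumed interpretation of the decoder counters for an ERSPAN mirror feed."""
    pkts = counters.get("decoder.pkts", 0)
    gre = counters.get("decoder.gre", 0)
    erspan = counters.get("decoder.erspan", 0)
    if pkts == 0:
        return "no packets reach Suricata: check the capture interface"
    if gre > 0 and erspan == 0:
        return "GRE seen but ERSPAN not decoded: inner frames are never inspected"
    if erspan > 0 and counters.get("decoder.tcp", 0) == 0:
        return "ERSPAN decoded but no inner TCP: the mirror session may be empty"
    return "ERSPAN decoded and inner traffic inspected"


if __name__ == "__main__":
    print(diagnose(parse_last_block(SAMPLE_STATS_LOG)))
```

Point the script at the real file (/var/log/suricata/<interface>/stats.log on pfSense) once stats.log is enabled on the INTERFACE SETTINGS tab.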
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.