Losing IPCamLive Stream
-
Hi All,
Forgive me if this is not in the correct location. I didn't know where to put it. First off, I know just enough to make myself dangerous. With Google, I can get through a lot of stuff, but for the last two weeks, I have had a problem and don't know where to look. I think it is the service sending me the stream, but I don't know how to confirm, and frankly, it could be some other service I run.
For the last year and some, I have streamed a camera to a service called IPCamLive. It has worked flawlessly.
In the last two weeks, the camera stream has started to go down and not connect. I haven't changed anything on my side, though I regularly update the Linux webserver. At first, I assumed their service was trying to communicate from another server that wasn't on my firewall. So I opened a ticket with them, and they said it only comes from that service. So I checked my logs (Suricata, Pi-hole, and pfSense logs), and I am not seeing the IP they stream being blocked in any records. Internally, I can see the camera; it shows my video on my BlueIris server, and everything looks good. All the other portions of the webpage come through; it still reports the correct weather, changes made to the HTML get updated, and everything looks fine.
My one concern is that when I reboot my pfSense firewall, the camera starts working again.
Where can I look to see if I can pin down where it is failing? I even asked them to send me the IPs of all their servers, and I created an alias and put all their IPs in it and set it for the rule instead of the one IP we had it locked down to, but the problem continues. I am beginning to think it is something on my network, but I don't know how to pin it down; I was hoping I could get some pointers on troubleshooting this issue.
Thanks
-
-
@overcon Check the Firewall logs to see if it is being blocked, if it is not, then run a packet capture and see if it is even getting to you... if you aren't seeing any traffic from their IP range or on the local port you expect it to come in on then verify your information on their end is right.
It's possible, if you are using a common port on a residential ISP you might be getting blocked by the ISP and should change ports for the inbound side.
-
@rcoleman-netgate When it initially started, I checked the logs to see if it was blocking the IP their feed was coming from, but I didn't see the IP listed in the logs.
I just checked the log and found this:
Jul 20 05:02:54 WAN Block snort2c hosts (1000000109) 74.63.x.x:55684 172.16.1.33:554 TCP:SEC
Jul 20 05:02:56 WAN Block snort2c hosts (1000000109) 74.63.x.x:55689 172.16.1.33:554 TCP:SEC
These look like blocks (I removed a few octets from the source IP), but I don't run snort. I do run Suricata, but I do not see blocks in Suricata, and I whitelisted the source IP just to be extra sure it was allowed. At least I think I whitelisted it correctly.
In the Suricata logs, under block I do see this:
74.63.x.x
SURICATA HTTP Unexpected Request body - 07/19/2022-21:47:58
SURICATA HTTP unable to match response to request - 07/13/2022-19:41:02
It looks like Suricata isn't honoring the IP PASS list that I put the IP in, or something else is happening.
-
Is there a way to turn off the rule or exclude this address from Suricata?
-
@overcon said in Losing IPCamLive Stream:
Is there a way to turn off the rule or exclude this address from Suricata?
Sure, on the ALERTS tab in Suricata find the alerting rule in question (match the SID under the SID column). Click the red X in the GID:SID column to disable that rule and remove it from the active rules list.
Also, did you manually add the IP getting blocked to a Pass List? If so, did you then do these two additional steps?
- Go to the INTERFACE SETTINGS tab for the appropriate interface and choose the newly created Pass List in the Pass List drop-down selector and save the change.
- Return to the INTERFACES tab and restart Suricata on the interface where you changed the assigned Pass List.
-
@bmeeks said in Losing IPCamLive Stream:
@overcon said in Losing IPCamLive Stream:
Is there a way to turn off the rule or exclude this address from Suricata?
Sure, on the ALERTS tab in Suricata find the alerting rule in question (match the SID under the SID column). Click the red X in the GID:SID column to disable that rule and remove it from the active rules list.
Also, did you manually add the IP getting blocked to a Pass List? If so, did you then do these two additional steps?
- Go to the INTERFACE SETTINGS tab for the appropriate interface and choose the newly created Pass List in the Pass List drop-down selector and save the change.
- Return to the INTERFACES tab and restart Suricata on the interface where you changed the assigned Pass List.
I didn't do that, THANK YOU! I didn't even know you had to apply the pass list like that, so thank you so much. I just applied it, let's see if it makes a difference, I think it will.
Thanks again!
-
@overcon said in Losing IPCamLive Stream:
I didn't do that, THANK YOU! I didn't even know you had to apply the pass list like that, so thank you so much. I just applied it, let's see if it makes a difference, I think it will.
Thanks again!
The GUI is simply used to create the required text-based configuration files used by the Suricata binary. All of the actual traffic inspection, alerting, and blocking happens in the binary. The binary only reads its configuration files upon startup. So that means most configuration changes are not seen by the binary until it is restarted.
Also, in the case of custom pass lists, they must be explicitly assigned to the desired interface before they actually function. You can create an unlimited selection of pass lists, but you can only assign one at a time to an interface.
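A way to check whether an assigned pass list has taken effect, as an added example that is not part of the original thread: the script below parses firewall log lines in the format quoted earlier and reports any source that is on the intended pass list yet is still being dropped by the `snort2c hosts` rule, the rule fed by the IDS block table. The sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format quoted in the thread; source addresses
# are documentation-range placeholders, not the poster's values.
SAMPLE_LOG = """\
Jul 20 05:02:54 WAN Block snort2c hosts (1000000109) 203.0.113.20:55684 172.16.1.33:554 TCP:SEC
Jul 20 05:02:56 WAN Block snort2c hosts (1000000109) 203.0.113.20:55689 172.16.1.33:554 TCP:SEC
Jul 20 05:03:10 WAN Block snort2c hosts (1000000109) 198.51.100.7:40112 172.16.1.33:443 TCP:S
Jul 20 05:03:12 WAN Default deny rule IPv4 (1000000103) 198.51.100.9:40113 172.16.1.33:23 TCP:S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<iface>\S+)\s+(?P<action>Block|Pass)\s+"
    r"(?P<rule>.+?)\s+\((?P<rule_id>\d+)\)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ids_blocks_on_pass_list(log_text, pass_list, table_rule="snort2c hosts"):
    """Count blocks by the IDS table rule whose source is on the pass list.

    pass_list holds IPs or CIDR networks as strings. A non-empty result means
    the pass list is not active on the interface (not assigned, or the IDS was
    not restarted), or the address was blocked before the list took effect.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in pass_list]
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "Block" or rec["rule"] != table_rule:
            continue  # ordinary firewall-rule blocks are a different problem
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in nets):
            key = (rec["src"], int(rec["dport"]))
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (src, dport), n in ids_blocks_on_pass_list(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(f"{src} is pass-listed but was blocked {n}x on port {dport}")
```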