Netgate Discussion Forum

    Suricata not monitoring VIP

    Category: IDS/IPS
    10 Posts 4 Posters 2.4k Views
    • SteveITS Galactic Empire

      When experimenting with Suricata (2.1.5 on pfSense 2.2.3), I found that it does not include firewall VIP addresses.  When I view the "default" Home Net list I see:

      10.15.55.1/32 (WAN gateway)
      10.15.55.42/32 (WAN IP)
      10.99.99.0/24 (LAN subnet)
      127.0.0.1/32
      ::1/128
      fe80::204:5aff:fe62:1a38/128
      fe80::250:70ff:fef5:21f2/128

      10.15.55.43/32, a WAN interface VIP that NATs inside to the LAN, is missing from the list, and is generating no alerts.  I can create a pass list to add it, but I didn't think this would be intentional behavior, especially since it's picking up others like the IPv6 addresses when this router doesn't have IPv6 enabled.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • bmeeks

        Thanks for the report.  I will look into this problem.  It likely affects the Snort package as well since they share identical code in the PASS LIST area.

        Bill

        • SteveITS Galactic Empire

          No problem.  One minor oddity is that if I add 10.15.55.43/32 to the pass list firewall alias, it shows in the popup as "10.15.55.43" with no /32 mask.  Probably doesn't matter but it is different.

          • bmeeks

            @teamits:

            No problem.  One minor oddity is that if I add 10.15.55.43/32 to the pass list firewall alias, it shows in the popup as "10.15.55.43" with no /32 mask.  Probably doesn't matter but it is different.

            The list you see in the popup is generated on-the-fly by calling some PHP code.  So I will look at that code to see why the mask length is missing.  It really should not matter, though.  Suricata and Snort are generally smart enough to figure it out.

            Bill

            • bmeeks

              @teamits:

              When experimenting with Suricata (2.1.5 on pfSense 2.2.3), I found that it does not include firewall VIP addresses.  When I view the "default" Home Net list I see:

              10.15.55.1/32 (WAN gateway)
              10.15.55.42/32 (WAN IP)
              10.99.99.0/24 (LAN subnet)
              127.0.0.1/32
              ::1/128
              fe80::204:5aff:fe62:1a38/128
              fe80::250:70ff:fef5:21f2/128

              10.15.55.43/32, a WAN interface VIP that NATs inside to the LAN, is missing from the list, and is generating no alerts.  I can create a pass list to add it, but I didn't think this would be intentional behavior, especially since it's picking up others like the IPv6 addresses when this router doesn't have IPv6 enabled.

              Can you post some details about how you configured the VIP that is not showing up?  A screenshot of the page showing its configuration would be helpful, or else tell me which TYPE of virtual IP you chose.  I tried to duplicate the bug and was unable.  Suricata on my test virtual machine is seeing the Virtual IP I created and including it in the HOME_NET and PASS LIST views.  I used the TYPE of "IP Alias".

              Bill

              • SteveITS Galactic Empire

                Sorry for not clarifying.  We have a Proxy ARP VIP: WAN interface, single address of 10.15.55.43.

                NAT outbound is using "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" with:
                interface: WAN
                source: (LAN IP)
                port/destination/dest. port: *
                NAT address: 10.15.55.43 (the WAN IP)

                We then have port forwards inward from 10.15.55.43 to the LAN IP.

                • BBcan177 Moderator

                  I have one installation with Snort where I use a VIP for WAN2.

                  This VIP traffic is picked up by Snort using my WAN interface, so I don't think you need to monitor the VIP individually.

                  If you run 'ifconfig' you will see the VIP details in one of your real interfaces' configuration, and that is the interface you will need to monitor with the IDS/IPS.

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  • SteveITS Galactic Empire

                    We started getting alerts for the .43 address when I added it to the home net.

                    ifconfig does not show the .43 address.

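Steve's observation that ifconfig does not list the .43 address is the core of the problem: a HOME_NET built from interface addresses can never contain a Proxy ARP VIP, because pfSense answers ARP for it without assigning it to an interface. The script below is an added example, not code from this thread or from the Suricata/Snort packages; it compares what ifconfig shows against the VIPs defined in config.xml and reports any VIP that no interface covers, so an admin knows what to add to HOME_NET by hand. It assumes the config.xml element names mode, subnet and subnet_bits, and both inputs are constructed samples built from the addresses in the thread.

```python
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_interface, ip_network

# Constructed sample ifconfig output (hypothetical host, addresses from the thread).
IFCONFIG_SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::204:5aff:fe62:1a38%em0 prefixlen 64 scopeid 0x1
\tinet 10.15.55.42 netmask 0xffffff00 broadcast 10.15.55.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.99.99.1 netmask 0xffffff00 broadcast 10.99.99.255
"""

# Constructed config.xml fragment: one Proxy ARP VIP on WAN, as in the thread.
CONFIG_SAMPLE = """\
<pfsense><virtualip>
  <vip><mode>proxyarp</mode><interface>wan</interface><type>single</type>
       <subnet>10.15.55.43</subnet><subnet_bits>32</subnet_bits></vip>
</virtualip></pfsense>
"""

# Matches only IPv4 "inet" lines; "inet6" lines do not match because of the space.
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})", re.M)

def interface_addresses(ifconfig_text):
    """IPv4 addresses (with prefix length) that ifconfig actually shows."""
    out = []
    for addr, mask in INET_RE.findall(ifconfig_text):
        bits = bin(int(mask, 16)).count("1")   # hex netmask -> prefix length
        out.append(ip_interface(f"{addr}/{bits}"))
    return out

def config_vips(config_xml):
    """(mode, network) for every VIP defined under <virtualip> in config.xml."""
    root = ET.fromstring(config_xml)
    vips = []
    for vip in root.findall("./virtualip/vip"):
        net = ip_network(f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}", strict=False)
        vips.append((vip.findtext("mode"), net))
    return vips

def missing_from_interfaces(ifconfig_text, config_xml):
    """VIPs that no interface address falls inside.  An IP Alias VIP shows up
    in ifconfig and is therefore not flagged; a Proxy ARP VIP is."""
    have = interface_addresses(ifconfig_text)
    missing = []
    for mode, net in config_vips(config_xml):
        if not any(a.ip in net for a in have):
            missing.append((mode, str(net)))
    return missing
```

Anything reported by missing_from_interfaces is a candidate for the HOME_NET or pass list alias, which is exactly the manual workaround Steve applied.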
                      • bmeeks

                      @teamits:

                      Sorry for not clarifying.  We have a Proxy ARP VIP: WAN interface, single address of 10.15.55.43.

                      NAT outbound is using "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" with:
                      interface: WAN
                      source: (LAN IP)
                      port/destination/dest. port: *
                      NAT address: 10.15.55.43 (the WAN IP)

                      We then have port forwards inward from 10.15.55.43 to the LAN IP.

                      Thanks for the extra details.  I will see about testing using a Proxy ARP virtual IP.  Might be something different in the way pfSense is reporting it via the system call used by the Suricata and Snort packages.

                      UPDATE: I was able to reproduce the issue.  It is specific to Proxy ARP virtual IPs.  I'm working on a fix and will incorporate it into the upcoming Suricata GUI package update.  The same issue exists in the Snort package, and I will fix it after the Suricata fix is posted.

                      Bill

                        • killmasta93

                        Don't want to dig this up again, but I have posted a few times about VIPs for Snort or Suricata.  Have not heard any updates since, but would it be possible to only monitor the VIP?

                        Thank you

                        Tutorials:

                        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.