Netgate Discussion Forum

    Correcting "FREAK Weak Export Suite From Client" Alerts

    IDS/IPS
    6 Posts 2 Posters 1.5k Views
    abujammy

      Hey all, I think I only have two more issues and only one for this sub-forum.  I really appreciate all the help so far. :)

      The majority of the alerts I'm getting from Suricata now are "FREAK Weak Export Suite From Client".  Since I'm assuming that I'm the client, is that something that needs to be corrected on the pfSense box?  And if so, would that just be upgrading OpenSSL?

    bmeeks

        What IP addresses are associated with the alerts, and are you running Suricata on the WAN or LAN?  If on the WAN and using NAT, then the only "local" IP shown will be the firewall's WAN IP.  This is because Suricata (and Snort) see inbound traffic before the NAT rules, thus the "LAN-side" IP appears as the firewall's WAN address.  If you run the IDS on the LAN, then all the local IPs will be "correct" in that you will see them in the alerts pre-NAT.

        So taking into account the info above, is one of the IP addresses displaying on the ALERTS tab for the alerts in question actually your firewall or a LAN client?

        Bill

    abujammy

          @bmeeks I currently have it running on the WAN.  I have to say that how all of these interfaces "sit" is still a point of confusion for me.  I pretty much get it when there's only one LAN/WAN but then when you throw in a WIFI interface and a VPN, it starts to get confusing as to how it's all setup.  Sorry for the tangent but I just want you to understand where I am in my education.

          In all my flipping back and forth between the firewall logs and Suricata, I never noticed that Suricata alerts never had the LAN IP as the source.  They are always the WAN IP.  So, firstly, are you saying that I should be running Suricata on the LAN/WIFI/VPN interfaces instead of the WAN?  I'm guessing that way I can see where the actual FREAK-vulnerable client lives?

    bmeeks

            Yes, in a NAT situation if you run the IDS on the WAN interface, all the local IPs will just show up as the WAN IP before the NAT happens.  If you run the IDS on the LAN, then the local IPs will be correct because the IDS is seeing them pre-NAT (outbound) and post-NAT (inbound).

            Because of this, many users will run the IDS on the LAN (and any other local interfaces) instead of WAN.  In most situations this does not impact overall protection.  This is what I do on my personal firewall.  I run Snort on the LAN and my DMZ interfaces.  Just for testing purposes I run a tiny handful of IPREP type rules on the WAN.

            Bill

    abujammy
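The NAT effect described in the two replies above, worked through on log data. This is an added example, not code from the thread or from the Suricata or pfSense projects. It relies on Suricata's EVE JSON output format (event_type "alert", src_ip, dest_ip, in_iface, alert.signature), which is real, but the firewall WAN address, the interface names and every log record below are constructed for illustration. The first two records are the same TLS handshake as Suricata would report it on the WAN interface (the client collapses to the firewall's WAN IP) and on the LAN interface (the real client address is visible), so running the attribution over both shows why the WAN-side alert cannot be tied to a host:

```python
"""Attribute Suricata "FREAK Weak Export Suite From Client" alerts to the
local host that actually sent the weak TLS ClientHello.

Added example (not from the forum thread, Suricata or pfSense).  Assumes
Suricata's EVE JSON alert fields; all addresses, interfaces and records
below are constructed sample data.
"""
import json
from collections import Counter

WAN_IP = "203.0.113.10"   # assumed firewall WAN address (documentation range)
FREAK_SIG = "FREAK Weak Export Suite From Client"   # substring of the ET rule name

# Constructed EVE records.  Record 1 is a handshake seen on the WAN (igb0):
# outbound traffic is seen after NAT, so the client appears as WAN_IP.
# Record 2 is the same handshake seen on the LAN (igb1), pre-NAT, with the
# real client.  Records 3-4 are further LAN/WiFi hits; record 5 is a
# non-alert event that must be ignored.
SAMPLE_EVE = """\
{"timestamp":"2025-01-10T09:12:01.000000+0000","event_type":"alert","in_iface":"igb0","src_ip":"203.0.113.10","src_port":51234,"dest_ip":"198.51.100.25","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY FREAK Weak Export Suite From Client","severity":2}}
{"timestamp":"2025-01-10T09:12:01.000000+0000","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.37","src_port":51234,"dest_ip":"198.51.100.25","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY FREAK Weak Export Suite From Client","severity":2}}
{"timestamp":"2025-01-10T09:15:44.000000+0000","event_type":"alert","in_iface":"igb1","src_ip":"192.168.1.37","src_port":51300,"dest_ip":"198.51.100.80","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY FREAK Weak Export Suite From Client","severity":2}}
{"timestamp":"2025-01-10T09:16:02.000000+0000","event_type":"alert","in_iface":"igb2","src_ip":"192.168.2.8","src_port":40022,"dest_ip":"198.51.100.25","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY FREAK Weak Export Suite From Client","severity":2}}
{"timestamp":"2025-01-10T09:17:30.000000+0000","event_type":"flow","in_iface":"igb1","src_ip":"192.168.1.5","dest_ip":"198.51.100.9","proto":"TCP"}
"""


def parse_eve(text):
    """Yield only the alert events from newline-delimited EVE JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            yield event


def local_side(event, wan_ip):
    """Return the local client address behind a "From Client" alert.

    For a "From Client" rule the client is the flow initiator, i.e. src_ip.
    If src_ip equals the firewall's WAN address the sensor saw the flow on
    the WAN side (post-NAT), so the real client is hidden: return None.
    """
    src = event["src_ip"]
    return None if src == wan_ip else src


def attribute_freak_alerts(text, wan_ip=WAN_IP):
    """Count FREAK client alerts per real local host.

    Returns (hosts, masked): hosts maps client IP -> alert count, masked is
    the number of alerts that could not be attributed because they were
    captured on the WAN interface and only show the firewall's own address.
    """
    hosts = Counter()
    masked = 0
    for event in parse_eve(text):
        signature = event.get("alert", {}).get("signature", "")
        if FREAK_SIG not in signature:
            continue
        client = local_side(event, wan_ip)
        if client is None:
            masked += 1
        else:
            hosts[client] += 1
    return dict(hosts), masked


if __name__ == "__main__":
    hosts, masked = attribute_freak_alerts(SAMPLE_EVE)
    for ip, count in sorted(hosts.items()):
        print(f"{ip}: {count} FREAK client alert(s) - fix the TLS client on this host")
    print(f"{masked} alert(s) seen on the WAN only show {WAN_IP}; "
          "run the IDS on the LAN-side interfaces to see the real client")
```

On a real box the input would be the eve.json written by the Suricata instance on each interface; the point the example makes is that the WAN-side record is structurally unattributable, which is why moving the IDS to the LAN, WiFi and VPN interfaces (as the reply recommends) resolves the question of which client needs fixing.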

              @bmeeks thank you again.  I'm going to give this a shot and report back. :)

    abujammy

                @bmeeks this is working great and I can see now where the vulnerable client is.  Thank you.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.