Suricata Deleting Blocklists on Reboot??
-
For some reason when I reboot my box, Suricata always deletes my hard earned block lists. Is there a reason for this? I'd assume so, but I'd prefer that it restore my block lists.
I can obviously download the list and then import it into an alias list, but at that point I lose the "only keep this IP for 7 days" or whatever that Suricata provides.
Am I missing an option somewhere?
Thanks in advance!
-
There's no way to track things like "only keep this IP for 7 days" across reboots. The pf table info is lost. It's not like IDS is even doing any job here after adding IP to the table. The rest is
/usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire <block_interval></block_interval>
being run from cron every 5 minutes.
-
@doktornotor is right on target. Once the IDS detects what it thinks is nefarious traffic, it simply sends the IP address of the offender to the pfSense firewall and says "block this IP". The IDS does this by adding the IP to an alias table called <snort2c>in the packet filter. At that point the IDS no longer has any responsibility for the IP. It is in the hands of the firewall's packet filter. When the firewall is rebooted, all alias tables are recreated empty of IP addresses. This means anything the IDS formerly inserted is lost.
This is not really a huge problem because if the offender comes along again, the IDS will detect it and insert the offender's IP back into the <snort2c>table.
As @doktornotor pointed out, there is a cron job that runs on a 5-minute interval to clear out the block table. It "expires" blocks that are older than the interval selected by the user. However, even the "NEVER" interval is ignored when the firewall is rebooted. This is because the underlying table holding the blocked IPs is lost and then recreated.
Bill</snort2c></snort2c>
-
Just a note - i've been contemplating - how about having some earlyshutdowncmd hook somewhere, to save similar volatile info like the tables, and restore it after reboot (e.g. using (early)shellcmd, that packages can hook into. Would be useful for other packages as well (pfBNG), definitely even more useful on nano where /var if flushed as well.
Hmmm… who volunteers to write the code? :P
-
Awesome! Thank guys, that helps me understand a lot!
@doktornotor yeah, I think it'd be nice upon reboot to maybe save the blocklist in
/usr/pbi/suricata-amd64/local/etc/suricata/blocklists
or something with a timestamp. Then if you wanted to keep them it'd be as easy as creating a Alias URL table to point to that file.