Netgate Discussion Forum

Suricata Constantly Blocking CrashPlan

Category: IDS/IPS
6 Posts, 3 Posters, 3.8k Views
    FlashPan
    last edited by Mar 17, 2017, 10:32 AM

    Hello all,

    Hope you can advise me on how to resolve this issue?

    Been running CrashPlan for over a year now for my offsite backup.  All has been relatively ok, but over the last few weeks Suricata has taken quite a disliking to CrashPlan connecting into my LAN or the CrashPlan app communicating out.

    Rightly or wrongly, I have been using the suppression list to get around issues like this.  Where suppression fails me here is that CrashPlan uses an unknown but large number of external IP addresses to connect with.  The app itself uses ports 4242 and 443 from what I can see.  So I am constantly playing catch-up in adding more IPs to the suppression list.  I now consider this the wrong way to go?

    What I am not clear on now, though, is how to stop Suricata from blocking connections coming in or out without opening up any further holes?

    Below are some snippets from Suricata logs.  I tried to keep it small but wanted to hopefully give a good spectrum of data.

    I'd be really grateful for help/advice here please, as I keep having to get up in the middle of the night to unblock and I'm already not much of a morning person as it is  :P

    Thanks and cheers in advance

    Suppression:

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.3

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.55

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.11

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.4

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.48

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.8

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.51

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.7

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.48

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.3

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.8

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.4

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.52

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.52

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.55

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.11

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.47

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.51

    #SURICATA TLS error message encountered
    suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.47

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_dst, ip 216.17.8.3

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_dst, ip 216.17.8.55

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_dst, ip 216.17.8.4

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_dst, ip 216.17.8.7

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_src, ip 216.17.8.4

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_src, ip 216.17.8.3

    #SURICATA TLS invalid record/traffic
    suppress gen_id 1, sig_id 2230010, track by_src, ip 216.17.8.55

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_dst, ip 216.17.8.3

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_dst, ip 216.17.8.55

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_dst, ip 216.17.8.7

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_src, ip 216.17.8.4

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_src, ip 216.17.8.3

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_src, ip 216.17.8.55

    #SURICATA TLS invalid record version
    suppress gen_id 1, sig_id 2230015, track by_dst, ip 216.17.8.4

    WAN Alerts:

    03/16/2017-01:19:02.205793  [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.5:23978 -> 216.17.8.52:443
    03/16/2017-01:19:02.205793  [] [1:2230015:1] SURICATA TLS invalid record version [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.5:23978 -> 216.17.8.52:443
    03/16/2017-01:19:02.237723  [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.52:443 -> 192.168.0.5:23978
    03/16/2017-01:19:02.237723  [] [1:2230015:1] SURICATA TLS invalid record version [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.52:443 -> 192.168.0.5:23978
    03/16/2017-08:51:55.016449  [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443 -> 192.168.0.5:26383
    03/16/2017-08:51:55.016449  [] [1:2230015:1] SURICATA TLS invalid record version [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443 -> 192.168.0.5:26383
    03/17/2017-01:18:55.804511  [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443 -> 192.168.0.5:56469
    03/17/2017-01:18:55.804511  [] [1:2230015:1] SURICATA TLS invalid record version [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443 -> 192.168.0.5:56469
    03/17/2017-02:18:50.018256  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.7:443 -> 192.168.0.5:62537
    03/17/2017-08:40:14.849100  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.5:22090 -> 216.17.8.47:443
    03/17/2017-08:40:14.893494  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 162.222.43.6:443 -> 192.168.0.5:57301
    03/17/2017-08:40:14.994476  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.47:443 -> 192.168.0.5:22090
    03/17/2017-08:40:31.118310  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.51:443 -> 192.168.0.5:43761
    03/17/2017-08:51:43.006017  [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.55:443 -> 192.168.0.5:10172
    03/17/2017-08:51:43.006017  [] [1:2230015:1] SURICATA TLS invalid record version [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.55:443 -> 192.168.0.5:10172

    WAN Block:

    03/14/2017-01:18:36.076546  [Block Dst] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.51:443
    03/14/2017-17:16:07.206589  [Block Dst] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.52:443
    03/14/2017-17:48:10.985595  [Block Dst] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443
    03/14/2017-17:56:39.663824  [Block Dst] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.11:443
    03/14/2017-17:58:26.031379  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443
    03/14/2017-17:58:28.021865  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.55:443
    03/14/2017-17:59:38.675132  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.11:443
    03/14/2017-18:01:56.487209  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.48:443
    03/14/2017-19:03:29.013503  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.4:443
    03/15/2017-18:09:36.952139  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443
    03/15/2017-18:12:20.012655  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.8:443
    03/15/2017-18:12:22.036761  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.51:443
    03/15/2017-18:13:34.629215  [Block Dst] [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.4:443
    03/15/2017-18:13:44.715504  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.48:443
    03/15/2017-18:14:23.796080  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.4:443
    03/15/2017-18:15:47.598091  [Block Dst] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.7:443
    03/15/2017-18:18:25.643242  [Block Src] [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.48:443
    03/16/2017-01:19:02.205793  [Block Dst] [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.52:443
    03/16/2017-08:51:55.016449  [Block Src] [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.3:443

      doktornotor (Banned)
      last edited by Mar 17, 2017, 5:15 PM

      Disable the offending broken rule.

        mind12
        last edited by Mar 17, 2017, 8:27 PM

        Summarize the CrashPlan IPs (216.17.8.0/24) and create two (track src and dst) custom suppress rules.

          FlashPan
          last edited by Mar 18, 2017, 8:39 AM

          Thanks mind12,

          So do you mean to create this?

          #SURICATA TLS error message encountered
          suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.0/24

          #SURICATA TLS invalid record/traffic
          suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.0/24

          Cheers

            mind12
            last edited by Mar 18, 2017, 9:53 AM

            @FlashPan:

            Thanks mind12,

            So do you mean to create this?

            #SURICATA TLS error message encountered
            suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.0/24

            #SURICATA TLS invalid record/traffic
            suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.0/24

            Cheers

            Yes exactly, however there were more sig_ids in your logs.

            #SURICATA TLS error message encountered
            suppress gen_id 1, sig_id 2230009, track by_dst, ip 216.17.8.0/24

            #SURICATA TLS error message encountered
            suppress gen_id 1, sig_id 2230009, track by_src, ip 216.17.8.0/24

            #SURICATA TLS invalid record/traffic
            suppress gen_id 1, sig_id 2230010, track by_dst, ip 216.17.8.0/24

            #SURICATA TLS invalid record/traffic
            suppress gen_id 1, sig_id 2230010, track by_src, ip 216.17.8.0/24

            #SURICATA TLS invalid record version
            suppress gen_id 1, sig_id 2230015, track by_dst, ip 216.17.8.0/24

            #SURICATA TLS invalid record version
            suppress gen_id 1, sig_id 2230015, track by_src, ip 216.17.8.0/24

              FlashPan
              last edited by Mar 18, 2017, 9:59 AM
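Both the per-IP suppression list in the original post and mind12's /24 version above can be derived from the alert lines instead of being typed by hand. The script below is an added example, not code from this thread or from pfSense/Suricata: it parses fast.log alert lines like the ones quoted above, emits one by_src and one by_dst suppress entry per sig_id and remote /24 (the /24 prefix and the 192.168.0.0/24 LAN range are assumptions taken from the quoted logs), and reports which of the old per-IP entries the new CIDR lines make redundant.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in the fast.log layout quoted in the thread (three lines).
SAMPLE_ALERTS = """\
03/16/2017-01:19:02.205793  [] [1:2230010:1] SURICATA TLS invalid record/traffic [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.0.5:23978 -> 216.17.8.52:443
03/17/2017-02:18:50.018256  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 216.17.8.7:443 -> 192.168.0.5:62537
03/17/2017-08:40:14.893494  [] [1:2230009:1] SURICATA TLS error message encountered [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 162.222.43.6:443 -> 192.168.0.5:57301
"""
ALERT_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\] .*?\{\w+\} "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
SUPPRESS_RE = re.compile(r"sig_id (?P<sid>\d+), track (?P<track>by_\w+), ip (?P<ip>\S+)")

def parse_alerts(text):
    """Yield (gid, sid, msg, src_ip, dst_ip) for every fast.log line that parses."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]

def suppress_rules(text, lan_net, prefix=24):
    """One by_src and one by_dst suppress line per (sid, remote /prefix) in the alerts,
    instead of one line per remote IP. LAN addresses are skipped: key on the remote peer."""
    lan = ipaddress.ip_network(lan_net)
    nets = defaultdict(set)  # (gid, sid, msg) -> set of remote networks
    for gid, sid, msg, src, dst in parse_alerts(text):
        for ip in (src, dst):
            if ipaddress.ip_address(ip) not in lan:
                nets[(gid, sid, msg)].add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    rules = []
    for (gid, sid, msg), networks in sorted(nets.items()):
        for net in sorted(networks):
            for track in ("by_src", "by_dst"):
                rules.append(f"#{msg}\nsuppress gen_id {gid}, sig_id {sid}, track {track}, ip {net}")
    return rules

def redundant_entries(old_rules, new_rules):
    """Per-IP suppress lines in old_rules that a CIDR line in new_rules already covers
    (same sig_id and track, address inside the network)."""
    new = [(m["sid"], m["track"], ipaddress.ip_network(m["ip"]))
           for m in map(SUPPRESS_RE.search, new_rules) if m]
    covered = []
    for line in old_rules:
        m = SUPPRESS_RE.search(line)
        if m and any(m["sid"] == sid and m["track"] == track and
                     ipaddress.ip_network(m["ip"], strict=False).subnet_of(net)
                     for sid, track, net in new):
            covered.append(line)
    return covered
```

A /24 suppression silences those signatures for every host in the block, so confirm the range really belongs to the backup provider before adopting it, and keep the list limited to the sig_ids actually seen in the alerts.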

              Yep, I thought that as well thanks mind12 :)

              Implemented this now.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.