[SOLVED] Suricata not blocking
-
I'm using suricata in legacy mode and I can't make it block. Alerting is working, but it doesn't block.
I'm using the 2.4 latest snapshot with pfBlocker and freeradius. M/B supermicro A1SRi-2558 (c2558) with 16 GB RAM. I've tried uninstalling and reinstalling suricata, rebooting, and everything else I could think of.
suricata log:
26/4/2017 -- 22:00:46 - <notice>-- This is Suricata version 3.2.1 RELEASE
26/4/2017 -- 22:00:46 - <info>-- CPUs/cores online: 4
26/4/2017 -- 22:00:46 - <info>-- HTTP memcap: 67108864
26/4/2017 -- 22:00:46 - <notice>-- using flow hash instead of active packets
26/4/2017 -- 22:01:00 - <info>-- 3 rule files processed. 13392 rules successfully loaded, 0 rules failed
26/4/2017 -- 22:01:00 - <info>-- 13403 signatures processed. 23 are IP-only rules, 6352 are inspecting packet payload, 9128 inspect application layer, 103 are decoder event only
26/4/2017 -- 22:07:14 - <info>-- Threshold config parsed: 0 rule(s) found
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb2 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5a to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb3 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5b to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan120 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan120 IPv4 address 10.1.2.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb3_vlan300 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5b to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb3_vlan300 IPv4 address 10.1.3.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 192.168.50.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan400 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan400 IPv4 address 192.168.52.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan500 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan500 IPv4 address 192.168.53.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb2_vlan600 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5a to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb2_vlan600 IPv4 address 192.168.54.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0_vlan100 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0_vlan100 IPv4 address 94.61.130.159 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf output device (regular) initialized: block.log
26/4/2017 -- 22:07:14 - <info>-- Pass List /usr/local/etc/suricata/suricata_44765_igb0_vlan100/passlist parsed: 19 IP addresses loaded.
26/4/2017 -- 22:07:14 - <info>-- Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
26/4/2017 -- 22:07:14 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=src kill-state=on
26/4/2017 -- 22:07:14 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf
26/4/2017 -- 22:07:14 - <info>-- fast output device (regular) initialized: alerts.log
26/4/2017 -- 22:07:14 - <info>-- http-log output device (regular) initialized: http.log
26/4/2017 -- 22:07:14 - <info>-- Using 1 live device(s).
26/4/2017 -- 22:07:14 - <warning>-- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Name of device should not be null
26/4/2017 -- 22:07:14 - <info>-- using interface igb0_vlan100
26/4/2017 -- 22:07:14 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
26/4/2017 -- 22:07:14 - <info>-- Found an MTU of 1500 for 'igb0_vlan100'
26/4/2017 -- 22:07:14 - <info>-- Set snaplen to 1524 for 'igb0_vlan100'
26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <info>-- RunModeIdsPcapAutoFp initialised
26/4/2017 -- 22:07:14 - <notice>-- all 5 packet processing threads, 2 management threads initialized, engine started.
26/4/2017 -- 22:07:15 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
What's wrong?
-
Here is the likely problem – (copied from your posted log output)
26/4/2017 -- 22:07:14 - <error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf
I have no idea how or why you are getting this error, though. Did you perhaps accidentally install a base port of Suricata instead of the specially patched version from the pfSense repository? This error is indicative of the custom AlertPf plugin missing from the binary.
UPDATE:
I found the cause. A slight change in the baseline Suricata code from upstream slipped by me during testing. That change causes the custom alert-pf blocking plugin to not get properly registered. When I tested the new 3.2.1 updated, I was rushed and only tested inline IPS mode since I was concentrating on hyperscan. I also did not expect any issues with Legacy Mode since my patch (custom plugin) applied just fine. I will work on a fix and get it posted for the pfSense team to approve and merge. This only impacts Suricata 3.2.1 users.
Bill
-
Thanks, bmeeks. I was getting crazy about it. I've searched everywhere and couldn't find an answer. I posted in the forum as a last resort to try to find a solution.
Thanks again for your work.
-
The fix for this has been posted in a Pull Request. It will be merged into 2.4-BETA shortly. I elected not to bump the binary package version, though, so as not to get out of sync with Suricata upstream. This means you won't see an updated package notice in the pfSense Package Manager GUI. So as soon as the update is merged into 2.4-BETA, I will post an update here and impacted users can simply remove the Suricata package and reinstall to pickup the fixed binary package.
My understanding from the pfSense team is that Suricata 3.2.1 (with the fixed binary) will be made available with the release of pfSense 2.3.4 and will not be backported to 2.3.3. That's the last word I had.
UPDATE:
The fix for the alert-pf custom blocking plugin used with Suricata 3.2.1 on pfSense has been merged for 2.4-BETA users. If you use Legacy Mode blocking with Suricata on a pfSense 2.4-BETA system, then you will need to remove the Suricata package and reinstall it to be sure you get the updated binary. So long as the "save settings" checkbox is checked on the GLOBAL SETTINGS tab (and the default is "checked" unless you changed it), then you won't lose any Suricata settings when you remove and reinstall.
The problem with Legacy Mode blocking was caused by the alert-pf custom blocking plugin that I wrote for Suricata failing to register itself properly during startup. There have been some slight changes in the way Output Modules work in Suricata and I had not kept pace with them. I finally got bitten by my complacency … :-[. That code had worked for so long that I took for granted it would continue to work so long as my patch applied successfully to the baseline code. Turns out that was not really the case.
Bill
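A defender-side startup check for the failure Bill diagnoses above (the alert-pf plugin being configured but never registered as a logger), written as an added example for this thread and not pfSense or Suricata project code. It parses suricata.log lines in the layout quoted in the original post, extracts the ERRCODE fields and the alert-pf settings, and reports whether Legacy Mode blocking can actually work; the sample lines are constructed from the log posted above, and the line format is assumed to be the 3.2.x layout as pasted here.

```python
import re

# Suricata 3.2.x log line as pasted in the thread: "date -- time - <level>-- message"
LOG_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>\w+)>\s*-+\s*(?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<detail>.*)")

# Constructed sample: a subset of the startup lines quoted in this thread.
SAMPLE_LOG = [
    "26/4/2017 -- 22:00:46 - <notice>-- This is Suricata version 3.2.1 RELEASE",
    "26/4/2017 -- 22:07:14 - <info>-- alert-pf output device (regular) initialized: block.log",
    "26/4/2017 -- 22:07:14 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=src kill-state=on",
    "26/4/2017 -- 22:07:14 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf",
    "26/4/2017 -- 22:07:14 - <info>-- fast output device (regular) initialized: alerts.log",
    "26/4/2017 -- 22:07:14 - <warning>-- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Name of device should not be null",
    "26/4/2017 -- 22:07:14 - <notice>-- all 5 packet processing threads, 2 management threads initialized, engine started.",
]

def parse_line(line):
    """Split one log line into time, level, message and (if present) ERRCODE fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m.group("time"), "level": m.group("level").lower(), "msg": m.group("msg")}
    e = ERRCODE_RE.match(rec["msg"])
    if e:
        rec["errcode"], rec["detail"] = e.group("code"), e.group("detail")
    return rec

def check_legacy_blocking(lines):
    """Return (ok, pf_settings, findings). ok is True only when alert-pf was both
    configured (settings line seen) and registered (no 'Unknown logger type' error)."""
    findings, pf_settings = [], {}
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"]
        if msg.startswith("alert-pf output initialized,"):
            # e.g. "pf-table=snort2c block-ip=src kill-state=on" -> dict
            pf_settings = dict(kv.split("=", 1) for kv in msg.split(",", 1)[1].split())
        elif rec["level"] == "error" and "Unknown logger type" in msg and "AlertPf" in msg:
            findings.append("alert-pf plugin failed to register: " + rec["detail"])
        elif rec["level"] in ("error", "warning") and "errcode" in rec:
            findings.append("%s %s: %s" % (rec["level"], rec["errcode"], rec["detail"]))
    if not pf_settings:
        findings.append("no 'alert-pf output initialized' line: Legacy Mode blocking not configured")
    ok = bool(pf_settings) and not any("failed to register" in f for f in findings)
    return ok, pf_settings, findings
```

Running `check_legacy_blocking(SAMPLE_LOG)` reports the registration failure even though the settings line looks healthy, which is exactly why alerts kept flowing while nothing was ever added to the snort2c table.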
-
You're the man, bmeeks. Thank you again. Upgrading now.