Netgate Discussion Forum

    Suricata blocks WAN address

    IDS/IPS
    10 Posts 2 Posters 1.7k Views
    kappen

      All of a sudden Suricata started blocking the WAN address on my pfSense box.
      I have checked the DShield list and my network is not listed; anyone else having this problem?

      ET DROP Dshield Block Listed Source group 1 - 11/28/2017-08:46:12
      ET POLICY Suspicious inbound to MSSQL port 1433 - 11/28/2017-08:38:38
      ET CINS Active Threat Intelligence Poor Reputation IP group 32 - 11/28/2017-08:34:56
      ET CINS Active Threat Intelligence Poor Reputation IP group 89 - 11/28/2017-08:41:22
      ET DROP Spamhaus DROP Listed Traffic Inbound group 4 - 11/28/2017-08:47:19

      All the alerts for the block listed show the WAN address as destination.

        bmeeks

        Need some clarification on your issue --

        (1) Are you running in Legacy Mode or with Inline IPS Mode?

        (2) When you say "block" do you literally mean your network traffic is blocked (or dropped in Inline IPS Mode), or do you mean you are just seeing alerts on the ALERTS tab?

        When running in Legacy Mode, it should not be possible for your actual WAN IP address to be blocked.  There is an internal safeguard against that inside the custom Legacy Mode blocking plugin.  However, with Inline IPS Mode, that safeguard is not present.

        Bill

          kappen

          I run Legacy Mode, and yes, I am no longer able to reach anything on the WAN side of the network.
          I also tried to change the "Which IP to Block" setting from both (default), which had been working fine, to src, but still no luck.

            bmeeks

            Is your WAN connection a static IP, PPPoE or DHCP?

            Look in the suricata.log file on the LOGS VIEW tab.  There should be entries in there showing your WAN IP address being added to the internal whitelist.  Are those present?  Also, if your WAN IP changes, do you see messages in the same log indicating Suricata saw the change and updated its internal list?

            Bill

              kappen

              It's DHCP from the ISP but it "never" changes; the one listed is the current one.
              24/11/2017 -- 21:11:41 - <info> -- alert-pf -> adding firewall interface re1 IPv4 address 37.123.X.X to automatic interface IP Pass List.

              Don't know if this might be the cause, but I have lots of errors like this:

              ```
              28/11/2017 -- 09:21:02 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 528
              28/11/2017 -- 09:21:02 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              28/11/2017 -- 09:21:02 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 563
              28/11/2017 -- 09:21:02 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
              28/11/2017 -- 09:21:02 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 568
              28/11/2017 -- 09:21:03 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
              28/11/2017 -- 09:21:03 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 690
              28/11/2017 -- 09:21:03 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
              28/11/2017 -- 09:21:03 - <error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 691
              28/11/2017 -- 09:21:41 - <info> -- 2 rule files processed. 18484 rules successfully loaded, 15 rules failed
              ```
                bmeeks

                @kappen:

                It's DHCP from the ISP but it "never" changes; the one listed is the current one.
                24/11/2017 -- 21:11:41 - <info> -- alert-pf -> adding firewall interface re1 IPv4 address 37.123.X.X to automatic interface IP Pass List.

                Don't know if this might be the cause, but I have lots of errors like this:

                [...]


                Those errors are fine and expected (especially if you also run Snort VRT rules).  Search the forum here for details.  Those errors mean Suricata does not support the syntax used in the rule because Suricata does not understand all the same rule keywords as Snort does.  Suricata just skips and does not load those rules.

                What I wanted to see is a line in your log file saying --

                ```
                alert-pf -> adding firewall interface %s IPv4 address %s to automatic interface IP Pass List.
                ```


                The "%s" values would be replaced with the actual physical interface names and matching IP addresses for your firewall.  You should see these messages for each interface and for all the addresses (IPv4, IPv6 and Link Local) present on the interface.  Do you see any such lines in your suricata.log file?

                Bill

                  kappen
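                The rule-load errors Bill describes above are easy to lose in a long suricata.log, and the package keeps retrying the same broken rules on every restart. The script below is an added example, not code from the pfSense Suricata package or from anyone in this thread: it pulls the SID, rules file and line of every rule Suricata rejected, pairs each with the reason Suricata logged immediately before it (in the thread's log the reason line precedes the "error parsing signature" line), and reads the loaded/failed totals from the summary line. The sample log lines are constructed from the ones quoted above with the rule bodies shortened, and the log path in the comment is assumed from the rules-file path shown in the thread.

                ```shell
                #!/bin/sh
                # Added example, not code from the pfSense Suricata package: list the rules Suricata
                # refused to load, using the SC_ERR_INVALID_SIGNATURE lines in suricata.log.
                # On the firewall:  failed_rules < /var/log/suricata/suricata_<id>_<iface>/suricata.log
                # (log location assumed from the rules-file path quoted in the thread).

                # Constructed sample in the format quoted in the thread; rule bodies trimmed, SIDs kept.
                # Note the order Suricata uses: the reason line comes first, then the rule it rejected.
                SAMPLE_LOG=$(cat <<'EOF'
                28/11/2017 -- 09:21:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
                28/11/2017 -- 09:21:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; dsize:<194; content:"BRASIL"; http_header; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 528
                28/11/2017 -- 09:21:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                28/11/2017 -- 09:21:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; content:"/gate.php"; fast_pattern:only; content:"&admin="; distance:0; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 690
                28/11/2017 -- 09:21:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
                28/11/2017 -- 09:21:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; file_data; content:"200"; http_stat_code; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_61075_re1/rules/suricata.rules at line 691
                28/11/2017 -- 09:21:41 - <Info> -- 2 rule files processed. 18484 rules successfully loaded, 15 rules failed
                EOF
                )

                # One line per rejected rule, "<sid> <rules file> <line>", from suricata.log on stdin.
                failed_rules() {
                    grep 'error parsing signature' |
                        sed -n 's/.*sid:\([0-9][0-9]*\);.*from file \([^ ]*\) at line \([0-9][0-9]*\).*/\1 \2 \3/p'
                }

                # Just the SIDs, numerically sorted and de-duplicated, one per line (disable-list ready).
                failed_sids() {
                    failed_rules | awk '{ print $1 }' | sort -un
                }

                # "<sid> <reason>" per rejected rule: remember the most recent reason line, emit it
                # when the following "error parsing signature" line names the SID it applies to.
                failed_reasons() {
                    awk '
                        /error parsing signature/ {
                            if (match($0, /sid:[0-9]+;/)) print substr($0, RSTART + 4, RLENGTH - 5) " " reason
                            reason = ""; next
                        }
                        /SC_ERR_INVALID_SIGNATURE/ { sub(/.*SC_ERR_INVALID_SIGNATURE[^-]*- /, ""); reason = $0 }
                    '
                }

                # "<loaded> <failed>" from the summary line Suricata writes after loading rules.
                load_summary() {
                    sed -n 's/.* \([0-9][0-9]*\) rules successfully loaded, \([0-9][0-9]*\) rules failed.*/\1 \2/p'
                }

                # Stand-alone demo on the constructed sample.
                printf '%s\n' "$SAMPLE_LOG" | failed_reasons
                printf 'loaded/failed: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | load_summary)"
                ```

                Feeding `failed_sids` output into the package's SID management (disable) list silences the retries; whether to do that or simply ignore the errors, as Bill suggests, is a judgement call, since a rule Suricata cannot parse never fires either way.
                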

                  It is there:
                  24/11/2017 -- 21:11:41 - <info> -- alert-pf -> adding firewall interface re1 IPv4 address 37.123.X.X to automatic interface IP Pass List.

                    bmeeks

                    @kappen:

                    It is there:
                    24/11/2017 -- 21:11:41 - <info> -- alert-pf -> adding firewall interface re1 IPv4 address 37.123.X.X to automatic interface IP Pass List.

                    With your IP address in that internal automatic pass list it should never get blocked.  That's the purpose of that automatic process.  It starts a thread that constantly monitors all the firewall interface IPs and automatically updates that internal pass list when one of the interface IPs changes.

                    When you get the "block" on your WAN, can you go to DIAGNOSTICS > TABLES and check the contents of the snort2c table by selecting it in the drop-down?  Is your actual WAN IP address listed among the addresses in that table?

                    On the BLOCKS tab, do you see your WAN IP address listed in the results?

                    Oh, and one more question please.  Is your hardware using an Intel CPU or is it one of the new ARM-based Netgate appliances?

                    I have so many questions and am seeking all these verifications because blocking of the actual WAN interface IP address should not ever happen, so I want to track down the cause in your case.

                    Bill

                      kappen

                      I have an Intel-based system. My son pulled the power to my switches and FW =( and now it works again. I'll come back if it happens again.

                      I could see the block for the dst and src in the block list log and in the results tab.

                        bmeeks

                        It should not have blocked your WAN IP, but if it does that anyway, you can manually remove the block two ways.  On the BLOCKS tab you can clear individual or all blocks.  Under DIAGNOSTICS > TABLES from the pfSense menu select the snort2c table in the table name drop-down and clear its contents.  That will remove all blocks inserted by Suricata.

                        I also recommend folks go to the GLOBAL SETTINGS tab and set the "clear blocks" interval to 1 hour or less.  That way a cron job will run at that interval and remove blocks that have seen no action during the configured interval.

                        In your case I'm guessing the power loss and subsequent reboot of your firewall cleared out the snort2c table since that table lives in RAM only.  Blocks from Suricata or Snort are automatically cleared when the firewall reboots.

                        Bill

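                        Bill asks for three things across his replies: confirm the pass-list message for the WAN address is in suricata.log, check whether that address is sitting in the snort2c table (DIAGNOSTICS > TABLES), and if so clear the block. The script below is an added example, not code from the pfSense Suricata package or from either poster; it does those checks from the shell on the firewall so they can be re-run the next time the WAN is cut off. It operates on constructed stand-ins for the live inputs: the suricata.log lines and the `pfctl -t snort2c -T show` dump are made up (interface re1 and every address are placeholders), and the log path in the comment is assumed from the rules-file path quoted in the thread. The `pfctl -t snort2c -T delete` command it prints is the standard pf table operation and removes one entry rather than flushing every block the way clearing the table in the GUI does.

                        ```shell
                        #!/bin/sh
                        # Added example, not code from the pfSense Suricata package: the checks asked for in
                        # this thread, scripted so they can be repeated when the WAN "block" recurs:
                        #   1. did suricata.log record the WAN address being added to the automatic pass list?
                        #   2. is that address currently an entry in the snort2c pf table?
                        #   3. if so, remove that one entry instead of flushing every block.
                        # The inputs below are constructed stand-ins for the live commands noted beside each;
                        # interface re1 and all addresses are made up for the demo.

                        WAN_IF=re1
                        WAN_IP=37.123.45.67

                        # Live:  /var/log/suricata/suricata_<id>_re1/suricata.log  (path assumed from the thread)
                        SAMPLE_LOG='24/11/2017 -- 21:11:41 - <Info> -- alert-pf -> adding firewall interface re1 IPv4 address 37.123.45.67 to automatic interface IP Pass List.
                        24/11/2017 -- 21:11:41 - <Info> -- alert-pf -> adding firewall interface re0 IPv4 address 192.168.1.1 to automatic interface IP Pass List.'

                        # Live:  pfctl -t snort2c -T show
                        SAMPLE_TABLE='   185.220.101.5
                           37.123.45.67
                           198.51.100.23'

                        # Addresses the pass-list thread logged for interface $1 (suricata.log on stdin).
                        passlist_addrs() {
                            sed -n "s/.*adding firewall interface $1 IPv[46] address \([^ ]*\) to automatic.*/\1/p"
                        }

                        # Exit 0 if address $1 is an entry in a "pfctl -t snort2c -T show" dump read from stdin.
                        in_snort2c() {
                            awk -v ip="$1" '$1 == ip { found = 1 } END { exit(found ? 0 : 1) }'
                        }

                        # Verdict for interface $1 / address $2 given log text $3 and table dump $4:
                        #   ok          pass-listed and not in the table (what Legacy Mode should always give)
                        #   BLOCKED     in snort2c even though it was pass-listed (the situation in this thread)
                        #   NOT-LISTED  never added to the pass list, so the safeguard is not covering it
                        wan_status() {
                            if ! printf '%s\n' "$3" | passlist_addrs "$1" | grep -qxF "$2"; then
                                echo NOT-LISTED
                            elif printf '%s\n' "$4" | in_snort2c "$2"; then
                                echo BLOCKED
                            else
                                echo ok
                            fi
                        }

                        # The pfctl command that drops exactly one address from the table (run as root on the box).
                        unblock_cmd() {
                            echo "pfctl -t snort2c -T delete $1"
                        }

                        # Stand-alone demo on the constructed inputs.
                        status=$(wan_status "$WAN_IF" "$WAN_IP" "$SAMPLE_LOG" "$SAMPLE_TABLE")
                        echo "$WAN_IF $WAN_IP: $status"
                        if [ "$status" = BLOCKED ]; then
                            echo "clear it with: $(unblock_cmd "$WAN_IP")"
                        fi
                        ```

                        A NOT-LISTED result is the one to chase first: if the pass-list thread never logged the WAN address (for example because the address changed and the update was missed), Legacy Mode's safeguard is not protecting it at all, and a BLOCKED result after that is expected rather than a bug.
                        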
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.