Suricata Blocking WAN IP Address
-
What was the time stamp on those log entries? How does the time stamp on those entries match up with the time of the alert and block? Does your WAN IP address change frequently?
As a side note, that set of rules has very limited usefullness on a Home Internet connection. In your case it is almost certainly a false positive. Unless you are running a public NTP server, then you don't need that rule at all.
Bill
-
Follow up test results –
I configured a test scenario in a VMware lab environment to test if the automatic Pass List feature that prevents blocking the WAN IP address of the firewall works. I could not reproduce your issue of blocking the WAN IP. I had a pfSense firewall running Suricata configured for Legacy Mode blocking with no passlist defined (meaning there was no automatic pass list being generated). Suricata was configured to block BOTH alert IP addresses (SRC and DST).
I then scanned the WAN IP of this virtual machine from a Kali Linux host in the same subnet as the WAN IP. I got immediate blocks on the IP address of the Kali Linux host, but no blocks on the WAN IP of the firewall being scanned. There were no blocks on the firewall being scanned because the automatic WAN IP pass list feature of Suricata prevented it.
So Suricata will not block your currently active WAN IP (at least when used in the default configuration). If it would allow the WAN IP to be blocked, then my test would have resulted in an immediate block of both the Kali Linux box IP and the WAN IP of my test firewall victim. I only got blocks on the Kali Linux host's IP address.
Bill
-
I don't know…..
It just happened again.My IP address does not change at all.
Here's the most recent one.
03/17/2018
21:36:14 3 UDP Generic Protocol Command Decode 60.191.29.20
27637 70.161.x.x
80 1:2200075
SURICATA UDPv4 invalid checksum
03/17/2018
21:33:49 3 UDP Generic Protocol Command Decode 60.191.29.20
27637 70.161.x.x
53 1:2200075
SURICATA UDPv4 invalid checksumIt just happened less than 10 minutes ago. Weird.
Next time, I'll take a snapshot of the "Block" page and post it up.
bmeeks – thanks for the advice. Times all jive. and IP address has been the same all day. I appreciate you running the test. You're correct -- it should NOT happen. I am using Legacy mode, by the way.
Is there some way to "manually" add my WAN IP address to Suricata to be on the Pass List?
I broke my machine! Damn!
Thanks again,
Eboman -
Hmmm…..I might be on to something.
I just went into the Pass List section and it was completely blank. No lists at all.So I clicked "add", made sure I included all of the Auto-Generated Lists and I'll see what it does.
Now I have one list in my listnames...passlist_30503.
Fingers crossed.
Thanks again everyone. I'll let you know if this fixed it. Fun to learn something new.
Eboman
-
Ehh…come to find out there IS a default PassList. And my WAN IP address was in it -- and it was enabled under Networks Suricata Should Inspect and Protect. It was not previously sent to "none"...it was on "default".
For kicks, I'm going to change it from Default to the new Pass List I created (which is identical to the default one).
More to come....
Thanks,
Eboman -
You should not be getting those UDP checksum alerts. Go to SYSTEM > ADVANCED and then the NETWORKING tab in the pfSense menu. Scroll down to the Network Interfaces section and be sure the three checkboxes to disable Hardware Checksum Offloading, Hardware TCP Segmentation Offloading and Hardware Large Receive Offloading are checked. You want those three features disabled when using an IDS/IPS.
Even still, you should not be getting blocks from those alerts even when you receive them. Have you checked for a possible zombie Suricata process? Run this command from the CLI and be sure you see only a single instance of Suricata for each enabled interface –
ps -ax | grep suricata
If the output of that command shows any "identical lines", then kill the duplicate process or else reboot your firewall to start fresh.
Is your setup a standard LAN/WAN situation with pfSense doing all the routing and maybe just a cable modem on the WAN side? Is there anything unusual like maybe you are running in bridge mode or something?
Bill
-
Hi bmeeks,
Yes. I have all of the three checkboxes "checked" to disable the checking (did that when I set up Suricata, based on all of the guides I read).
I actually JUST now did a reset of the machine I've got pfSense running to see what the command you asked me to run would show. Here it is:
64917 - Ss 0:20.52 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/sur
72457 - Ss 0:19.25 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/sur
98399 - Ss 0:26.08 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/sur
99743 - S 0:00.00 sh -c ps -ax | grep suricata 2>&1
99923 - S 0:00.00 grep suricataAnd yes, it's a simple setup. Cable modem into WAN…..only one LAN port. Both on Intel Cards.
Thanks again for helping me with this.
Eboman
-
Weird.
Rebooted again and this is what I got:64582 - Ss 0:22.10 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suri
67499 - Ss 0:22.15 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suri
94199 - S 0:00.00 sh -c ps -ax | grep suricata 2>&1
94789 - S 0:00.00 grep suricataNo blocks since I changed from default to the custom pass list though.
-
Son of a gun.
It happened again. While I was in the shower. Nobody else home (not that it would make a difference).Came out of the shower to a text message and no Netflix.
I attached a screen shot.
I ran the command again but got the same result.
1391 - S 0:00.00 sh -c ps -ax | grep suricata 2>&1
1580 - S 0:00.00 grep suricata
64582 - Ss 2:49.60 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/su
67499 - Ss 2:59.49 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suSo evidently, my "custom" pass list doesn't help any.
I'm starting to get bummed out.
Eboman
-
Going to disable "live-swap" of rules.
At this point…I'm going through every tab to see if I missed something.Bill,
Do you have a link to any IPS testing websites I could try to use to test different settings? Basically, I want to manually generate an Alert, instead of waiting for one to "happen".
I used to have one bookmarked years ago...the first time I started playing with firewall stuff.Thanks!
Eboman -
I think I "might" be on to something.
Here's the Suricata log that just now was generated (when I changed the setting, I manually stopped Suricata on the WAN Interface and restarted it:
18/3/2018 – 22:39:39 - <info>-- Threshold config parsed: 31 rule(s) found
18/3/2018 -- 22:39:39 - <info>-- 26443 signatures processed. 1190 are IP-only rules, 6677 are inspecting packet payload, 15956 inspect application layer, 100 are decoder event only
18/3/2018 -- 22:39:49 - <info>-- alert-pf -> adding firewall interface em0 IPv6 address xxx to automatic interface IP Pass List.
18/3/2018 – 22:39:49 - <info>-- alert-pf -> adding firewall interface em0 IPv4 address 70.161.x.x to automatic interface IP Pass List.</info>
18/3/2018 – 22:39:49 - <info>-- alert-pf -> adding firewall interface em1 IPv6 address xxx to automatic interface IP Pass List.
18/3/2018 -- 22:39:49 - <info>-- alert-pf -> adding firewall interface em1 IPv4 address 192.168.1.1 to automatic interface IP Pass List.
18/3/2018 -- 22:39:49 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
18/3/2018 -- 22:39:49 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
18/3/2018 -- 22:39:49 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
18/3/2018 -- 22:39:49 - <info>-- alert-pf -> adding firewall interface em1.2 IPv6 address xxx to automatic interface IP Pass List.
18/3/2018 -- 22:39:49 - <info>-- alert-pf output device (regular) initialized: block.log
18/3/2018 -- 22:39:49 - <info>-- Pass List /usr/local/etc/suricata/suricata_28752_em0/passlist parsed: 14 IP addresses loaded.
18/3/2018 -- 22:39:49 - <info>-- Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
18/3/2018 -- 22:39:49 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=off
18/3/2018 -- 22:39:49 - <info>-- fast output device (regular) initialized: alerts.log
18/3/2018 -- 22:39:49 - <info>-- http-log output device (regular) initialized: http.log
18/3/2018 -- 22:39:49 - <info>-- Using 1 live device(s).
18/3/2018 -- 22:39:49 - <info>-- using interface em0
18/3/2018 -- 22:39:49 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/3/2018 -- 22:39:49 - <info>-- Found an MTU of 1500 for 'em0'
18/3/2018 -- 22:39:49 - <info>-- Set snaplen to 1524 for 'em0'
18/3/2018 -- 22:39:49 - <info>-- RunModeIdsPcapAutoFp initialised
18/3/2018 -- 22:39:49 - <notice>-- all 3 packet processing threads, 2 management threads initialized, engine started.
18/3/2018 -- 22:40:01 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT usedHere's the previous one…from earlier, when I rebooted the machine (notice something missing?):
18/3/2018 – 19:03:33 - <info>-- Threshold config parsed: 31 rule(s) found
18/3/2018 -- 19:03:33 - <info>-- 26588 signatures processed. 1190 are IP-only rules, 6703 are inspecting packet payload, 16086 inspect application layer, 100 are decoder event only
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface em0 IPv6 address xxx to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface em1 IPv6 address xxx to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface em1 IPv4 address 192.168.1.1 to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf -> adding firewall interface em1.2 IPv6 address xxx to automatic interface IP Pass List.
18/3/2018 -- 19:03:48 - <info>-- alert-pf output device (regular) initialized: block.log
18/3/2018 -- 19:03:48 - <info>-- Pass List /usr/local/etc/suricata/suricata_28752_em0/passlist parsed: 10 IP addresses loaded.
18/3/2018 -- 19:03:48 - <info>-- Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
18/3/2018 -- 19:03:48 - <info>-- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=off
18/3/2018 -- 19:03:48 - <info>-- fast output device (regular) initialized: alerts.log
18/3/2018 -- 19:03:48 - <info>-- http-log output device (regular) initialized: http.log
18/3/2018 -- 19:03:48 - <info>-- Using 1 live device(s).
18/3/2018 -- 19:03:48 - <info>-- using interface em0
18/3/2018 -- 19:03:48 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
18/3/2018 -- 19:03:48 - <info>-- Found an MTU of 1500 for 'em0'
18/3/2018 -- 19:03:48 - <info>-- Set snaplen to 1524 for 'em0'
18/3/2018 -- 19:03:48 - <info>-- RunModeIdsPcapAutoFp initialised
18/3/2018 -- 19:03:48 - <notice>-- all 3 packet processing threads, 2 management threads initialized, engine started.
18/3/2018 -- 19:05:27 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT usedI'm guessing that since it's already in the "pass list" the WAN IP address should not be getting blocked, unless the "pass list" automatically clears itself and regenerates with the new data every time the system is restarted.
At the moment, everything is working as it should. I've been generating Alerts, but it's not blocking the WAN IP address. I don't know if it's because I turned off the "live swap" option. I don't think so, since I haven't updated rules recently. I have a funny feeling it's because THIS time starting up, Suricata recognized my WAN IP address.
Many times, when I turn on the pfSense machine, I have to "reboot" my cable modem to get a WAN IP address. It's been like that forever (going back to 2 different ASUS routers….ALWAYS had to reboot the modem to get an WAN IP address after rebooting the Router). I assumed the Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses was to monitor for changes.
Bill,
Do you think I'm on to something here?Thanks!
Eboman</info></notice></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></notice></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info></info> -
Yes, this last scenario you posted would be the source of your WAN IP blocks. Suricata is starting up and not finding your WAN IP active. It does create a thread to monitor for IP address changes on all active firewall interfaces, so later, when your WAN IP comes up it should get added to the list automatically and you should see a log entry for it. Maybe that is not happening in your case, though.
I suggest putting your cable modem and pfSense box both on the same UPS, and then never turn either of them off. Powering your pfSense box up and down should not be necessary unless you are making a hardware change, or it needs to reboot to install an update. I have my system configured as described: both the cable modem and pfSense firewall are on the same UPS and they never get powered off. Always on.
Bill
-
Fantastic!!!
Thanks again for all of the help Bill.
I had recently taken my pfSense build out of a little tower case and stuck it in a rack-mount case and got a nice cabinet to keep it all in (switches/patch panel/PDU/etc). Of course, every time I moved something, I had to power-down everything and do my little modem trick (which would explain why it only recently started blocking the WAN IP). However, it's FINALLY all together and all on one UPS for modem/pfSense (using apcupsd which is nice). SmartUPS is on the Windows 2016 Server/switches/etc.
Mystery solved. I thought I was going crazy! hahaha!! It was one of those "it can't possibly be happening…but IS happening" scenarios that we all love so much.
Thanks again,
Eboman