No Alerts using Suricata inline mode.
-
The errors are normal when running Snort rules. There are a few Snort rule options and keywords that Suricata does not recognize, and the errors are showing you which Snort rules are giving problems and being ignored. Those rules won't be loaded, so they can't be the cause of the "no alerts" issue.
Is there anything different for your configured interfaces such as having VLANs defined on them perhaps? I'm really having a hard time figuring out what could be going on. Is the traffic part of a VPN or something? Are there any shapers or limiters configured on the interfaces?
Bill
-
Yeah, I am too. :)
No limiters, queues or shapers. Technically LAN and WAN show on the limiter tab but are not configured or enabled…pretty sure that's a default. No VPN.
This particular router has a private IP range in its WAN, and a Virtual IP. (we have another router in front of it that we use for other tenants in our building)
The WAN port is connected to a 100Base-T switch, could the em0 driver disable netmap at that speed? Traffic flows just fine in inline mode though. It's an Intel NIC in a Dell PC.
-
Suricata using Inline IPS Mode will automatically generate some PASS rules as it emulates the behavior of the default Pass List used with Legacy Mode. Those rules will be in a file named passlist.rules in this path –
/usr/local/etc/suricata/suricata__xxxxx_/rules where xxxxx will be a random UUID and the physical interface name.
Take a look in that file, or even better, post its contents back here and let me take a look. I wonder if the code is generating an automatic pass list that is too broad.
Bill
-
passlist.rules is empty in legacy mode. In inline mode it has:
pass ip 8.8.4.4/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 8.8.4.4/32"; sid:1000001;)
pass ip 10.15.55.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.1/32"; sid:1000002;)
pass ip 10.15.55.42/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.42/32"; sid:1000003;)
pass ip 10.15.55.43 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43"; sid:1000004;)
pass ip 10.15.55.43/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43/32"; sid:1000005;)
pass ip 10.99.99.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.99.99.0/24"; sid:1000006;)
pass ip 64.79.96.148/29 any <> any any (msg:"Pass List Entry - allow all traffic from/to 64.79.96.148/29"; sid:1000007;)
pass ip 72.35.12.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.12.0/24"; sid:1000008;)
pass ip 72.35.23.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.23.0/24"; sid:1000009;)
pass ip 74.122.194.0/25 any <> any any (msg:"Pass List Entry - allow all traffic from/to 74.122.194.0/25"; sid:1000010;)
pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000011;)
pass ip 173.165.105.46 any <> any any (msg:"Pass List Entry - allow all traffic from/to 173.165.105.46"; sid:1000012;)
pass ip 192.162.216.0/22 any <> any any (msg:"Pass List Entry - allow all traffic from/to 192.162.216.0/22"; sid:1000013;)
pass ip 208.70.128.0/21 any <> any any (msg:"Pass List Entry - allow all traffic from/to 208.70.128.0/21"; sid:1000014;)
pass ip ::1/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to ::1/128"; sid:1000015;)
pass ip fe80::21b:21ff:fe24:593/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::21b:21ff:fe24:593/128"; sid:1000016;)
pass ip fe80::225:64ff:feaf:8afd/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::225:64ff:feaf:8afd/128"; sid:1000017;)10.15.55.0/24 is the WAN side. .42 is the WAN IP of this router and .43 is a virtual IP on WAN. The public IPs and one of the 10.15.55.43 entries are from a passlist configured in Suricata. 8.8.4.4 and 10.15.55.1 I think it picks up as DNS servers for this router. 10.99.99.0/24 is our LAN. 10.15.55.1 is the WAN gateway (building router).
Edit: Our dropsid.conf contains:
emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dos,emerging-exploit,emerging-games,emerging-info,emerging-malware,emerging-mobile_malware,emerging-p2p,emerging-policy,emerging-scada,emerging-scan,emerging-shellcode,emerging-tor,emerging-trojan,emerging-user_agents,emerging-web_client,emerging-web_server,emerging-worm,decoder-events,dns-events,GPLv2_community,http-events,smtp-events,tls-events -
@teamits:
passlist.rules is empty in legacy mode. In inline mode it has:
pass ip 8.8.4.4/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 8.8.4.4/32"; sid:1000001;)
pass ip 10.15.55.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.1/32"; sid:1000002;)
pass ip 10.15.55.42/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.42/32"; sid:1000003;)
pass ip 10.15.55.43 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43"; sid:1000004;)
pass ip 10.15.55.43/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43/32"; sid:1000005;)
pass ip 10.99.99.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.99.99.0/24"; sid:1000006;)
pass ip 64.79.96.148/29 any <> any any (msg:"Pass List Entry - allow all traffic from/to 64.79.96.148/29"; sid:1000007;)
pass ip 72.35.12.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.12.0/24"; sid:1000008;)
pass ip 72.35.23.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.23.0/24"; sid:1000009;)
pass ip 74.122.194.0/25 any <> any any (msg:"Pass List Entry - allow all traffic from/to 74.122.194.0/25"; sid:1000010;)
pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000011;)
pass ip 173.165.105.46 any <> any any (msg:"Pass List Entry - allow all traffic from/to 173.165.105.46"; sid:1000012;)
pass ip 192.162.216.0/22 any <> any any (msg:"Pass List Entry - allow all traffic from/to 192.162.216.0/22"; sid:1000013;)
pass ip 208.70.128.0/21 any <> any any (msg:"Pass List Entry - allow all traffic from/to 208.70.128.0/21"; sid:1000014;)
pass ip ::1/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to ::1/128"; sid:1000015;)
pass ip fe80::21b:21ff:fe24:593/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::21b:21ff:fe24:593/128"; sid:1000016;)
pass ip fe80::225:64ff:feaf:8afd/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::225:64ff:feaf:8afd/128"; sid:1000017;)10.15.55.0/24 is the WAN side. .42 is the WAN IP of this router and .43 is a virtual IP on WAN. The public IPs and one of the 10.15.55.43 entries are from a passlist configured in Suricata. 8.8.4.4 and 10.15.55.1 I think it picks up as DNS servers for this router. 10.99.99.0/24 is our LAN. 10.15.55.1 is the WAN gateway (building router).
Edit: Our dropsid.conf contains:
emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dos,emerging-exploit,emerging-games,emerging-info,emerging-malware,emerging-mobile_malware,emerging-p2p,emerging-policy,emerging-scada,emerging-scan,emerging-shellcode,emerging-tor,emerging-trojan,emerging-user_agents,emerging-web_client,emerging-web_server,emerging-worm,decoder-events,dns-events,GPLv2_community,http-events,smtp-events,tls-eventsThe passlist.rules file is only generated and used when Inline IPS Mode is active. Legacy Mode has a completely different process.
Looking at the list I can see that my original logic was flawed in some ways. The passlist is "too inclusive". What I was trying to do was re-create the sort of "automatic pass list" process that Legacy Mode has per the request of users. But the effect with Inline IPS Mode is going to be different. This is an overly broad pass list. I should rework it to include maybe only the firewall interface IPs themselves without the network subnets. What is happening now is the pass list is way too broad and winds up telling Suricata to skip looking at a lot of stuff.
I'm going to back this change out or else completely re-think the logic. I will do that in the next update.
Bill
-
So for clarity, does the pass list set under "Networks Suricata Should Inspect and Protect"/Pass List not apply in Inline mode? Or are you saying that passlist.rules incorporates that, but works in a different way?
viewing our pass list under "Networks Suricata Should Inspect and Protect"/Pass List shows the same list:
8.8.4.4/32
10.15.55.1/32
10.15.55.42/32
10.15.55.43
10.15.55.43/32
10.99.99.0/24
64.79.96.148/29
72.35.12.0/24
72.35.23.0/24
74.122.194.0/25
127.0.0.1/32
173.165.105.46
192.162.216.0/22
208.70.128.0/21
::1/128
fe80::21b:21ff:fe24:593/128
fe80::225:64ff:feaf:8afd/128 -
@teamits:
So for clarity, does the pass list set under "Networks Suricata Should Inspect and Protect"/Pass List not apply in Inline mode? Or are you saying that passlist.rules incorporates that, but works in a different way?
viewing our pass list under "Networks Suricata Should Inspect and Protect"/Pass List shows the same list:
8.8.4.4/32
10.15.55.1/32
10.15.55.42/32
10.15.55.43
10.15.55.43/32
10.99.99.0/24
64.79.96.148/29
72.35.12.0/24
72.35.23.0/24
74.122.194.0/25
127.0.0.1/32
173.165.105.46
192.162.216.0/22
208.70.128.0/21
::1/128
fe80::21b:21ff:fe24:593/128
fe80::225:64ff:feaf:8afd/128It's a little "yes" and a little "no" … :)
You can create a Pass List now with Inline IPS Mode but the result is a bit different. With Legacy Mode, you still see alerts on Pass List IP addresses, but they never generate blocks. This is due to how the custom plugin I wrote operates in conjunction with the packet filter firewall in pfSense. Inline IPS Mode is different as it is native Suricata code (no customization). The only way to simulate a pass list like Legacy Mode uses is to generate rules for the IP addresses with PASS as the action. When Suricata is operating in Inline IPS Mode and encounters a rule with PASS as the action, it does just that -- lets the traffic pass with no inspection and no delay. This means no alerts show up for pass list traffic when using Inline IPS Mode.
The automatic pass list rules for Inline IPS Mode are to broad in that they let anything go by where the pass list IP is on either end of the connection (source or destination).
Bill
-
Hi Bill, I saw there was a new Suricata package, updated, enabled Inline mode, and am seeing alerts/blocks! Hooray!
Semi-related to this thread, since we were talking about pass lists, I noticed the Pass List setting was removed for Inline mode. We had a few external things in there like our anti-spam service and our web server cluster, that we didn't want to block. Is there still a way to accomplish that? Or just add to the suppress list as alerts happen?
Thanks,
Steve -
Never mind, I found the release notes at https://forum.pfsense.org/index.php?topic=145489.0 and even better https://forum.pfsense.org/index.php?topic=145257.msg790339 that discuss pass lists.
-
@teamits:
Never mind, I found the release notes at https://forum.pfsense.org/index.php?topic=145489.0 and even better https://forum.pfsense.org/index.php?topic=145257.msg790339 that discuss pass lists.
You can use custom PASS rules to create a pass list, but just be careful as I warned in the posts you linked. It is probably better to watch and either disable the bothersome rules, or use suppress lists and either of the "filter by IP" options that are available when you click the plus sign (+) beside the IP address columns on the ALERTS tab. Doing it that way allows a rule-by-rule tuning and even limiting that to certain hosts (IP addresses). Using a pass list is more like using a large hammer when what you really need is a jeweler's screwdriver. With a PASS rule that filters only on an address, you are potentially exposing the whitelisted host to a lot of malicious stuff.
Bill