Suricata 4.1.4_2 not blocking hosts

bmeeks

@bose301s: and one last question, is the "Which IP to Block" setting on the INTERFACE SETTINGS tab set to BOTH, or DST or SRC? BOTH is the default.

Edit: Oh, and you do not have Block on Drops only set do you? If so, have you changed your rule actions to DROP from their default of ALERT?

Just checking all the obvious things first.

bose301s

@bmeeks said in Suricata 4.1.4_2 not blocking hosts:

@bose301s: and one last question, is the "Which IP to Block" setting on the INTERFACE SETTINGS tab set to BOTH, or DST or SRC? BOTH is the default.

Edit: Oh, and you do not have Block on Drops only set do you? If so, have you changed your rule actions to DROP from their default of ALERT?

Just checking all the obvious things first.

The which IP to block is set to BOTH and I did not change it to Block on Drops.

bmeeks

@bose301s:
Okay. I will look into this again. It very well may be related to a bug fix I did to correct a problem with Suricata failing to start on interfaces with a /31 subnet mask.

So that I can test with the exact same IP configuration, will you PM me the IP address and subnet mask for your WAN link? If it is what I suspect, then certain types of IP subnets may trigger the problem, and using yours can help me locate it. You can do that using the Chat icon at the top right corner of this page.

ryan_g

I am having the identical problem with 4.1.4_3 after updating. I have not tried rebuilding the entire router but wiping Suricata and reinstalling/re-configuring has not made a difference. Alerts are showing properly, just no blocks. I will message my IP if that helps.

bose301s

@bmeeks said in Suricata 4.1.4_2 not blocking hosts:

@bose301s:
Okay. I will look into this again. It very well may be related to a bug fix I did to correct a problem with Suricata failing to start on interfaces with a /31 subnet mask.

So that I can test with the exact same IP configuration, will you PM me the IP address and subnet mask for your WAN link? If it is what I suspect, then certain types of IP subnets may trigger the problem, and using yours can help me locate it. You can do that using the Chat icon at the top right corner of this page.

I am really new to pfSense, do you need my public IP and the Subnet?

jchud

I recently upgrade to 4.1.4_3 and am having the same issue where it is alerting but not blocking. And when I tried rebooting my pfsense box this morning it failed to properly come back up, displaying a ton of errors to the console. Just got done rebuilding me entire pfsense box and still having the same issue.

bmeeks

@ryan_g : I received your info. Thanks. Will look into this problem. I am pretty sure I introduced it by fixing another issue reported on Redmine with /31 point-to-point subnets.

bmeeks

@jchud said in Suricata 4.1.4_2 not blocking hosts:

I recently upgrade to 4.1.4_3 and am having the same issue where it is alerting but not blocking. And when I tried rebooting my pfsense box this morning it failed to properly come back up, displaying a ton of errors to the console. Just got done rebuilding me entire pfsense box and still having the same issue.

I suspect this is a common problem, and likely one I inadvertenly introduced while fixing another reported bug. I will get this one fixed.

bmeeks

@bose301s said in Suricata 4.1.4_2 not blocking hosts:

@bmeeks said in Suricata 4.1.4_2 not blocking hosts:

@bose301s:
Okay. I will look into this again. It very well may be related to a bug fix I did to correct a problem with Suricata failing to start on interfaces with a /31 subnet mask.

So that I can test with the exact same IP configuration, will you PM me the IP address and subnet mask for your WAN link? If it is what I suspect, then certain types of IP subnets may trigger the problem, and using yours can help me locate it. You can do that using the Chat icon at the top right corner of this page.

I am really new to pfSense, do you need my public IP and the Subnet?

See my PM reply to you. Was away for a while and replied to your post after it was 5 hours old.

bmeeks

To anyone else experiencing this issue of the latest Suricata package not blocking hosts when Legacy Mode blocking is enabled, I am aware and looking into the fix. Pretty sure this is a side effect from fixing another different bug. The issue is within the custom blocking plugin I wrote for Suricata, so I will have to patch and then submit an updated Suricata binary to correct the problem.

bmeeks

The fix for this bug is posted for the pfSense team to review and merge. I've asked them to expedite this one, so keep checking for a new Suricata package to show up in PACKAGE MANAGER either later today or early tomorrow.

The pull request for the fix is here: https://github.com/pfsense/FreeBSD-ports/pull/652.

jchud

Just got the update installed, so thanks for fixing things. I do want to mention though that just like when I rebuilt everything from scratch it did not automatically start on my WAN interface but did on my LAN and when I go look up the rules it tells me the app-layer-event.rules can not be found or something. On the bright side at least its blocking again.

bmeeks

@jchud said in Suricata 4.1.4_2 not blocking hosts:

Just got the update installed, so thanks for fixing things. I do want to mention though that just like when I rebuilt everything from scratch it did not automatically start on my WAN interface but did on my LAN and when I go look up the rules it tells me the app-layer-event.rules can not be found or something. On the bright side at least its blocking again.

There is a fix for that in the update, but unfortunately you don't get the fixed file in effect until after you install the update. By that point the old file has already messed up your install. You can fix your problem by doing what I just wrote in the Release Notes here. Delete the Suricata package and then install it again. That will restore the missing app-layer-events.rules and other events rules files.

jchud

@bmeeks Alright did an uninstall followed by a reinstall and it got rid of the app-layer-event.rule thing. The only thing that it still did was not autostart on my WAN interface like it did on my LAN, any idea how to correct that?

bmeeks

@jchud said in Suricata 4.1.4_2 not blocking hosts:

@bmeeks Alright did an uninstall followed by a reinstall and it got rid of the app-layer-event.rule thing. The only thing that it still did was not autostart on my WAN interface like it did on my LAN, any idea how to correct that?

There should be a message in the suricata.log file for the interface. It can also take Suricata a little time to start on an interface if you have lots of rules enabled. That little icon on the INTERFACES tab will show a spinning gear if Suricata is still starting for an interface. If you see just the red X (for stopped), then check the log file to see what's up. And just one more thing: don't use the Service Watchdog package with Suricata or Snort. You haven't said you are, but I just mention it because several folks have done that and it leads to issues.

jchud

@bmeeks Well unfortunately I do not have a copy of the log prior to me starting it manually, but I will check next I reboot or something. Though speaking about that log I did notice that while it is blocking I still get a few entries (like when it wasn't) saying "<Warning> -- [ERRCODE: SC_WARN_UNCOMMON(230)] - alert-pf -> Firewall interface IP change notification thread received an invalid IP address via kernel routing message socket.", "<Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Argument "tree" NULL", and some about IP address on the interface being changed. Also as far as I know I am not using the Service Watchdog package.

bmeeks

@jchud said in Suricata 4.1.4_2 not blocking hosts:

@bmeeks Well unfortunately I do not have a copy of the log prior to me starting it manually, but I will check next I reboot or something. Though speaking about that log I did notice that while it is blocking I still get a few entries (like when it wasn't) saying "<Warning> -- [ERRCODE: SC_WARN_UNCOMMON(230)] - alert-pf -> Firewall interface IP change notification thread received an invalid IP address via kernel routing message socket.", "<Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Argument "tree" NULL", and some about IP address on the interface being changed. Also as far as I know I am not using the Service Watchdog package.

Are you sure you got the updated binary? Those errors were the old bug manifesting itself. That can't happen in the fixed binary. Did you delete the Suricata package entirely and then install it again? If not, do it this way ---

1. Go to the PACKAGE MANAGER tab, and on the Installed Packages tab click the trash icon beside the Suricata package to remove it from the firewall. It will take serveral seconds to uninstall. Let it finished and DO NOT leave the page until you get a green status bar saying removal succeeded.

2. Click the Available Packages tab, locate Suricata in the list, and install it again. Pay careful attention to the dependency packages listed underneath the Suricata entry. You should a line that says suricata-4.1.4_2. If you see suricata-4.1.4_1 or older, then the new binary is not yet posted. This might be the case if you have a Netgate appliance as firmware and package updates for those may be delayed a day or so.

jchud

@bmeeks At first I just did an in place upgrade, then I did a uninstall and reinstall to get rid of that app-layer-event.rule thing. As things stand right now it says I have version 4.1.4_4 installed and it lists 4.1.4_2 as a dependency. I am happy to do another uninstall/reinstall if you think it will make a difference?

bmeeks

@jchud said in Suricata 4.1.4_2 not blocking hosts:

@bmeeks At first I just did an in place upgrade, then I did a uninstall and reinstall to get rid of that app-layer-event.rule thing. As things stand right now it says I have version 4.1.4_4 installed and it lists 4.1.4_2 as a dependency. I am happy to do another uninstall/reinstall if you think it will make a difference?

You should not be getting those error messages in your suricata.log, especially the one about "Argument 'tree' NULL". Are you sure those are in the current log? Stop and restart Suricata again and see if the message reappears.

If they do, then open a CLI session on the firewall and run this command at a shell prompt:

suricata -V

That will print the current Suricata binary version. See what it says.

jchud

@bmeeks The only thing I noted when I stopped the service from the homepage is that it still showed as if it were running even though it had stopped on both the interface. When I restarted the service again the WAN didn't automatically start but the LAN did. And the log for the when did not contain any of those errors after the I started it back up again. Lastly when running the command you mention it tells me I am running version 4.1.4.