Netgate Discussion Forum

    Suricata 4.1.4_2 not blocking hosts

    • bmeeksB
      bmeeks @bose301s
      last edited by bmeeks

      @bose301s: and one last question, is the "Which IP to Block" setting on the INTERFACE SETTINGS tab set to BOTH, or DST or SRC? BOTH is the default.

      Edit: Oh, and you do not have Block on Drops only set do you? If so, have you changed your rule actions to DROP from their default of ALERT?

      Just checking all the obvious things first.

      B 1 Reply Last reply Reply Quote 0
      • B
        bose301s @bmeeks
        last edited by bose301s

        @bmeeks said in Suricata 4.1.4_2 not blocking hosts:

        @bose301s: and one last question, is the "Which IP to Block" setting on the INTERFACE SETTINGS tab set to BOTH, or DST or SRC? BOTH is the default.

        Edit: Oh, and you do not have Block on Drops only set do you? If so, have you changed your rule actions to DROP from their default of ALERT?

        Just checking all the obvious things first.

        The which IP to block is set to BOTH and I did not change it to Block on Drops.

        bmeeksB 1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks @bose301s
          last edited by bmeeks

          @bose301s:
          Okay. I will look into this again. It very well may be related to a bug fix I did to correct a problem with Suricata failing to start on interfaces with a /31 subnet mask.

          So that I can test with the exact same IP configuration, will you PM me the IP address and subnet mask for your WAN link? If it is what I suspect, then certain types of IP subnets may trigger the problem, and using yours can help me locate it. You can do that using the Chat icon at the top right corner of this page.

          B 1 Reply Last reply Reply Quote 0
          • R
            ryan_g
            last edited by

            I am having the identical problem with 4.1.4_3 after updating. I have not tried rebuilding the entire router but wiping Suricata and reinstalling/re-configuring has not made a difference. Alerts are showing properly, just no blocks. I will message my IP if that helps.

            bmeeksB 1 Reply Last reply Reply Quote 0
            • B
              bose301s @bmeeks
              last edited by

              @bmeeks said in Suricata 4.1.4_2 not blocking hosts:

              @bose301s:
              Okay. I will look into this again. It very well may be related to a bug fix I did to correct a problem with Suricata failing to start on interfaces with a /31 subnet mask.

              So that I can test with the exact same IP configuration, will you PM me the IP address and subnet mask for your WAN link? If it is what I suspect, then certain types of IP subnets may trigger the problem, and using yours can help me locate it. You can do that using the Chat icon at the top right corner of this page.

              I am really new to pfSense, do you need my public IP and the Subnet?

              bmeeksB 1 Reply Last reply Reply Quote 0
              • J
                jchud
                last edited by

                I recently upgraded to 4.1.4_3 and am having the same issue where it is alerting but not blocking. And when I tried rebooting my pfsense box this morning it failed to properly come back up, displaying a ton of errors to the console. Just got done rebuilding my entire pfsense box and still having the same issue.

                bmeeksB 1 Reply Last reply Reply Quote 1
                • bmeeksB
                  bmeeks @ryan_g
                  last edited by

                  @ryan_g : I received your info. Thanks. Will look into this problem. I am pretty sure I introduced it by fixing another issue reported on Redmine with /31 point-to-point subnets.

                  1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks @jchud
                    last edited by

                    @jchud said in Suricata 4.1.4_2 not blocking hosts:

                    I recently upgraded to 4.1.4_3 and am having the same issue where it is alerting but not blocking. And when I tried rebooting my pfsense box this morning it failed to properly come back up, displaying a ton of errors to the console. Just got done rebuilding my entire pfsense box and still having the same issue.

                    I suspect this is a common problem, and likely one I inadvertently introduced while fixing another reported bug. I will get this one fixed.

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks @bose301s
                      last edited by

                      @bose301s said in Suricata 4.1.4_2 not blocking hosts:

                      @bmeeks said in Suricata 4.1.4_2 not blocking hosts:

                      @bose301s:
                      Okay. I will look into this again. It very well may be related to a bug fix I did to correct a problem with Suricata failing to start on interfaces with a /31 subnet mask.

                      So that I can test with the exact same IP configuration, will you PM me the IP address and subnet mask for your WAN link? If it is what I suspect, then certain types of IP subnets may trigger the problem, and using yours can help me locate it. You can do that using the Chat icon at the top right corner of this page.

                      I am really new to pfSense, do you need my public IP and the Subnet?

                      See my PM reply to you. Was away for a while and replied to your post after it was 5 hours old.

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        To anyone else experiencing this issue of the latest Suricata package not blocking hosts when Legacy Mode blocking is enabled, I am aware and looking into the fix. Pretty sure this is a side effect from fixing another different bug. The issue is within the custom blocking plugin I wrote for Suricata, so I will have to patch and then submit an updated Suricata binary to correct the problem.

                        1 Reply Last reply Reply Quote 2
                        • bmeeksB
                          bmeeks
                          last edited by

                          The fix for this bug is posted for the pfSense team to review and merge. I've asked them to expedite this one, so keep checking for a new Suricata package to show up in PACKAGE MANAGER either later today or early tomorrow.

                          The pull request for the fix is here: https://github.com/pfsense/FreeBSD-ports/pull/652.

                          1 Reply Last reply Reply Quote 0
                          • J
                            jchud
                            last edited by

                            Just got the update installed, so thanks for fixing things. I do want to mention though that just like when I rebuilt everything from scratch it did not automatically start on my WAN interface but did on my LAN, and when I go look up the rules it tells me the app-layer-event.rules cannot be found or something. On the bright side at least it's blocking again.

                            bmeeksB 1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks @jchud
                              last edited by

                              @jchud said in Suricata 4.1.4_2 not blocking hosts:

                              Just got the update installed, so thanks for fixing things. I do want to mention though that just like when I rebuilt everything from scratch it did not automatically start on my WAN interface but did on my LAN, and when I go look up the rules it tells me the app-layer-event.rules cannot be found or something. On the bright side at least it's blocking again.

                              There is a fix for that in the update, but unfortunately you don't get the fixed file in effect until after you install the update. By that point the old file has already messed up your install. You can fix your problem by doing what I just wrote in the Release Notes here. Delete the Suricata package and then install it again. That will restore the missing app-layer-events.rules and other events rules files.

                              J 1 Reply Last reply Reply Quote 0
                              • J
                                jchud @bmeeks
                                last edited by

                                @bmeeks Alright did an uninstall followed by a reinstall and it got rid of the app-layer-event.rule thing. The only thing that it still did was not autostart on my WAN interface like it did on my LAN, any idea how to correct that?

                                bmeeksB 1 Reply Last reply Reply Quote 0
                                • bmeeksB
                                  bmeeks @jchud
                                  last edited by bmeeks

                                  @jchud said in Suricata 4.1.4_2 not blocking hosts:

                                  @bmeeks Alright did an uninstall followed by a reinstall and it got rid of the app-layer-event.rule thing. The only thing that it still did was not autostart on my WAN interface like it did on my LAN, any idea how to correct that?

                                  There should be a message in the suricata.log file for the interface. It can also take Suricata a little time to start on an interface if you have lots of rules enabled. That little icon on the INTERFACES tab will show a spinning gear if Suricata is still starting for an interface. If you see just the red X (for stopped), then check the log file to see what's up. And just one more thing: don't use the Service Watchdog package with Suricata or Snort. You haven't said you are, but I just mention it because several folks have done that and it leads to issues.

                                  J 1 Reply Last reply Reply Quote 0
                                  • J
                                    jchud @bmeeks
                                    last edited by

                                    @bmeeks Well unfortunately I do not have a copy of the log prior to me starting it manually, but I will check next time I reboot or something. Though speaking about that log, I did notice that while it is blocking I still get a few entries (like when it wasn't) saying "<Warning> -- [ERRCODE: SC_WARN_UNCOMMON(230)] - alert-pf -> Firewall interface IP change notification thread received an invalid IP address via kernel routing message socket.", "<Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Argument "tree" NULL", and some about the IP address on the interface being changed. Also, as far as I know I am not using the Service Watchdog package.

                                    bmeeksB 1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks @jchud
                                      last edited by bmeeks

                                      @jchud said in Suricata 4.1.4_2 not blocking hosts:

                                      @bmeeks Well unfortunately I do not have a copy of the log prior to me starting it manually, but I will check next time I reboot or something. Though speaking about that log, I did notice that while it is blocking I still get a few entries (like when it wasn't) saying "<Warning> -- [ERRCODE: SC_WARN_UNCOMMON(230)] - alert-pf -> Firewall interface IP change notification thread received an invalid IP address via kernel routing message socket.", "<Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Argument "tree" NULL", and some about the IP address on the interface being changed. Also, as far as I know I am not using the Service Watchdog package.

                                      Are you sure you got the updated binary? Those errors were the old bug manifesting itself. That can't happen in the fixed binary. Did you delete the Suricata package entirely and then install it again? If not, do it this way ---

                                      1. Go to the PACKAGE MANAGER tab, and on the Installed Packages tab click the trash icon beside the Suricata package to remove it from the firewall. It will take several seconds to uninstall. Let it finish and DO NOT leave the page until you get a green status bar saying removal succeeded.

                                      2. Click the Available Packages tab, locate Suricata in the list, and install it again. Pay careful attention to the dependency packages listed underneath the Suricata entry. You should see a line that says suricata-4.1.4_2. If you see suricata-4.1.4_1 or older, then the new binary is not yet posted. This might be the case if you have a Netgate appliance, as firmware and package updates for those may be delayed a day or so.

                                      J 1 Reply Last reply Reply Quote 0
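As an added example (not from this thread or the pfSense Suricata package), a small Python parser that scans suricata.log lines for the two messages bmeeks identifies above as the old blocking-plugin bug; the sample log lines are constructed, and the leading timestamp layout is an assumption.

```python
import re

# Matches the "<Level> -- [ERRCODE: NAME(number)] - message" shape quoted in the thread.
# Anything before "<Level>" (the date/time prefix) is skipped, so it is tolerant of that layout.
LOG_LINE = re.compile(
    r"<(?P<level>\w+)>\s*-+\s*\[ERRCODE:\s*(?P<name>\w+)\((?P<code>\d+)\)\]\s*-\s*(?P<msg>.*)$"
)

# (error name, message prefix) pairs the thread attributes to the pre-fix binary.
STALE_BINARY_MARKERS = (
    ("SC_WARN_UNCOMMON", "alert-pf -> Firewall interface IP change notification thread"),
    ("SC_ERR_INVALID_ARGUMENT", 'Argument "tree" NULL'),
)

# Constructed sample: one Notice line without an ERRCODE field, the two thread messages, one Info line.
SAMPLE_LOG = [
    "6/5/2019 -- 08:01:12 - <Notice> - all 4 packet processing threads initialized, engine started.",
    '6/5/2019 -- 08:01:13 - <Warning> -- [ERRCODE: SC_WARN_UNCOMMON(230)] - alert-pf -> Firewall interface IP change notification thread received an invalid IP address via kernel routing message socket.',
    '6/5/2019 -- 08:01:13 - <Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Argument "tree" NULL',
    "6/5/2019 -- 08:01:14 - <Info> -- [ERRCODE: SC_OK(0)] - rule reload complete",
]


def parse_line(line):
    """Return a dict with level, name, code and msg, or None for lines without an ERRCODE field."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    return {"level": m["level"], "name": m["name"], "code": int(m["code"]), "msg": m["msg"].strip()}


def stale_binary_hits(lines):
    """Return the parsed entries that match one of the thread's stale-binary markers."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if any(entry["name"] == name and entry["msg"].startswith(prefix)
               for name, prefix in STALE_BINARY_MARKERS):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in stale_binary_hits(SAMPLE_LOG):
        print(f"{hit['level']} {hit['name']}({hit['code']}): {hit['msg']}")
```

Run it against the real file with `stale_binary_hits(open("/var/log/suricata/<interface dir>/suricata.log"))`, substituting the interface directory for your install; any hit means the log was written by the pre-fix binary and the check in `suricata -V` is worth repeating.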
                                      • J
                                        jchud @bmeeks
                                        last edited by

                                        @bmeeks At first I just did an in-place upgrade, then I did an uninstall and reinstall to get rid of that app-layer-event.rule thing. As things stand right now it says I have version 4.1.4_4 installed and it lists 4.1.4_2 as a dependency. I am happy to do another uninstall/reinstall if you think it will make a difference?

                                        bmeeksB 1 Reply Last reply Reply Quote 0
                                        • bmeeksB
                                          bmeeks @jchud
                                          last edited by bmeeks

                                          @jchud said in Suricata 4.1.4_2 not blocking hosts:

                                          @bmeeks At first I just did an in-place upgrade, then I did an uninstall and reinstall to get rid of that app-layer-event.rule thing. As things stand right now it says I have version 4.1.4_4 installed and it lists 4.1.4_2 as a dependency. I am happy to do another uninstall/reinstall if you think it will make a difference?

                                          You should not be getting those error messages in your suricata.log, especially the one about "Argument 'tree' NULL". Are you sure those are in the current log? Stop and restart Suricata again and see if the message reappears.

                                          If they do, then open a CLI session on the firewall and run this command at a shell prompt:

                                          suricata -V
                                          

                                          That will print the current Suricata binary version. See what it says.

                                          J 1 Reply Last reply Reply Quote 0
                                          • J
                                            jchud @bmeeks
                                            last edited by

                                            @bmeeks The only thing I noted when I stopped the service from the homepage is that it still showed as if it were running even though it had stopped on both interfaces. When I restarted the service again the WAN didn't automatically start but the LAN did. And the log for the WAN did not contain any of those errors after I started it back up again. Lastly, when running the command you mention it tells me I am running version 4.1.4.

                                            bmeeksB 1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.