Suricata Not Blocking legacy mode
-
@everfree said in Suricata Not Blocking legacy mode:
I use Legacy Mode block for 2 years, it works, i can't sure what version let the problem occurred.
I only say the version have bug, I hope you check by check, I have bad English, I don't know give you more details. Dst is not have any block icon in block mode, it's strange. I have two suricata IPS, it have the same problem. one is 2 years before, others is the new machine.
thanks.
Ming-Chang Cheng.
Looking at your last screen capture, it appears to me that you have blocking set to SRC IP only. I say that because you have the red X "unblock" icon showing for Source IP addresses that are not in your large Pass List network (I recall you said 163.22.0.0/16 was in your Pass List). For all of the ET MALWARE and ET MOBILE_MALWARE rules I see in your screen capture, the SRC IP is in your Pass List, so no block. However, for one of the ET WEB_SERVER rules (the last one shown), the SRC IP was 202.166.50.169 and that IP is showing as currently blocked (it has the red X icon).
I will fire up my test virtual machine again and double-check that blocking of DST IP addresses works.
-
yes, 202.166.50.169 is like ET-SCAN, it's inbound direction rules, ET-Trojan is outbound direction rules, I very sure block mode i select block both , so i don't know why 158.85.63.185 and others dst is not blocked.
-
@everfree said in Suricata Not Blocking legacy mode:
yes, 202.166.50.169 is like ET-SCAN, it's inbound direction rules, ET-Trojan is outbound direction rules, I very sure block mode i select block both , so id don't know why 158.85.63.185 and others dst is not blocked.
Go to the LOGS VIEW tab and select the interface where you posted the screen captures from. I assume it is maybe your WAN interface. If not, use whatever interface the earlier posted screen capture is from.
Open the
suricata.logfile and find this line:20/8/2019 -- 21:54:37 - <Info> -- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=offThis will display the startup cofiguration of the custom alert-pf blocking plugin. Post back here with what it says. The line above is from my test virtual machine with Suricata installed on it.
-
I just got these blocks in my test virtual machine. Notice that it blocked the DST IP on the WAN. The IP shown happens to be the Link-Local IP, but it was the destination address of the packet that triggered the rule. I am in the U.S. Eastern Time Zone, so my dates and times are obviously different than yours (by an entire day almost).
and here is the BLOCKS tab showing that blocked destination IP address along with the source IP.
So from this I have to conclude the code is working as it should. There has to be something astray in your configuration that you are overlooking.
-
20/8/2019 -- 13:15:06 - <Info> -- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=off -
@everfree said in Suricata Not Blocking legacy mode:
20/8/2019 -- 13:15:06 - <Info> -- alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=offHave you modified anything in your HOME_NET or EXTERNAL_NET variables? Have you checked for any duplicate Suricata processes? I would certainly first check for a duplicate process using this shell command:
ps -ax | grep suricataYou should see only a single running instance of Suricata for each configured interface. If you see any duplicate processes, you need to stop all Suricata processes in the GUI, open a command-line shell and repeat the above command to see if any Suricata process is still running. If you see one, kill it with this shell command:
kill -9 <pid>where <pid> is the process ID of the remaining Suricata process. At this point I don't know what else to suggest. The Suricata code is working for me, and I installed it fresh on this VMware virtual machine this morning (it is now 10:12 PM in the evening here). As you can see in my screen shots, the blocking is working for both directions (source and destination IPs). There is nothing in Suricata that would change simply based on the rules category.
-
@bmeeks If i don't select any passlist, My IPS show the same screen.
-
@everfree said in Suricata Not Blocking legacy mode:
@bmeeks If i don't select any passlist, My IPS show the same screen.
Just making sure you realize that anytime you change the Pass List or the blocking mode, you must restart Suricata on that interface in order for the change to become effective. Suricata only reads its configuration at startup. It does not "live update" any configuration setting. The only "live update" it can do is reload the rules.
-
And just to be complete, my virtual machine just recorded these IPv4 DST IP blocks:
login-to-view
So it's not just IPv6 addresses that block, the IPv4 addresses are blocking as well. Since Legacy Mode puts the interface in promiscuous mode, it is seeing all of my local LAN traffic on the VM's WAN interface because the WAN of this virtual machine is connected to my LAN. -
when i remove my passlist, it show below...
login-to-viewlogin-to-view
login-to-view -
@everfree said in Suricata Not Blocking legacy mode:
when i remove my passlist, it show below...
login-to-viewlogin-to-viewThen your Pass List is too broad. It is whitelisting more IP address space than you think. The default Pass List will include your WAN IP address (just the actual IP, not the whole subnet), your LAN subnet, your DNS server IPs (if defined on the firewall setup), your WAN gateway IP, any VPN addresses and any Virtual IP addresses.
You need to examine the actual contents of the Pass List you had assigned to see what's up. I suspect a subnet is defined too large and is thus adding a lot of extra unintended IP space to the Pass List. Click the View List button beside Pass List to see what addresses are in the default list, then assign your custom Pass List and click View List for it to see what's different.
I think your last screen shot proves what I said several posts earlier. Your configuration is not exactly how you believed it to be. In this case, I suspect your Pass List is overly broad and thus whitelisting a large chunk of IP space (and therefore you get no blocks on those IPs as is proper when an IP address is covered by a Pass List entry).
-
-
@everfree said in Suricata Not Blocking legacy mode:
I modify my passlist it only
127.0.0.1/32 163.22.0.0/16 ::1/128login-to-view
it still not works.Post the content of your Pass List. Assign it on the INTERFACE SETTINGS tab and then click the View List button. Paste the content of that modal dialog back here to the forum. Better yet, post the content of both the default list and your custom list so we can examine the differences.
Since it works when you set the Pass List to "default", that means the underlying binary code works fine. Something is incorrect within your custom Pass List. At least that is the best theory I have.
-
login-to-view
NTCT_HOME127.0.0.1/32 163.22.0.0/16 ::1/128default
!127.0.0.1/32 !163.22.0.0/16 !::1/128 -
@everfree said in Suricata Not Blocking legacy mode:
login-to-view
NTCT_HOME127.0.0.1/32 163.22.0.0/16 ::1/128default
!127.0.0.1/32 !163.22.0.0/16 !::1/128Those values appear incorrect for the "default" Pass List. That appears to be the content of your EXTERNAL_NET variable perhaps and not the Pass List. The default Pass List would never contain the negation (!) symbol. However, the default definition of EXTERNAL_NET would contain the negation symbol.
The default Pass List should contain your WAN IP address with a /32 netmask, your WAN gateway IP with a /32 netmask, and the IP address or addresses of any DNS servers you have configured on the General Setup screen of pfSense.
-
So the next step what can i do??
The default Pass List should contain your WAN IP address with a /32 netmask, your WAN gateway IP with a /32 netmask, and the IP address or addresses of any DNS servers you have configured on the General Setup screen of pfSense.the default list i uncheck WAN IP and gateway
-
@everfree said in Suricata Not Blocking legacy mode:
So the next step what can i do??
If what you posted is actually your Pass List (and default Pass List) content, then you have a seriously messed up
config.xmlfile section for the Suricata package. Either that, or you posted the wrong information. -
@everfree said in Suricata Not Blocking legacy mode:
So the next step what can i do??
The default Pass List should contain your WAN IP address with a /32 netmask, your WAN gateway IP with a /32 netmask, and the IP address or addresses of any DNS servers you have configured on the General Setup screen of pfSense.the default list i uncheck WAN IP and gateway
You really should not do that. In fact, there is seldom any reason to modify the default values of a Pass List. The only useful modification is to add additional address space to the list using the alias option at the bottom of the edit dialog. There is really no good reason to remove an IP from the default Pass List.
Change you Pass List back to "default" and don't bother it. Why would you want to Suricata to block your WAN gateway IP anyway? That would totally kill all connectivity for your box. Same thing with your DNS servers.
-
default
!8.8.4.4/32 !8.8.8.8/32 !127.0.0.1/32 !163.22.0.0/16 !163.22.49.26/32 !163.22.49.28/32 !163.22.168.0/24 !168.95.1.1/32 !168.95.192.1/32 !::1/128 !fe80::21b:21ff:fe94:dc94/128 !fe80::21b:21ff:fe94:dc95/128 !fe80::f603:43ff:fe5c:88b4/128 -
@everfree said in Suricata Not Blocking legacy mode:
default
!8.8.4.4/32 !8.8.8.8/32 !127.0.0.1/32 !163.22.0.0/16 !163.22.49.26/32 !163.22.49.28/32 !163.22.168.0/24 !168.95.1.1/32 !168.95.192.1/32 !::1/128 !fe80::21b:21ff:fe94:dc94/128 !fe80::21b:21ff:fe94:dc95/128 !fe80::f603:43ff:fe5c:88b4/128If that is your PASS LIST, then it is completely wrong. Pass Lists should NEVER contain the negation symbol (that exclamation point means "not in this IP range"). So basically that list would tell Suricata to never block on any IP address unless it was within the range listed. In effect, with the ! negation symbol, your Pass List is backwards.
I really can't believe this is the content of your default Pass List. It looks instead to be the content of maybe your default EXTERNAL_NET list. Are you absolutely positive you are clicking the correct View List button immediately to the right of the Pass List drop-down selector?