Suricata blocking IPs that are on the passlist
-
The IPs are not shown in any logs or matching any rules. PCs and Chromebooks show "page can't be displayed". Android phones will load the app but no data. I did a dig to get the IPs. Legacy Mode. 2.4.5-p1 and 2.5.0DEV.
-
If the IP addresses are not showing in any of Suricata's logs, then there is a near 100% chance Suricata is not doing the blocking -- or else you are interpreting something incorrectly.
What shows on the BLOCKS tab in Suricata?
What alerts are showing on the ALERTS tab in Suricata?
Did you correctly configure a Pass List AND properly assign that Pass List on the INTERFACE SETTINGS tab for the interface? Did you restart Suricata after doing this step?
Do you have prior experience with administering an IDS/IPS? If not, you really do not need to enable blocking mode until you gain experience and understand how to tune your rules. An IDS/IPS is not the same as an anti-virus client. You can't just turn it on and forget about it.
Are any other packages such as pfBlockerNG running on your firewall? What about Squid or SquidGuard?
-
@bmeeks said in Suricata blocking IPs that are on the passlist:
> If the IP addresses are not showing in any of Suricata's logs, then there is a near 100% chance Suricata is not doing the blocking -- or else you are interpreting something incorrectly.
If I stop the service I am able to reach the site (reddit.com) and use the app.
> What shows on the BLOCKS tab in Suricata?
> What alerts are showing on the ALERTS tab in Suricata?
What would be the best way to present the files?
> Did you correctly configure a Pass List AND properly assign that Pass List on the INTERFACE SETTINGS tab for the interface?
I created an alias under Firewall > Aliases > IP; it is on the WAN interface.
> Did you restart Suricata after doing this step?
Yes.
> Do you have prior experience with administering an IDS/IPS? If not, you really do not need to enable blocking mode until you gain experience and understand how to tune your rules. An IDS/IPS is not the same as an anti-virus client. You can't just turn it on and forget about it.
I have none. I look up what the rule means and its description. If something breaks I use Google to find the answer, but this time I am not able to figure it out.
> Are any other packages such as pfBlockerNG running on your firewall?
No.
> What about Squid or SquidGuard?
No. Thank you for your time.
-
Are the IP addresses you say are being blocked listed on the ALERTS tab for the interface where Suricata is running?
This statement is confusing:
> I created an alias under Firewall > Aliases > IP; it is on the WAN interface.
That is not how you create a Pass List. You create Pass Lists on the PASS LIST tab of Suricata. Now you can add one existing firewall alias to a Pass List when creating or editing the list. Is that what you did? Once you created a Pass List, did you go back to the INTERFACE SETTINGS tab for your WAN Suricata instance and select the Pass List you created in the drop-down selector under the Pass List section? You must do that, save that change, and then restart Suricata. By the way, Snort works exactly the same way.
Also you say stopping the service stops the blocks. That makes no sense either because stopping Suricata does not remove any IP blocks it has inserted while running. You did say you were running using Legacy Mode. In that mode Suricata sends the IP addresses to be blocked to the firewall and the firewall keeps them in an internal table called snort2c until either the firewall is rebooted, the user manually clears the block using the button on the BLOCKS tab, or the periodic blocked IP cleanup job runs (if it is enabled). Simply stopping the Suricata service does not remove existing blocks unless Suricata is running in Inline IPS Mode.
-
@bmeeks said in Suricata blocking IPs that are on the passlist:
> Are the IP addresses you say are being blocked listed on the ALERTS tab for the interface where Suricata is running?
No, they are not, and also not listed in any of the logs.
> This statement is confusing:
> > I created an alias under Firewall > Aliases > IP; it is on the WAN interface.
> That is not how you create a Pass List. You create Pass Lists on the PASS LIST tab of Suricata. Now you can add one existing firewall alias to a Pass List when creating or editing the list. Is that what you did?
Yes.
> Once you created a Pass List, did you go back to the INTERFACE SETTINGS tab for your WAN Suricata instance and select the Pass List you created in the drop-down selector under the Pass List section? You must do that, save that change, and then restart Suricata. By the way, Snort works exactly the same way.
> Also you say stopping the service stops the blocks. That makes no sense either because stopping Suricata does not remove any IP blocks it has inserted while running. You did say you were running using Legacy Mode. In that mode Suricata sends the IP addresses to be blocked to the firewall and the firewall keeps them in an internal table called snort2c until either the firewall is rebooted, the user manually clears the block using the button on the BLOCKS tab, or the periodic blocked IP cleanup job runs (if it is enabled). Simply stopping the Suricata service does not remove existing blocks unless Suricata is running in Inline IPS Mode.
I understand what you are saying. I can't get to reddit while it's running, and I did check it is in Legacy Mode. As soon as it stops I can access the site and use the app.
One odd thing: I can ping and tracert to the site with no problems.
-
@ELMcDonald said in Suricata blocking IPs that are on the passlist:
> No, they are not, and also not listed in any of the logs.
Then if the IP is not listed in an alert showing on the ALERTS tab, Suricata is not the cause. It is not possible for Suricata to block without showing the IP in an alert and on the BLOCKS tab. Just for info, blocked IPs are never shown anywhere in the pfSense system log nor in the suricata.log file. So don't look for them there. Look on the ALERTS and BLOCKS tabs. IPs from triggered rules only show up on the ALERTS tab or the BLOCKS tab.
> I understand what you are saying. I can't get to reddit while it's running, and I did check it is in Legacy Mode. As soon as it stops I can access the site and use the app.
> One odd thing: I can ping and tracert to the site with no problems.
These statements prove to me that Suricata is not your problem (if you are actually using Legacy Mode). Suricata blocks everything for an IP once it blocks. That includes all ports and all protocols. So nothing would work for a given IP if Suricata is actually doing the blocking, so the tracert and ping would fail. This is especially the case in Legacy Mode. It is impossible within the code for Suricata in Legacy Mode to block just one protocol for an IP.
I don't mean to be rude, but your description of the issue leads me to believe you need much more experience with an IDS before you put it in blocking mode. Go to the INTERFACE SETTINGS tab (for your WAN, since you said you are running Suricata on the WAN) and uncheck the box for Block Offenders. Save the change and restart Suricata. See how things work then. If everything works fine, then that indicates you have a lot of learning to do with regards to how to operate and utilize the Suricata package.
The things you have described as happening to you thus far do not follow logically based on other information you are giving to my questions. To be blunt, it can't be working exactly as you describe. The code just does not work that way. Perhaps you are not describing things correctly when answering my specific questions.
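-
As an added example that is not part of the thread, of the pfSense project or of the Suricata package: the two replies above explain that a Legacy Mode block is an entry in the pf table snort2c and that pf then drops every port and protocol for that address. The ground truth is therefore the table itself, not the GUI. The POSIX shell script below checks a list of addresses against that table from the firewall's own shell, using only the standard pfctl(8) table commands (-t TABLE -T show / delete). The table name snort2c comes from the thread; the PFCTL variable, the function names and the sample dump used when pfctl is absent are assumptions made for this example, and the sample addresses are constructed documentation-range data, not real blocks.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense package): is an address
# really in the pf table that Legacy Mode blocks are written to?
# Standard pfctl table commands only: -t TABLE -T show, -T delete.
# When pfctl is not on the PATH (running this off-box), a constructed
# sample dump stands in so the logic can still be exercised.

TABLE="snort2c"              # table named in the thread
PFCTL="${PFCTL:-pfctl}"      # assumption: override to force the sample dump

# Constructed sample of `pfctl -t snort2c -T show` output (pfctl indents
# each entry). Documentation-range addresses, not real blocks.
SAMPLE_DUMP='   192.0.2.10
   198.51.100.23
   203.0.113.77'

# dump_table: print the table contents, one bare address per line.
dump_table() {
    {
        if command -v "$PFCTL" >/dev/null 2>&1; then
            "$PFCTL" -t "$TABLE" -T show 2>/dev/null
        else
            printf '%s\n' "$SAMPLE_DUMP"
        fi
    } | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# ip_blocked ADDR: exit status 0 if ADDR is in the table, 1 otherwise.
# -x forces a whole-line match so 198.51.100.2 does not match 198.51.100.23.
ip_blocked() {
    dump_table | grep -qFx "$1"
}

# classify ADDR: print "blocked" or "not-blocked".
classify() {
    if ip_blocked "$1"; then echo blocked; else echo not-blocked; fi
}

# check_hosts ADDR...: one report line per address; returns 0 only when
# none of them is in the table. Feed it every address the site resolves
# to, and re-run the lookup, because CDN-hosted sites rotate addresses
# (which is how one address was missed in the thread).
check_hosts() {
    rc=0
    for ip in "$@"; do
        state=$(classify "$ip")
        printf '%-16s %s\n' "$ip" "$state"
        [ "$state" = "blocked" ] && rc=1
    done
    return $rc
}

# unblock ADDR: shell equivalent of the BLOCKS-tab clear button for one
# address. Only meaningful on the firewall itself, as root.
unblock() {
    command -v "$PFCTL" >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# Usage on the firewall: sh check_snort2c.sh 192.0.2.10 203.0.113.5
[ $# -gt 0 ] && check_hosts "$@"
```

Reading the result: if every address a site resolves to reports not-blocked while the site is still unreachable with Suricata running, the cause is something other than a Legacy Mode block (another package, a firewall rule, or an address the first dig did not return), which is the conclusion the reply above reaches from the ping and tracert succeeding.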
-
@bmeeks said in Suricata blocking IPs that are on the passlist:
> @ELMcDonald said in Suricata blocking IPs that are on the passlist:
> > No, they are not, and also not listed in any of the logs.
> Then if the IP is not listed in an alert showing on the ALERTS tab, Suricata is not the cause. It is not possible for Suricata to block without showing the IP in an alert and on the BLOCKS tab. Just for info, blocked IPs are never shown anywhere in the pfSense system log nor in the suricata.log file. So don't look for them there. Look on the ALERTS and BLOCKS tabs. IPs from triggered rules only show up on the ALERTS tab or the BLOCKS tab.
> > I understand what you are saying. I can't get to reddit while it's running, and I did check it is in Legacy Mode. As soon as it stops I can access the site and use the app.
> > One odd thing: I can ping and tracert to the site with no problems.
> These statements prove to me that Suricata is not your problem (if you are actually using Legacy Mode). Suricata blocks everything for an IP once it blocks. That includes all ports and all protocols. So nothing would work for a given IP if Suricata is actually doing the blocking, so the tracert and ping would fail. This is especially the case in Legacy Mode. It is impossible within the code for Suricata in Legacy Mode to block just one protocol for an IP.
> I don't mean to be rude, but your description of the issue leads me to believe you need much more experience with an IDS before you put it in blocking mode. Go to the INTERFACE SETTINGS tab (for your WAN, since you said you are running Suricata on the WAN) and uncheck the box for Block Offenders. Save the change and restart Suricata. See how things work then. If everything works fine, then that indicates you have a lot of learning to do with regards to how to operate and utilize the Suricata package.
> The things you have described as happening to you thus far do not follow logically based on other information you are giving to my questions. To be blunt, it can't be working exactly as you describe. The code just does not work that way. Perhaps you are not describing things correctly when answering my specific questions.
I admitted that I have no experience with IDS/IPS. Do you have any sites that would be good for a beginner?
I stumbled upon another address that my research didn't find the first time. Added that IP and did a test and all works. Turned blocking mode back off.
Thank you for your help.