Suricata & Citrix Workspace
-
I finally got Suricata configured to monitor my open port going to my pfSense XG-1541 (which is behind my UDMP and serves only as an OpenVPN server). Unfortunately, the Suricata rules caused Citrix Workspace to not function. It blocked a lot of IP addresses that I think are either going to my health system server or to Epic.
Does anyone know which rules to disable to allow Citrix to run correctly?
Thanks!
-
Do you know how the Suricata package operates? Have you ever administered an IDS/IPS before? If not, why did you install it and turn on blocking mode right away?
You must learn how to analyze received alerts, determine if they are false positives or not, and then take appropriate actions.
Running an IDS/IPS is not like installing an anti-virus client. If I sound harsh, it's because just about every week a user pops up here on the forum having installed either Snort or Suricata without having a clue how to administer an IDS/IPS, then things are getting blocked and they post here asking what to do about it.
Here's what you do about it. Go to the INTERFACE SETTINGS tab for all interfaces where you have activated a Suricata instance and disable the blocking. There is a checkbox for Block Offenders. Make sure it is NOT checked. Save the change. Go to the INTERFACES tab and restart Suricata on the interface using the icon. Next, go to the BLOCKS tab and press the Clear button to remove all existing Suricata blocks.
Now follow this advice I give all new IDS/IPS users:
1. Run with blocking disabled for several weeks in order to profile your network traffic and the alerts you receive.
2. Visit the ALERTS tab in Suricata at least daily and review the alerts shown. Analyze them and determine if any are false positives. Likely a bunch, if not all, will be false positives. For the false positives, decide if you want to disable that rule or suppress the alert (and resulting block). This will take Google research.
3. After at least a month of doing steps 1 & 2 above, you can then consider turning blocking back on.
-
I've been running Snort for a while, but unfortunately I had it checking a mirrored port (LAN-to-WAN being mirrored). I just now started monitoring the eth port that connects to my LAN (since I don't use pfSense for WAN). I must admit that I hadn't run it in surveillance only mode when I switched to Suricata.
Previously, Citrix had not triggered any alerts with Snort. It triggered a ton yesterday with Citrix. All other functions of the OpenVPN have been working correctly. The only issue has been Citrix.
Unfortunately, Citrix seems to use multiple IPs (I can whitelist them all, but there are many).
-
You need to examine the alerting rules and compare the threat the rules supposedly detect to the traffic getting blocked. Determine if it represents a false positive. I'm betting it is a false positive.
For false positive triggering rules you must decide whether to suppress the alert for certain IP hosts, for all hosts, or if disabling the rule is the best course of action.
You will be better served by turning off blocking like I said and collecting several weeks' worth of normal traffic with just alerts getting triggered without blocking. Analyze the alerts and use that data to "tune" your rules. That's the proper way to administer an IDS/IPS. It is a complicated beast that takes almost daily care and feeding in a business or commercial network.
-
I agree with your suggestion and already turned off blocking last night. I had false confidence based on using Snort which was also not the same setup (mirroring a WAN-to-LAN port instead of the network port connecting my pfSense to the network and allowing OpenVPN to operate).
I have several cameras at home that I thought I was doing a good thing by not allowing cloud access to the cameras. Instead, I turned off UPnP and set up a VPN to access the cameras. Probably more secure than accessing cameras directly, but I wanted to further tighten security. Using the VPN to also access my NAS and printers is a big plus.
-
@bmeeks Thanks for all your help with Suricata. I've noticed that my UDMP's network scanner triggers a lot of alerts shortly after midnight. I don't want to suppress the alerts, but would like to block them by IP (10.0.1.1 is my router's address). I have the pass list checked to ignore gateway devices, which my router is listed as in pfSense.
Any suggestions on how to get these alerts to go away? Basically they're port scans.
-
@ericnix said in Suricata & Citrix Workspace:
@bmeeks Thanks for all your help with Suricata. I've noticed that my UDMP's network scanner triggers a lot of alerts shortly after midnight. I don't want to suppress the alerts, but would like to block them by IP (10.0.1.1 is my router's address). I have the pass list checked to ignore gateway devices, which my router is listed as in pfSense.
Any suggestions on how to get these alerts to go away? Basically they're port scans.
No, if they trigger the rule they will continue to trigger the rule. You can suppress alerts by source or destination IP if that helps. So if the port scan is triggered by a particular device in your network doing something legit, you can suppress the alert for that particular IP. Hover over the icons on the ALERTS tab and little tooltips will pop up showing you what each icon does. Under the SRC and DST columns there are icons for suppressing that alert (identified by the GID:SID combo) when the Source (SRC) or Destination (DST) IP address matches. So assuming your scanner machine has the IP 10.0.1.5, suppressing by Source IP would put a line in the Suppression List that basically says "when the source IP is 10.0.1.5, then don't fire this rule". Snort had the same feature if you used it. If not, consult the official Snort documentation and search for "rule thresholding". That is the official name for the suppression action.