Having problems lately with suricata.
-
@bmeeks Hi. Like the title says, I had some bad experience lately.
Some weeks ago I had some very bad connection problems with my main machine. I thought that somehow my asus router in AP-mode doing vlans would be the reason.
After a reboot of pfSense everything was fine at first, but later I got blocked again. After some days I found out that Suricata totally blocked my machine, probably because of an ET rule to block home phoning of Windows. But it should never ever block my machine, right?
I couldn't even connect to pfSense anymore. Like I said, after some days of problems I removed Suricata and the problem was gone.
Lately I tried it again, this time running Suricata in inline-IPS-mode and only on LAN, which is an intel NIC, but also a parent interface of vlans. I only had activated the alert-mode, wasn't even blocking anything.
But my phone, which is connected to a vlan on the asus-router, instantly didn't have any internet anymore. So I ditched Suricata again. Is this expected behavior or is my pfSense install somehow flawed? I did uninstall Suricata and with that deleted its settings every time.
-
Unless you modify it, there is an automatic "default" Pass List created by Suricata for each interface. That Pass List contains the WAN public IP, the interface IP address subnet of every local interface on the firewall, your configured DNS servers, the loopback addresses (IPv4 and IPv6) and the default gateway. No IP addresses in that list will get blocked.
Now, if you have something downstream (that Asus wireless router) that is potentially NATing for you, that would be a problem as those NAT IP addresses would not be in a pass list. That's what I bet is happening.
You need to look at the actual IP address of the device being blocked (look it up on the device itself), then go into the ALERTS tab with Suricata running and see if that IP is in an alert. If so, then go to the INTERFACE SETTINGS tab for the interface that blocked and open up and view the contents of the default Pass List. I'm betting that the IP you see blocked (your device) is not within the subnets listed in the default Pass List.
-
@bmeeks The first time it was my main machine which has an IP-address of my LAN-network.
The second time, like I said, there was no blocking active at all...I wonder, if my asus router doing the vlans is the problem and suricata doesn't like it at all.
-
@bob-dig
Not being there to see your actual configuration, my bet is your Asus router is still in "router" mode and is doing NAT. You haven't shown me the actual IP addresses in use. If they are in RFC1918 space, there is no privacy issue at all with sharing them here. Show me the IP subnet of your LAN, the actual IP addresses your phone and PC are using, and a screenshot of the BLOCKS tab of Suricata when one of your devices is not working.
One other point, Suricata and Snort "block" by sending the offender's IP address to the firewall where it is added to a table. Stopping Suricata or Snort on the interface, or even disabling blocking on the interface will NOT remove the IP from the firewall's table. It will still be blocked. You must manually clear any blocks!
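The two posts above describe a manual cross-check: find the blocked device's real IP, see whether it shows up in an alert, compare it against the subnets in the interface's default Pass List, and remember that entries stay in the firewall's snort2c table until cleared by hand. The script below is an added example that automates that cross-check; it is not code from this thread or from the pfSense Suricata package. It assumes Suricata's fast.log alert line layout and the `pfctl -t snort2c -T show` / `pfctl -t snort2c -T delete <ip>` commands for the table; the pass-list entries, table dump, SIDs and alert lines are constructed samples, not values from the original posts.

```python
"""Cross-check pfSense/Suricata block entries against the interface Pass List.

Added example, not from the pfSense Suricata package. Pass list entries,
table dump and alert lines below are constructed samples.
"""
import ipaddress
import re

# RFC1918 ranges, used to spot private addresses that are NOT on the pass list
# (the downstream-NAT case described in the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed entries in the shape of a default Pass List: LAN subnet, loopbacks,
# WAN IP (TEST-NET placeholder), gateway and a DNS server.
PASS_LIST = ["192.168.1.0/24", "127.0.0.1", "::1", "203.0.113.10", "192.168.1.1", "9.9.9.9"]

# Constructed output in the shape of `pfctl -t snort2c -T show`.
SNORT2C_DUMP = """\
   192.168.1.50
   93.184.216.34
   10.99.0.7
"""

# Constructed fast.log-style alert lines (SIDs and messages are made up).
ALERTS = """\
05/12/2021-10:15:42.123456  [**] [1:9000001:1] EXAMPLE outbound policy hit [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.50:51234 -> 93.184.216.34:443
05/12/2021-10:16:01.000000  [**] [1:9000002:1] EXAMPLE inbound probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.99.0.7:40000 -> 192.168.1.20:22
"""

# Captures SID, message, source IP and destination IP from one fast.log line.
ALERT_RE = re.compile(r"\[1:(\d+):\d+\] (.*?) \[\*\*\].*\{\w+\} (\S+):\d+ -> (\S+):\d+")


def parse_pass_list(entries):
    """Accept single hosts and CIDR subnets; return ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def on_pass_list(ip, nets):
    """True if the address falls inside any pass-list host or subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in n for n in RFC1918)


def parse_fast_log(text):
    """Return (sid, msg, src, dst) for every alert line that matches ALERT_RE."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return out


def alerts_touching_pass_list(text, nets):
    """Alerts whose src or dst is a pass-listed address: with BLOCK set to BOTH
    these are the rules that would otherwise target a protected host."""
    hits = []
    for sid, msg, src, dst in parse_fast_log(text):
        for role, ip in (("src", src), ("dst", dst)):
            if on_pass_list(ip, nets):
                hits.append({"sid": sid, "msg": msg, "role": role, "ip": ip})
    return hits


def classify_table(dump, nets):
    """Sort snort2c entries into: pass-listed (should never be there),
    private-but-unlisted (likely a NATed downstream device), and other."""
    result = {"pass_listed": [], "private_unlisted": [], "other": []}
    for ip in dump.split():
        if on_pass_list(ip, nets):
            result["pass_listed"].append(ip)
        elif is_rfc1918(ip):
            result["private_unlisted"].append(ip)
        else:
            result["other"].append(ip)
    return result


def clear_commands(ips, table="snort2c"):
    """pfctl commands to remove entries by hand; stopping Suricata or disabling
    blocking does not flush the table."""
    return [f"pfctl -t {table} -T delete {ip}" for ip in ips]


if __name__ == "__main__":
    nets = parse_pass_list(PASS_LIST)
    for h in alerts_touching_pass_list(ALERTS, nets):
        print(f"SID {h['sid']} ({h['msg']}) fired with pass-listed {h['role']} {h['ip']}")
    buckets = classify_table(SNORT2C_DUMP, nets)
    print("blocked despite pass list:", buckets["pass_listed"])
    print("private but not pass-listed (downstream NAT?):", buckets["private_unlisted"])
    for cmd in clear_commands(buckets["pass_listed"]):
        print(cmd)
```

In the constructed data, 192.168.1.50 sits inside the pass-listed LAN subnet yet appears in the table, which is the anomaly the thread is about, while 10.99.0.7 is private but outside every pass-list entry, which is what a device behind a NATing access point would look like. Run the script on a real box by pasting the output of `pfctl -t snort2c -T show`, the pass list from the INTERFACE SETTINGS tab, and a few lines of the interface's fast.log into the three sample strings.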
-
@bmeeks I have uninstalled Suricata so I can't show you everything right now. The router is in AP-mode but the vlan functionality is not something it would normally do, it is only possible by running some scripts on it. Snort2c is empty right now.
I will come back to you next time I try Suricata. Thank you.
-
@bmeeks I had this happening on 2.4.5.p1 and now with 2.5 it has happened again: a local machine got blocked. This time it wasn't my main machine, so I didn't fall into panic mode. But still, it is very annoying. Maybe you have an idea. I installed Suricata some days ago.
Looking at suricata, 192.168.1.0/24 is in the default home net and default pass list.
Edit one day later: Today the same machine got blocked again.
-
@bob-dig Try to change the BLOCK from BOTH to DEST and see if that changes anything.
I see the same behaviour in Suricata in the datacenters.
-
@bmeeks Any thoughts or ideas on how this could have happened? Did I forget something you had asked for?
-
@bob-dig said in Having problems lately with suricata.:
@bmeeks Any thoughts or ideas on how this could have happened? Did I forget something you had asked for?
I have never, since I created the Suricata package, been able to reproduce the issue of an IP getting blocked that is on a Pass List. And believe me I have tried and tried in my virtual machine test environment to duplicate this. Therefore I have no idea what could be wrong in your system.
If it is service impacting to you, then you have three options: (1) disable blocking; (2) disable the rule category that is generating the blocks; or (3) uninstall the Suricata package entirely.
-
@bmeeks The last time there was only a small dlink green switch in between if I remember correctly. So nothing special and I think nothing wrong either.