Suricata pass list ignored
-
The Pass List is entirely part of the custom code. Suricata itself has no concept of, nor use for, the Pass List functionality. Neither does Snort, by the way.
The reason a Pass List even exists is because of the "big hammer" approach used for blocking. This all goes back to the Snort package, so a little history to help you better understand.
Snort many many moons ago had an added plugin feature called
snortsam
. It was a FreeBSD thing and not related to pfSense directly. It also worked with a number of firewall engines from several operating systems. Details can be found here: http://www.snortsam.net/. That feature on FreeBSD relied on the use of theipfw
firewall engine. And it worked by extracting the IP addresses from Snort alerts and then making system calls to insert those addresses into a firewall rule that would then block subsequent traffic from that host. Key here is the word "subsequent", because this all works by using libpcap to send copies of packets to Snort for analysis. Snort then may generate an alert on the copied packet (or packets in the event a larger stream of data). So that first packet (or packets) made it all the way through the firewall. However, subsequent packets in that stream could be blocked by the new firewall rule (provided the user configured the option to clear states for that IP session when an "alert" was detected and the offending IP was handed off to the firewall to be put in the blocking rule).pfSense uses
pf
instead ofipfw
for the firewall engine.ipfw
is used within the Captive Portal code. So someone in the very distant past created a plugin for Snort called "spoink" that worked similar to thesnortsam
plugin, but this new one worked withpf
instead ofipfw
. It accomplished the same thing, but just used thepf
firewall engine.So what does a Pass List have to do with this? Because the "blocking" worked by actually putting a host's IP address in a firewall rule, ALL subsequent traffic to or from that host would be blocked so long as the IP existed in the firewall rule. There was no granularity to the blocking. You could not block just the "bad traffic" but let the other packets through. It was an all or nothing proposition. This could potentially be a bad thing if Snort, for example, put your web server's IP in the blocking firewall rule. So was born the idea of a list of hosts that the blocking module would never block -- the Pass List.
So when the Suricata package came along, I put the same functionality into it (the Pass List) for the same reason. Now when using Inline IPS Mode where individual packets are literally dropped by the kernel
netmap
device and the firewall is not involved in any manner, there is no need for a Pass List as nobody's IP address ever gets put anywhere. Individual packets are either passed or dropped by thenetmap
device as it routes them from the NIC driver to the kernel depending on instructions from Suricata. And by the way, that same technology is now available in Snort.Finally, let's loop around to how the Pass List works. To keep from reinventing the wheel, I simply used the existing functions with the Snort and Suricata binaries for storing IP addresses or subnets in a memory table and then later testing whether a given IP address matches a previously stored address or is contained within a previously stored subnet. This functionality exists within Suricata and Snort because the rules evaluation engine needs it (the ability to match addresses to either discrete values or determine if an address resides within a stored subnet).
The code for matching IP addresses against a Pass List can get a little tricky when you start needing to figure out whether an IP is within a subnet. So long as we are talking a small number of subnets, it's not too bad. But some users have gone crazy with adding stuff to Pass Lists and have hundreds and hundreds of IP subnets, many of which overlap each other. So rather than trying to write my own code to handle all of that, I used existing code that was already right there. And with all my testing (and my subsequent testing), it has always worked for me. I've never had an issue with it in either Snort nor Suricata.
If you want to examine the code, or compile your own version for debugging, here is the link on Github: https://github.com/pfsense/FreeBSD-ports/tree/devel/security/suricata. The custom plugin patch is in the
files
sub-folder. It's called patch-alert-pf.diff. Apply that patch to an extracted stock source code directory from Suricata-5.0.4 and that's all you need. I would be happy for another set of eyes to go over that code. Maybe they will see something I have missed. -
@bmeeks I guess I am just "oversimplifying" the task to match an IP address to a white list. It was my expectation that most likely a dozen of libraries exist that should be able to do this. I agree that once a crazy amount of pass-list entries come into play, this will make a difference.
I doubt that my set of eyes will make a big difference in analyzing the code esp. if it depends on a complex not well documented library. I fully trust that you are a million times better at this than I. :-)
My suggestion was: If you build a debug version with the output you need and you are able to replicate the issue --> super. If you have a debug version but cannot replicate the issue I come into play.
FreeBSD pfSense.koopmann.local 11.3-STABLE FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense amd64
as long as the executable runs on this platform and you drop me a link to the binary (or I provide an upload space) I can exchange the executable, reproduce things and send all debug output to you. Or you can take a look via TeamViewer etc.
Regards
JP -
@j-koopmann said in Suricata pass list ignored:
@bmeeks I guess I am just "oversimplifying" the task to match an IP address to a white list. It was my expectation that most likely a dozen of libraries exist that should be able to do this. I agree that once a crazy amount of pass-list entries come into play, this will make a difference.
Well, you could say I did use a ready-made library to do this. I am using the code already existing in the Suricata binary. I saw no need to bulk up my plugin module by either creating the Pass List logic from scratch, or importing yet another third-party library into the mix. And like I said, this code has worked. And every time I have tested it, it continues to work. For that other user I mentioned (which was early last year, if I am recalling correctly), I was never able to reproduce his issue either. I did try some things differently in examining the returned value from the built-in function call, but since I could not reproduce his issue I really couldn't test my theory. I built the altered code anyway and he tested; and if I recall, it sometimes worked for him and other times did not. English was not his primary language so there was some difficulty in communicating with each other through the translations. But it worked everytime for me. He was a user with a ton of network subnets defined on his Pass List (like maybe a hundred as I recall). He sent me his exact Pass List, and I pasted it into a list in a virtual machine, and then configured Kali Linux to spoof IP addresses on his pass list while scanning the WAN interface of my Kali machine. I would get alerts and no blocks (as desired when the IPs were on the Pass List). Removing the networks from the Pass List resulted in blocks in the virtual machine.
If the Pass List code was fundamentally flawed, I would expect to see dozens and dozens of posts here about it. After all, there are over 24,000 installations of the Snort and Suricata packages around the world. This is how many unique hits the Snort folks told me they see daily on the rules update servers where the
curl
user agent identifies the client as pfSense.I am quite busy at the moment on another totally unrelated project, so it will be a while before I can look into this. But I will. In the meantime, you are welcome to dive in using the code link I provided. You should be able, if you have a FreeBSD-11.3/STABLE machine with the standard build packages in place, to create a
pkg
*.tgz file and then copy it over to pfSense and install it for testing. The key is having the matching version of the pfSense underlying OS. In this case that is FreeBSD-11.3/STABLE. -
I encountered the same and just rebooted the box. Problem solved.
-
@cool_corona said in Suricata pass list ignored:
I encountered the same and just rebooted the box. Problem solved.
If a reboot solved the problem, that would point to you having a duplicate process on an interface. In that instance, the duplicate process will not see nor respond to any Pass List changes. That was a common problem in the past, but more rare now. However, if anyone uses Service Watchdog with the IDS/IPS packages, getting duplicate processes can happen. So can frequent up/down cycles of an interface (especially the WAN) which cause the pfSense subsystem to issue a series of "restart all packages" commands in quick succession.
-
@bmeeks after not running into this for months it sort of slipped my mind. Now my VPN Client connection was dropped several times and during debugging I found out I was hit once more by this. The /24 of the client network is in the PASS_LIST but was ignored.
I updated to pfsense 2.5.2 and Suricata 6.0.0_10. Have you had any chance whatsoever to look into this. Reboot does NOT solve this problem.And I just rechecked: Only one process. The entry in the pass list is there for months and several reboots had been performed.
-
@j-koopmann said in Suricata pass list ignored:
@bmeeks after not running into this for months it sort of slipped my mind. Now my VPN Client connection was dropped several times and during debugging I found out I was hit once more by this. The /24 of the client network is in the PASS_LIST but was ignored.
I updated to pfsense 2.5.2 and Suricata 6.0.0_10. Have you had any chance whatsoever to look into this. Reboot does NOT solve this problem.And I just rechecked: Only one process. The entry in the pass list is there for months and several reboots had been performed.
I have tried and tried to reproduce this issue in my test virtual machines for Suricata over the years. I have NEVER had a pass list entry not work properly in all of my testing.
Not saying you aren't seeing the problem, but if I can't reproduce it, I can't troubleshoot or fix it. I have even had other users send me their exact pass lists, which I pasted into my test VMs, and still was unable to reproduce the issue.
-
@bmeeks i appreciate this.
How can I help? I should be able to reproduce this somehow but how would that help you?
-
@j-koopmann said in Suricata pass list ignored:
@bmeeks i appreciate this.
How can I help? I should be able to reproduce this somehow but how would that help you?
Unfortunately it likely can't, because what would be needed is a full debug build of the Suricata package, a copy of the binary source code, and then loading it all up into the
gdb
debugger and stepping through the code to see where the problem is happening.You would not want all the
gdb
debugging stuff and associated libraries installed on a production firewall (or I would not want that).The Pass List feature borrows functionality from an existing shared resource in the Suricata binary -- a Radix tree. That tree is used to store, and later search for, the IP networks and/or individual host IPs pulled from the Pass List text file.
When an alert is logged, the custom blocking plugin pulls out the IP addresses and then compares them to the Pass List. It does that by searching the Radix tree to see if the IP from the alert is "covered" by an existing Radix tree entry. If not, the IP is added to the blocked table. If the Radix tree search indicates the IP is "covered" by an existing entry, the IP is not added to the blocked table. If the Radix tree code was faulty, it would be most logical for it to fail for every lookup -- not just one randomly. The only other possibility I can imagine is perhaps it is a threading problem that crops up randomly due to Suricata's multithreaded nature. That might be why I have never been able to duplicate the issue. My test VM traffic load and number of threads may not match yours.
-
@bmeeks What about putting some debug outputs around this in one of the future versions? We could then see if the radix tree match is unsuccessful or if it is working and it is a threading problem.
-
@j-koopmann said in Suricata pass list ignored:
@bmeeks What about putting some debug outputs around this in one of the future versions? We could then see if the radix tree match is unsuccessful or if it is working and it is a threading problem.
That is an idea for the future. I am hopeful the move to
iflib
in FreeBSD 12, and some coming improvements to netmap support in Suricata, will lead to the custom Legacy Blocking Mode module used on pfSense being abandoned. It is not an ideal solution. It's too big of a hammer to block all traffic from a host because of a single alert. Better to use the Inline IPS Mode and just selectively drop bad packets instead of completely blocking the host IP.Before the move to the
iflib
wrapper for NIC drivers in FreeBSD 12, your particular NIC hardware driver had to be patched to support netmap operation (and thus support inline IPS mode in Suricata). That limited the configurations where you could use netmap. Now,iflib
wraps the netmap support up natively in FreeBSD and relieves the NIC driver from having to worry about it. There are perhaps still a few rough patches withiflib
and netmap, but those should get smoothed out in future FreeBSD updates. But over time I'm hopeful that netmap and Inline IPS Mode will become how you "block" in Suricata. And the Legacy Blocking Mode and its custom module will disappear. -
Here is the Redmine link:
https://redmine.pfsense.org/issues/12899 -
This post is deleted! -
@wexi Not sure it is the same problem. The pass list IS being obeyed. It is just that it seems to only handle IP addresses and not ranges (or at least in some circumstances). I fail to see how your post is related.
Are you having the range problem as well?