Suricata configuration help


  • Greetings everyone
    My end goal here is to set up Suricata to block P2P traffic for my small office and whitelist a few IPs, for example the general manager and IT.
    I have set up a test lab on Hyper-V with 2 Windows VMs connected to a pfSense VM via a virtual switch.
    I have achieved blocking P2P, and very effectively  ;D . (I can only do it in Legacy mode, btw; Inline will lock me out of the GUI every time I try it, and I made sure Hardware Checksum Offloading, Hardware TCP Segmentation Offloading and Hardware Large Receive Offloading are disabled. Still, Legacy is working fine, so I'm not complaining  :) )

    Now I'm trying to add an IP into some kind of whitelist. For some reason Pass Lists won't do anything (I have set up an alias, created a pass list and finally chosen it inside the interface): nothing, the IP is still blocked from P2P. And for IP Reputation, I don't think I'm setting it up right, because everything I tried has failed so far.
    So can someone help?

    The environment is running squid3, squidguard, OpenVPN, because that's what I have on live now and I can't change it.

    P.S: great work on the distro, guys. I'm a gold member and will always be, and will support you with whatever I can  ;)


    Suricata's inline IPS mode uses a relatively new technology called netmap.  Netmap is a feature that can be compiled into FreeBSD and other similar kernels like Linux.  Netmap provides a super high speed interface allowing applications to get and process network traffic at near line speed (much faster than older technologies such as ipfw in FreeBSD).  Unfortunately netmap is something each specific network card driver must support.  There are still a great many network card drivers that either outright do not support netmap and thus the interface dies or freezes, or only partially support it and thus are flaky in operation.  If you use VMware virtual networking, then you want to use the e1000 NIC drivers so your interfaces in a virtual machine show up as "em0, em1, etc." interfaces.  I am not very familiar with Hyper-V as I am a VMware person, but I don't believe the Hyper-V virtual NICs support netmap.

    When you create a Pass List and then assign it to the Suricata interface, you must then restart Suricata on that interface in order for it to pick up the new Pass List.  Did you restart after assigning the Pass List?

    Bill


    Thanks for the info, Bill. In my live setup all my NICs are Intel and they show up as em0, em1, etc.
    Although I still can't figure out the pass list, I noticed that when I created a pass list with only an alias on it, let's say Win7-VM2 (IP 192.168.1.2), and rebooted the pfSense VM (the only way I can see the change; restarting the service doesn't do anything for me), then Win7-VM2 is connected but P2P is still blocked… The strange thing is that Win7-VM1 (IP 192.168.1.3) is no longer connected to anything and can't even ping my pfSense. I rebooted, created a 2nd LAN (IP 192.168.1.4), nothing. It looks like no one has access to anything in the network except the IP I added to the pass list, but that's not how it should work, right?? :o...
    Did another test with a pass list for all local IPs and the alias: back to square 1, where P2P is blocked for everyone :'(

    How can I exclude some IPs or aliases from getting blocked?


  • @Gig11gs:

    Thanks for the info, Bill. In my live setup all my NICs are Intel and they show up as em0, em1, etc.
    Although I still can't figure out the pass list, I noticed that when I created a pass list with only an alias on it, let's say Win7-VM2 (IP 192.168.1.2), and rebooted the pfSense VM (the only way I can see the change; restarting the service doesn't do anything for me), then Win7-VM2 is connected but P2P is still blocked… The strange thing is that Win7-VM1 (IP 192.168.1.3) is no longer connected to anything and can't even ping my pfSense. I rebooted, created a 2nd LAN (IP 192.168.1.4), nothing. It looks like no one has access to anything in the network except the IP I added to the pass list, but that's not how it should work, right?? :o...
    Did another test with a pass list for all local IPs and the alias: back to square 1, where P2P is blocked for everyone :'(

    How can I exclude some IPs or aliases from getting blocked?

    To be honest, your questions are a bit hard to follow due to the punctuation and maybe some missing words or typos …  nonetheless, let me see if I can offer some suggestions.

    1.  Try a plain Suricata setup without blocking enabled.  Make sure everything works in terms of connectivity.  Pay attention to the ALERTS tab and see what alerts are being thrown.

    2.  Turn on blocking but only in Legacy Mode.  Create any custom pass list you might need.  Remember when you create a Pass List on the PASS LIST tab you must next go to the INTERFACE SETTINGS tab, assign the Pass List you created to the interface and then restart Suricata on that interface to pick up the change.  Again verify connectivity is as expected after enabling Legacy Mode blocking.  If you have problems, then go to the BLOCKS and ALERTS tabs to see what clues you find there.

    3.  Only after the first two steps above have been completed and you are satisfied with the results and understand any alerts or blocks, go back and enable Inline IPS mode for the blocking.  If you now suddenly have problems with connectivity, then the issue is most likely going to be problems with netmap and the virtual NIC in Hyper-V.  Nothing you can do about that unless you want to rewrite the Hyper-V driver ...  ;).  Inline IPS mode is just not going to work on every single device, unlike Legacy Mode, which is more or less network card and driver agnostic.

    Bill


  • @bmeeks:

    To be honest, your questions are a bit hard to follow due to the punctuation and maybe some missing words or typos …  nonetheless, let me see if I can offer some suggestions.

    1.  Try a plain Suricata setup without blocking enabled.  Make sure everything works in terms of connectivity.  Pay attention to the ALERTS tab and see what alerts are being thrown.

    2.  Turn on blocking but only in Legacy Mode.  Create any custom pass list you might need.  Remember when you create a Pass List on the PASS LIST tab you must next go to the INTERFACE SETTINGS tab, assign the Pass List you created to the interface and then restart Suricata on that interface to pick up the change.  Again verify connectivity is as expected after enabling Legacy Mode blocking.  If you have problems, then go to the BLOCKS and ALERTS tabs to see what clues you find there.

    3.  Only after the first two steps above have been completed and you are satisfied with the results and understand any alerts or blocks, go back and enable Inline IPS mode for the blocking.  If you now suddenly have problems with connectivity, then the issue is most likely going to be problems with netmap and the virtual NIC in Hyper-V.  Nothing you can do about that unless you want to rewrite the Hyper-V driver ...  ;).  Inline IPS mode is just not going to work on every single device, unlike Legacy Mode, which is more or less network card and driver agnostic.

    Bill

    I'm not even trying Inline IPS mode now; I'm fine with Legacy. I'm just trying to exclude some hosts or IPs from being monitored by Suricata.
    I'm very sorry for my English. I wish I could speak to you, because my speech is way better than my writing :P.


  • @Gig11gs:

    @bmeeks:

    To be honest, your questions are a bit hard to follow due to the punctuation and maybe some missing words or typos …  nonetheless, let me see if I can offer some suggestions.

    1.  Try a plain Suricata setup without blocking enabled.  Make sure everything works in terms of connectivity.  Pay attention to the ALERTS tab and see what alerts are being thrown.

    2.  Turn on blocking but only in Legacy Mode.  Create any custom pass list you might need.  Remember when you create a Pass List on the PASS LIST tab you must next go to the INTERFACE SETTINGS tab, assign the Pass List you created to the interface and then restart Suricata on that interface to pick up the change.  Again verify connectivity is as expected after enabling Legacy Mode blocking.  If you have problems, then go to the BLOCKS and ALERTS tabs to see what clues you find there.

    3.  Only after the first two steps above have been completed and you are satisfied with the results and understand any alerts or blocks, go back and enable Inline IPS mode for the blocking.  If you now suddenly have problems with connectivity, then the issue is most likely going to be problems with netmap and the virtual NIC in Hyper-V.  Nothing you can do about that unless you want to rewrite the Hyper-V driver ...  ;).  Inline IPS mode is just not going to work on every single device, unlike Legacy Mode, which is more or less network card and driver agnostic.

    Bill

    I'm not even trying Inline IPS mode now; I'm fine with Legacy. I'm just trying to exclude some hosts or IPs from being monitored by Suricata.
    I'm very sorry for my English. I wish I could speak to you, because my speech is way better than my writing :P.

    Oh…OK.  I understand now.  No need to apologize for your English.  I only speak and write in a single language, so I am the one with the limitations ...  :).

    There are two ways to protect IP addresses from being blocked with the package.  The same technique will work with Snort as well since they share the same core code.  "Suppress List" is really a Snort term.  Suricata calls it "Threshold", but the concept is the same and since the GUI tab is SUPPRESS I will use that term in the discussion below.

    1.  Use a Suppress List entry with the "track by source" or "track by destination" option
    2.  Use a custom Pass List

    Let me describe the difference between these two.

    When you use a Suppress List you are selectively bypassing a single rule with each line in the Suppress List file.  For a given rule in the file, you can also specify that the rule is bypassed only when triggered by a specific IP address.  The drawback of a Suppress List is that you need to create an entry for every rule you want bypassed for every host.  When a rule is "bypassed" by a Suppress List entry, it does not generate an alert.  When there is no alert generated in Legacy Mode, there is no block.  Thus Suppress Lists are one way of preventing a host from being blocked.  You just must enable this on a rule-by-rule basis.  The GUI makes this a little easier by offering icons on the ALERTS tab for each displayed alert entry.  In the columns for SRC IP, DST IP and GID:SID you will see a plus icon "+" in a little rectangle.  Clicking that will add the rule signature ID (the GID and SID) to a suppress list entry.  If you click the icon in the SRC IP column, then the entry will be added with the suppression option of "track by source".  If you click the icon in the DST IP column it will use the option of "track by destination".  Clicking the icon in the GID:SID column will bypass that rule for all IP addresses.

    A Pass List (only when using Legacy Mode) operates differently but achieves the same result – protecting specified IP addresses from ever being blocked.  The difference with the Pass List is that alerts still happen, but the blocks don't.  If the IP address in the alert matches an IP address in the Pass List, then the IP is not blocked.  The big distinction between a Pass List and Suppress List is that the Pass List will prevent the IP addresses in the list from being blocked by any rule.  Remember a Suppress List works only on specific rule signature IDs.

    If you want to use a Pass List:

    1.  First go to the Firewall > Aliases menu in pfSense and create an Alias to hold the IP addresses of all hosts you want to protect from blocking.  You can only use fixed IP addresses!  The Pass List does not work for FQDN aliases.  Remember that you can also include other aliases within an alias (nesting them, in effect).  This can let you get quite creative with aliases.

    2.  Now go to the PASS LIST tab in Suricata and create a new Pass List.

    3.  For Legacy Mode operation, you can generally leave the default checked values in the Auto-Generated IP Addresses section.  Down at the bottom of the page type in the name of the Alias you created in step #1.  Save the new Pass List.

    4.  This is the important part!!!  Go edit the INTERFACE SETTINGS for the Suricata interface.  Scroll down on that page until you find the drop-down selection fields for the Pass List.  Select the Pass List you created in step #1 above and save the change.  Now go restart Suricata on that interface.  The Pass List will not be used until Suricata is restarted.

    Bill
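    Bill's distinction above between a Suppress List (the matching rule never alerts, so in Legacy Mode it never blocks, and only for that one GID:SID) and a Pass List (the alert is still logged, but a listed IP is never blocked, whatever the rule) is easy to get wrong in practice, as the rest of this thread shows. The following is an added example, not code from this thread or from the pfSense Suricata package: a small Python model that parses suppress entries written in Suricata's threshold.config syntax ("suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst|by_either, ip <ip|cidr>"), parses a pass list written as one IP or CIDR per line, and then applies the Legacy Mode logic Bill describes to a few constructed alerts. The signature IDs, the hosts (192.168.10.235 and 192.168.10.127 from the thread, plus TEST-NET peers), the pass-list file format and the simplification that both IPs in an alert are candidates for blocking are all assumptions for illustration; the real package decides which IP to block from its own interface settings.

```python
"""Model of Suppress List vs Pass List semantics in pfSense Suricata Legacy Mode.

Added example: this is not the pfSense package's own code. The threshold.config
suppress syntax is Suricata's; the pass-list file format (one IP/CIDR per line)
and the "block both IPs of an alert" rule are assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Suricata threshold.config suppress syntax:
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst|by_either, ip <ip|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None   # None: the rule is suppressed for every IP
    net: Optional[object] = None  # ip_network, only used when track is set

    def matches(self, a: Alert) -> bool:
        """True when this entry silences the given alert."""
        if (a.gid, a.sid) != (self.gid, self.sid):
            return False          # a suppress entry only ever covers one rule
        if self.track is None:
            return True           # GID:SID icon on the ALERTS tab: all addresses
        ips = {"by_src": [a.src], "by_dst": [a.dst],
               "by_either": [a.src, a.dst]}[self.track]
        return any(ipaddress.ip_address(ip) in self.net for ip in ips)


def _strip(line: str) -> str:
    """Drop comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_threshold_conf(text: str) -> List[Suppress]:
    """Parse suppress lines; anything else is rejected loudly."""
    entries = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported threshold line: {line!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        entries.append(Suppress(int(gid), int(sid), track, net))
    return entries


def parse_pass_list(text: str) -> list:
    """Assumed pass-list format: one IP address or CIDR network per line."""
    return [ipaddress.ip_network(_strip(l), strict=False)
            for l in text.splitlines() if _strip(l)]


def is_passed(ip: str, pass_nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pass_nets)


def legacy_mode(alerts: List[Alert], suppress: List[Suppress],
                pass_nets: list) -> Tuple[List[Alert], Set[str]]:
    """Legacy Mode as described in the thread: a block is only ever the
    consequence of an alert. Suppressed rules never alert (so never block);
    pass-listed IPs still alert but are never blocked."""
    logged, blocked = [], set()
    for a in alerts:
        if any(s.matches(a) for s in suppress):
            continue              # no alert -> no block, for this rule only
        logged.append(a)
        for ip in (a.src, a.dst):  # simplification: both alert IPs are candidates
            if not is_passed(ip, pass_nets):
                blocked.add(ip)
    return logged, blocked


# --- constructed sample data (sig_ids are placeholders, not real rule IDs) ---
THRESHOLD_CONF = """
# silence rule 1:2000001 only when 192.168.10.235 is the source
suppress gen_id 1, sig_id 2000001, track by_src, ip 192.168.10.235
# silence rule 1:2000002 for everyone
suppress gen_id 1, sig_id 2000002
"""
PASS_LIST = "127.0.0.1\n192.168.10.1\n192.168.10.235\n"
# what the auto-generated "Local Networks" entry is assumed to add: the whole LAN
PASS_LIST_WITH_LOCAL_NETS = PASS_LIST + "192.168.10.0/24\n"
ALERTS = [
    Alert(1, 2000001, "192.168.10.235", "203.0.113.10"),  # suppressed by_src
    Alert(1, 2000001, "192.168.10.127", "203.0.113.10"),  # alerts, .127 blocked
    Alert(1, 2000003, "192.168.10.235", "203.0.113.11"),  # alerts, .235 passed
    Alert(1, 2000002, "192.168.10.127", "203.0.113.12"),  # suppressed for all
]

if __name__ == "__main__":
    sup = parse_threshold_conf(THRESHOLD_CONF)
    for name, pl in (("host pass list", PASS_LIST),
                     ("with Local Networks", PASS_LIST_WITH_LOCAL_NETS)):
        logged, blocked = legacy_mode(ALERTS, sup, parse_pass_list(pl))
        print(f"{name}: {len(logged)} alerts logged, blocked {sorted(blocked)}")
```

    Run with the host-only pass list, 192.168.10.235 still shows up on the ALERTS tab for rule 2000003 but never lands in the blocked set, while 192.168.10.127 is blocked the moment it trips any unsuppressed rule. Add the LAN subnet (the effect the "Local Networks" auto-generated entry is assumed to have) and no LAN host is ever blocked, which is exactly the "everyone is downloading at full speed" symptom reported later in this thread.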


  • @bmeeks:

    If you want to use a Pass List:

    1.  First go to the Firewall > Aliases menu in pfSense and create an Alias to hold the IP addresses of all hosts you want to protect from blocking.  You can only use fixed IP addresses!  The Pass List does not work for FQDN aliases.  Remember that you can also include other aliases within an alias (nesting them, in effect).  This can let you get quite creative with aliases.

    2.  Now go to the PASS LIST tab in Suricata and create a new Pass List.

    3.  For Legacy Mode operation, you can generally leave the default checked values in the Auto-Generated IP Addresses section.  Down at the bottom of the page type in the name of the Alias you created in step #1.  Save the new Pass List.

    4.  This is the important part!!!  Go edit the INTERFACE SETTINGS for the Suricata interface.  Scroll down on that page until you find the drop-down selection fields for the Pass List.  Select the Pass List you created in step #1 above and save the change.  Now go restart Suricata on that interface.  The Pass List will not be used until Suricata is restarted.

    Bill

    I followed those instructions (although that's exactly what I did before), but it gives me confusing results.

    For example, the VM I want to exclude from filtering is on the static IP 192.168.10.235, and the other one is on DHCP (192.168.10.127 now).

    I added an alias for 192.168.10.235 and called it lab.
    Created a pass list (all Auto boxes checked) with that alias.
    Added it to the LAN interface in Suricata and restarted.

    Now the behavior I have is that 192.168.10.235 is being blocked and 192.168.10.127 is not (it's downloading P2P traffic at full speed)… :o

    So I thought maybe it's the pass list: the auto generation box does have a Local Networks option on it, and that might put my full subnet in the pass list and thus unblock all of the IPs. That's why 192.168.10.127 was downloading torrents at full speed.

    So I unchecked that box... restarted, and now something very strange happened: 192.168.10.127 can no longer access the network; it can't even ping my pfSense 192.168.10.1 or anything else for that matter. So I rechecked the Local Networks box and restarted, and now it's connected back.

    So I thought maybe it's because I'm filtering on LAN, so I disabled that and started filtering on WAN.
    But same exact behavior...

    So I still didn't achieve my goal of unblocking or un-monitoring 192.168.10.235 while every other IP is blocked and monitored.

    I have to know how to do this, because I know very well that when I implement this in the office I will get requests from upper management to exclude some high-ranking people and I will have to comply.


  • @Gig11gs:

    I followed those instructions (although that's exactly what I did before), but it gives me confusing results.

    For example, the VM I want to exclude from filtering is on the static IP 192.168.10.235, and the other one is on DHCP (192.168.10.127 now).

    I added an alias for 192.168.10.235 and called it lab.
    Created a pass list (all Auto boxes checked) with that alias.
    Added it to the LAN interface in Suricata and restarted.

    Now the behavior I have is that 192.168.10.235 is being blocked and 192.168.10.127 is not (it's downloading P2P traffic at full speed)… :o

    So I thought maybe it's the pass list: the auto generation box does have a Local Networks option on it, and that might put my full subnet in the pass list and thus unblock all of the IPs. That's why 192.168.10.127 was downloading torrents at full speed.

    So I unchecked that box... restarted, and now something very strange happened: 192.168.10.127 can no longer access the network; it can't even ping my pfSense 192.168.10.1 or anything else for that matter. So I rechecked the Local Networks box and restarted, and now it's connected back.

    So I thought maybe it's because I'm filtering on LAN, so I disabled that and started filtering on WAN.
    But same exact behavior...

    So I still didn't achieve my goal of unblocking or un-monitoring 192.168.10.235 while every other IP is blocked and monitored.

    I have to know how to do this, because I know very well that when I implement this in the office I will get requests from upper management to exclude some high-ranking people and I will have to comply.

    Do you know that once an IP is blocked, unless you restart the entire firewall, you have to remove the IP from the blocked list?  There are multiple ways to do that.  You can click the icons on the ALERTS or BLOCKS tab beside the IP you want to unblock.  If you have the option to automatically clear blocked hosts enabled (on the GLOBAL SETTINGS tab), then at the set interval all blocked hosts will be removed.  Simply restarting Suricata won't clear blocks.  This might be why your 192.168.10.235 IP continued to be blocked if you did not specifically unblock it.

    I have no explanation for the other strange problem with the 192.168.10.127 address.  Checking or unchecking the "Local Networks" checkbox on the PASS LIST tab when editing a Pass List really can't cause the effect you described.  There is no way it can cause a total loss of connectivity.  Something else must have caused that.

    I have not tried pfSense within Hyper-V, and therefore have not tried the Snort or Suricata packages on Hyper-V either.  I believe some other folks have, though.  I use VMware and everything works just fine.  I have several Suricata and Snort virtual machines I test with, and Pass Lists and Suppress Lists work fine for me.  They also work for others here on the Forum, so I know the code is not fatally flawed.

    Bill


  • @bmeeks:

    Hey,
    Sorry for the late reply.
    I have rebuilt my VM lab on VBox and tested on it: very good success with the Suppression list, but I still can't figure out the pass list.
    But for now that will do nicely. Thank you very much for your help, Bill.