Suricata Package Updated to 3.1.2_1 – Release Notes
bmeeks
The Suricata package has been updated to v3.1.2_1 to fix issues with Pass List implementation when using inline IPS Mode.
Remove automatic inclusion of all locally-attached networks in the default Pass List when using IPS mode. This had the unintended side-effect of essentially whitelisting all traffic to and from local hosts.
Add the capability to completely disable use of the default Pass List when running with inline IPS Mode. Formerly, the default Pass List would be used when no custom list was specified.
Remove automatic inclusion of the WAN interface IP address in the default Pass List when using IPS mode. This had the unintended side-effect of essentially whitelisting all inbound NAT traffic because the destination IP would be the WAN IP.
Increase default value of Host Memcap on IP REPUTATION tab to 32 MB as most IP lists today are quite large. This is effective only for newly created interfaces.
The checkbox for including/excluding the WAN IP from a custom Pass List was inadvertently removed during the Bootstrap conversion of the GUI code. This checkbox is now restored.
Implications of Using a Pass List with Inline IPS Mode
There is a new choice in the Pass List drop-down selector on the INTERFACE SETTINGS tab. That new choice is "none", and when that option is selected no Pass List of any type will be used on the Suricata interface. This is the recommended setting for those of you using Inline IPS Mode. To understand why that is the recommended choice, read on below.
When you use a Pass List with Inline IPS Mode, you need to be aware of some potential pitfalls. The most significant pitfall is that a host IP in a Pass List is totally unprotected by Suricata. No rule but the auto-generated PASS rule will ever match, and thus the host is open to attack and with no logging of the attack. Read that previous sentence one more time and let it sink in! It is the number one reason why you generally don't want to use a Pass List with Inline IPS Mode.
If you still have a need to use a Pass List, consider carefully which of the auto-generated IP addresses you allow in your custom list. In a NAT environment you would never want to include the WAN IP in the list. Doing so will exempt all inbound traffic from the WAN from inspection because Suricata sees the traffic before the inbound NAT has happened. Thus the inbound "destination IP address" will be the firewall's WAN IP. If that IP is in the Pass List, then the traffic is passed without further inspection! That's probably not what you want. So with inline IPS mode, you rarely want to include the WAN IP. Carefully consider also whether or not you choose to include the other defaults of locally-attached networks, the DNS servers specified for the firewall and the Virtual IPs and any VPNs. Consider the impact in the same terms as described for the WAN IP. You can easily exempt vast swaths of your network from even being scanned by Suricata. You should also generally uncheck the option to include "All Local Networks" when creating a custom Pass List. This option, when enabled, will include the entire subnet for each directly-attached local network (meaning all networks defined on all firewall interfaces with the exception of the WAN) in the Pass List. This would generally be a bad thing because, again, the auto-generated PASS rules would exempt all hosts on those subnets from being examined by Suricata.
The v3.1.2_1 version of the Suricata package does make some changes in the composition of the "default" Pass List. It no longer automatically includes the WAN IP or Local Networks in the default list. It does include the single firewall interface IP of every interface on the firewall with the exception of the WAN, though. All of the old defaults discussed in this thread are usually OK for Legacy Mode. This is due to the way Legacy Mode implements blocking. It does not use PASS rules like IPS Mode does. The custom blocking plugin used in Legacy Mode can be more selective when blocking because it is able to block one of the IP addresses in a packet and not the other. For example, it might let the Pass List host IP go but yet still block the other end of the conversation. So if the SRC IP was in the Pass List but the DST IP was not, the SRC IP would not be blocked but the DST IP would. This would still protect the host from the bad guy. IPS Mode is different because the entire packet is simply dropped. You can't drop one IP in a conversation but not the other when using IPS Mode.
So what is the better way of protecting hosts from being blocked (or having their traffic dropped)? You might want to consider using the Suppress List feature to selectively bypass only the rules giving you trouble for specific hosts. You can use the icons on the ALERTS tab to accomplish this. Hover over the plus signs (+) in the alert rows to see a tooltip popup describing what clicking the icon does. A Suppress List entry bypasses a single rule GID:SID. It can be bypassed for all hosts, or only select hosts by either source IP or destination IP. A Pass List entry, on the other hand, will bypass all rules for the host IP addresses in the list.
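The following is an added toy model, not code from the pfSense Suricata package or from Suricata itself, that walks through the three situations described in the post: a host in a Pass List, the same host covered only by a Suppress List entry, and the WAN IP placed in a Pass List while inline Suricata sees inbound traffic before NAT. All IP addresses, signature IDs (local-rule range 1000001/1000002) and function names are constructed for the illustration; the evaluation order (auto-generated PASS rule first, then per-signature suppression, then a whole-packet drop) follows the behaviour the post describes rather than Suricata's internal implementation.

```python
# Added toy model (not pfSense/Suricata code) of how an inline-mode Pass List
# differs from a Suppress List. IPs, SIDs and names below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    matched: tuple          # (gid, sid) pairs of signatures this packet would trigger


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: str              # "all", "by_src" or "by_dst" (threshold.config style)
    ip: Optional[str] = None


@dataclass(frozen=True)
class Verdict:
    action: str             # "pass", "drop" or "accept"
    alerts: tuple           # (gid, sid) pairs that would be logged


def suppressed(sig, pkt, suppress_list):
    """True if a Suppress List entry silences this single GID:SID for this packet."""
    for s in suppress_list:
        if (s.gid, s.sid) != sig:
            continue
        if s.track == "all":
            return True
        if s.track == "by_src" and s.ip == pkt.src:
            return True
        if s.track == "by_dst" and s.ip == pkt.dst:
            return True
    return False


def evaluate(pkt, pass_list, suppress_list, drop_sigs):
    """Model of inline IPS evaluation as the post describes it.

    pass_list:     IPs that get an auto-generated PASS rule ("none" == empty set)
    suppress_list: Suppress entries, each bypassing one GID:SID
    drop_sigs:     signatures whose action is drop
    """
    # A PASS rule wins outright: if either IP is in the Pass List no other rule
    # is evaluated and nothing is logged, so that host is completely unprotected.
    if pkt.src in pass_list or pkt.dst in pass_list:
        return Verdict("pass", ())
    alerts = []
    action = "accept"
    for sig in pkt.matched:
        if suppressed(sig, pkt, suppress_list):
            continue            # only this one GID:SID is bypassed for this host
        alerts.append(sig)
        if sig in drop_sigs:
            action = "drop"     # whole packet dropped; IPS mode cannot block one side only
    return Verdict(action, tuple(alerts))


def inbound_pre_nat(external_src, wan_ip, matched):
    """Inline Suricata inspects inbound traffic before NAT, so dst is still the WAN IP."""
    return Packet(src=external_src, dst=wan_ip, matched=matched)


# Constructed scenario: LAN host 192.168.1.10 keeps tripping a noisy signature
# (1:1000001) while an attack signature with a drop action (1:1000002) also matches.
NOISY = (1, 1000001)
ATTACK = (1, 1000002)
DROP_SIGS = {ATTACK}
ATTACK_PKT = Packet(src="203.0.113.7", dst="192.168.1.10", matched=(NOISY, ATTACK))


def with_pass_list():
    """Host in the Pass List: nothing is inspected or logged, attack goes through."""
    return evaluate(ATTACK_PKT, pass_list={"192.168.1.10"}, suppress_list=[], drop_sigs=DROP_SIGS)


def with_suppress_list():
    """Only the noisy GID:SID suppressed by destination IP: attack still dropped and logged."""
    sup = [Suppress(1, 1000001, "by_dst", "192.168.1.10")]
    return evaluate(ATTACK_PKT, pass_list=set(), suppress_list=sup, drop_sigs=DROP_SIGS)


def wan_ip_in_pass_list():
    """WAN IP in the Pass List: every inbound NAT flow is exempted from inspection."""
    pkt = inbound_pre_nat("203.0.113.7", wan_ip="198.51.100.2", matched=(ATTACK,))
    return evaluate(pkt, pass_list={"198.51.100.2"}, suppress_list=[], drop_sigs=DROP_SIGS)


if __name__ == "__main__":
    print("Pass List   :", with_pass_list())
    print("Suppress    :", with_suppress_list())
    print("WAN in list :", wan_ip_in_pass_list())
```

Running the script shows the contrast the post draws: the Pass List case returns a pass verdict with an empty alert tuple (the attack is neither blocked nor logged), the Suppress List case still drops the packet and logs only the attack signature, and the WAN-IP case passes an inbound attack untouched because the pre-NAT destination matched the list.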
Thank you for the in depth explanations and for the quick fixes.
Great job Bill, well explained. I absolutely agree with you that the best Passlist option is "none" for Inline mode.