4. Suricata Pass List using Hostnames?

Suricata Pass List using Hostnames?

  • P
    Banned

    On part of my network I use a Gateway group comprised of VPN clients (Private Internet Access) as the only gateways.

    Running suricata I've noticed that it eventually starts blocking the VPN client IP's (I think because it is pinging me on unused ports). So I'll end up with packet loss leading to offlining the gateway. Restarting the VPN's just shuts down the gateway again. If I clear Suricata's block list then all is well.

    I tried to create an alias of PIA's hostnames then use that alias as a passlist on suricata but I get an error:

    FQDN aliases are not supported in Suricata.

    Is there some way that I can whitelist hostnames on Suricata to avoid this?

    PIA Hostnames:

    us-california.privateinternetaccess.com
us-east.privateinternetaccess.com
us-midwest.privateinternetaccess.com
us-chicago.privateinternetaccess.com
us-texas.privateinternetaccess.com
us-florida.privateinternetaccess.com
us-seattle.privateinternetaccess.com
us-west.privateinternetaccess.com
us-siliconvalley.privateinternetaccess.com
us-newyorkcity.privateinternetaccess.com
uk-london.privateinternetaccess.com
uk-southampton.privateinternetaccess.com
ca-toronto.privateinternetaccess.com
ca.privateinternetaccess.com
aus.privateinternetaccess.com
aus-melbourne.privateinternetaccess.com
nz.privateinternetaccess.com
nl.privateinternetaccess.com
sweden.privateinternetaccess.com
no.privateinternetaccess.com
denmark.privateinternetaccess.com
fi.privateinternetaccess.com
swiss.privateinternetaccess.com
france.privateinternetaccess.com
germany.privateinternetaccess.com
ireland.privateinternetaccess.com
italy.privateinternetaccess.com
ro.privateinternetaccess.com
turkey.privateinternetaccess.com
kr.privateinternetaccess.com
hk.privateinternetaccess.com
sg.privateinternetaccess.com
japan.privateinternetaccess.com
israel.privateinternetaccess.com
mexico.privateinternetaccess.com
brazil.privateinternetaccess.com
in.privateinternetaccess.com
    0
  • J

    As far as I know it's not possible to use hostnames in the passlist.

    Depending on how often PIA changes IP addresses, you may be able to enumerate all IPs from all the FQDNs you posted and add those to the passlist. If they don't change often this could work long term, or at least improve things. PIA may even publish the IP ranges or CIDR's they use, which would make this easier.

    Another approach would be to determine what rule is causing the PIA IPs to get blocked and either disable it entirely or suppress it for these IPs (again, you would need to determine all of the IPs involved)

    Last, if they're truly getting blocked for pinging on unused ports, you could move Suricata from your WAN interface (where I'm assuming it would be running in that scenario) to the LAN, so then the pinging of unused ports would be blocked by the firewall and wouldn't be seen by Suricata.

    0
  • P
    Banned

    OK thank you, I figured that would be the answer.

    I ended up just disabling & modifying some rules so that it's no longer a problem.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy