Suricata Pass List using Hostnames?


  • Banned

    On part of my network I use a Gateway group comprised of VPN clients (Private Internet Access) as the only gateways.

    Running suricata I've noticed that it eventually starts blocking the VPN client IP's (I think because it is pinging me on unused ports). So I'll end up with packet loss leading to offlining the gateway. Restarting the VPN's just shuts down the gateway again. If I clear Suricata's block list then all is well.

    I tried to create an alias of PIA's hostnames then use that alias as a passlist on suricata but I get an error:

    FQDN aliases are not supported in Suricata.
    

    Is there some way that I can whitelist hostnames on Suricata to avoid this?

    PIA Hostnames:

    us-california.privateinternetaccess.com
    us-east.privateinternetaccess.com
    us-midwest.privateinternetaccess.com
    us-chicago.privateinternetaccess.com
    us-texas.privateinternetaccess.com
    us-florida.privateinternetaccess.com
    us-seattle.privateinternetaccess.com
    us-west.privateinternetaccess.com
    us-siliconvalley.privateinternetaccess.com
    us-newyorkcity.privateinternetaccess.com
    uk-london.privateinternetaccess.com
    uk-southampton.privateinternetaccess.com
    ca-toronto.privateinternetaccess.com
    ca.privateinternetaccess.com
    aus.privateinternetaccess.com
    aus-melbourne.privateinternetaccess.com
    nz.privateinternetaccess.com
    nl.privateinternetaccess.com
    sweden.privateinternetaccess.com
    no.privateinternetaccess.com
    denmark.privateinternetaccess.com
    fi.privateinternetaccess.com
    swiss.privateinternetaccess.com
    france.privateinternetaccess.com
    germany.privateinternetaccess.com
    ireland.privateinternetaccess.com
    italy.privateinternetaccess.com
    ro.privateinternetaccess.com
    turkey.privateinternetaccess.com
    kr.privateinternetaccess.com
    hk.privateinternetaccess.com
    sg.privateinternetaccess.com
    japan.privateinternetaccess.com
    israel.privateinternetaccess.com
    mexico.privateinternetaccess.com
    brazil.privateinternetaccess.com
    in.privateinternetaccess.com
    


  • As far as I know it's not possible to use hostnames in the passlist.

    Depending on how often PIA changes IP addresses, you may be able to enumerate all IPs from all the FQDNs you posted and add those to the passlist. If they don't change often this could work long term, or at least improve things. PIA may even publish the IP ranges or CIDR's they use, which would make this easier.

    Another approach would be to determine what rule is causing the PIA IPs to get blocked and either disable it entirely or suppress it for these IPs (again, you would need to determine all of the IPs involved)

    Last, if they're truly getting blocked for pinging on unused ports, you could move Suricata from your WAN interface (where I'm assuming it would be running in that scenario) to the LAN, so then the pinging of unused ports would be blocked by the firewall and wouldn't be seen by Suricata.


  • Banned

    OK thank you, I figured that would be the answer.

    I ended up just disabling & modifying some rules so that it's no longer a problem.