    Netgate Discussion Forum
    [SOLVED] Suricata not blocking

    IDS/IPS
    Hugovsky:

      I'm using Suricata in Legacy Mode and I can't make it block. Alerting is working but it doesn't block.

      I'm using the 2.4 latest snapshot with pfBlocker and FreeRADIUS. M/B Supermicro A1SRi-2558 (C2558) with 16GB RAM. I've tried uninstalling and reinstalling Suricata, rebooting and everything I could remember.

      suricata log:

      26/4/2017 -- 22:00:46 - <notice>-- This is Suricata version 3.2.1 RELEASE
      26/4/2017 -- 22:00:46 - <info>-- CPUs/cores online: 4
      26/4/2017 -- 22:00:46 - <info>-- HTTP memcap: 67108864
      26/4/2017 -- 22:00:46 - <notice>-- using flow hash instead of active packets
      26/4/2017 -- 22:01:00 - <info>-- 3 rule files processed. 13392 rules successfully loaded, 0 rules failed
      26/4/2017 -- 22:01:00 - <info>-- 13403 signatures processed. 23 are IP-only rules, 6352 are inspecting packet payload, 9128 inspect application layer, 103 are decoder event only
      26/4/2017 -- 22:07:14 - <info>-- Threshold config parsed: 0 rule(s) found
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb2 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5a to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb3 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5b to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan120 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan120 IPv4 address 10.1.2.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb3_vlan300 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5b to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb3_vlan300 IPv4 address 10.1.3.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 192.168.50.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan400 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan400 IPv4 address 192.168.52.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan500 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan500 IPv4 address 192.168.53.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb2_vlan600 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5a to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb2_vlan600 IPv4 address 192.168.54.1 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0_vlan100 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0_vlan100 IPv4 address 94.61.130.159 to automatic interface IP Pass List.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf output device (regular) initialized: block.log
      26/4/2017 -- 22:07:14 - <info>-- Pass List /usr/local/etc/suricata/suricata_44765_igb0_vlan100/passlist parsed: 19 IP addresses loaded.
      26/4/2017 -- 22:07:14 - <info>-- Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
      26/4/2017 -- 22:07:14 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=src  kill-state=on
      26/4/2017 -- 22:07:14 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf
      26/4/2017 -- 22:07:14 - <info>-- fast output device (regular) initialized: alerts.log
      26/4/2017 -- 22:07:14 - <info>-- http-log output device (regular) initialized: http.log
      26/4/2017 -- 22:07:14 - <info>-- Using 1 live device(s).
      26/4/2017 -- 22:07:14 - <warning>-- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Name of device should not be null
      26/4/2017 -- 22:07:14 - <info>-- using interface igb0_vlan100
      26/4/2017 -- 22:07:14 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
      26/4/2017 -- 22:07:14 - <info>-- Found an MTU of 1500 for 'igb0_vlan100'
      26/4/2017 -- 22:07:14 - <info>-- Set snaplen to 1524 for 'igb0_vlan100'
      26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
      26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
      26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
      26/4/2017 -- 22:07:14 - <info>-- using magic-file /usr/share/misc/magic
      26/4/2017 -- 22:07:14 - <info>-- RunModeIdsPcapAutoFp initialised
      26/4/2017 -- 22:07:14 - <notice>-- all 5 packet processing threads, 2 management threads initialized, engine started.
      26/4/2017 -- 22:07:15 - <info>-- No packets with invalid checksum, assuming checksum offloading is NOT used
      

      What's wrong?

      bmeeks:

        @Hugovsky:

        I'm using Suricata in Legacy Mode and I can't make it block. Alerting is working but it doesn't block.

        […]

        Here is the likely problem – (copied from your posted log output)

        26/4/2017 -- 22:07:14 - <error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf
        

        I have no idea how or why you are getting this error, though.  Did you perhaps accidentally install a base port of Suricata instead of the specially patched version from the pfSense repository?  This error is indicative of the custom AlertPf plugin missing from the binary.

        UPDATE:

        I found the cause.  A slight change in the baseline Suricata code from upstream slipped by me during testing.  That change causes the custom alert-pf blocking plugin to not get properly registered.  When I tested the new 3.2.1 update, I was rushed and only tested inline IPS mode since I was concentrating on Hyperscan.  I also did not expect any issues with Legacy Mode since my patch (custom plugin) applied just fine.  I will work on a fix and get it posted for the pfSense team to approve and merge.  This only impacts Suricata 3.2.1 users.

        Bill

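The diagnosis above (alert-pf prints its "initialized" banner, then the engine rejects the logger) and the more routine reason for "alerts but no block" (the address that policy says to block is on the automatic interface IP Pass List) can both be read off the startup log. The script below is an added example written for this page; it is not code from the thread or from the pfSense Suricata package. The sample log lines are constructed from the line format shown above, and the block-ip policies src/dst/both are assumed from the package's "Which IP to Block" choices.

```python
"""Triage a pfSense Suricata startup log for Legacy Mode blocking.

Added example; not code from this thread or from the pfSense Suricata package.
Given the startup log it answers the two questions that matter when Suricata
alerts but never blocks:
  1. Did the custom alert-pf output module register with the engine?
  2. Would a given alert have produced a pf table entry at all, given the
     block-ip policy and the auto-whitelisted interface addresses?
Assumptions: block-ip policies are src, dst and both; SAMPLE_LOG is
constructed from the line format shown in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, trimmed from the log format shown in the thread.
SAMPLE_LOG = """\
26/4/2017 -- 22:00:46 - <notice>-- This is Suricata version 3.2.1 RELEASE
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 192.168.50.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0_vlan100 IPv4 address 94.61.130.159 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf -> adding firewall interface igb0_vlan100 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <info>-- alert-pf output initialized, pf-table=snort2c  block-ip=src  kill-state=on
26/4/2017 -- 22:07:14 - <error>-- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf
26/4/2017 -- 22:07:14 - <info>-- fast output device (regular) initialized: alerts.log
26/4/2017 -- 22:07:14 - <notice>-- all 5 packet processing threads, 2 management threads initialized, engine started.
"""

# Tolerates both the "<notice>-- msg" form on this page and the "<Notice> - msg" form.
LINE_RE = re.compile(r"^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)>\s*-*\s*(?P<msg>.*)$")
PASS_RE = re.compile(r"adding firewall interface (?P<ifname>\S+) IPv[46] address (?P<addr>\S+) to automatic interface IP Pass List")
INIT_RE = re.compile(r"alert-pf output initialized, pf-table=(?P<table>\S+)\s+block-ip=(?P<policy>\S+)\s+kill-state=(?P<kill>\S+)")
LOGGER_ERR_RE = re.compile(r"Unknown logger type: name=(?P<name>\S+)")


@dataclass
class BlockerStatus:
    initialized: bool = False          # alert-pf printed its "output initialized" banner
    table: str = ""                    # pf table alerts are inserted into (snort2c)
    block_ip: str = ""                 # src, dst or both
    kill_state: str = ""
    failed_loggers: list = field(default_factory=list)   # names the engine refused to register
    pass_list: set = field(default_factory=set)          # auto-whitelisted interface addresses
    engine_started: bool = False

    @property
    def blocking_possible(self) -> bool:
        # The banner alone proves nothing: if the engine then rejects the
        # logger, no alert ever reaches the pf table even though alerts.log fills.
        return self.initialized and "AlertPf" not in self.failed_loggers


def parse_startup_log(text: str) -> BlockerStatus:
    st = BlockerStatus()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (p := PASS_RE.search(msg)):
            st.pass_list.add(ipaddress.ip_address(p.group("addr")))
        elif (i := INIT_RE.search(msg)):
            st.initialized = True
            st.table, st.block_ip, st.kill_state = i.group("table", "policy", "kill")
        elif (e := LOGGER_ERR_RE.search(msg)):
            st.failed_loggers.append(e.group("name"))
        elif "engine started" in msg:
            st.engine_started = True
    return st


def would_block(st: BlockerStatus, src: str, dst: str) -> Tuple[bool, str, List[str]]:
    """Return (decision, reason, addresses that would be inserted into the pf table)."""
    if not st.blocking_possible:
        return False, "alert-pf logger not registered (look for 'Unknown logger type' in the startup log)", []
    policy = {"src": [src], "dst": [dst], "both": [src, dst]}
    if st.block_ip not in policy:
        return False, f"unrecognised block-ip policy {st.block_ip!r}", []
    targets = [ipaddress.ip_address(a) for a in policy[st.block_ip]]
    # Pass List is applied per address: a whitelisted address is never inserted,
    # so an alert whose blockable side is the firewall itself alerts but does not block.
    insert = [str(a) for a in targets if a not in st.pass_list]
    if not insert:
        return False, "every candidate address is on the interface IP Pass List", []
    return True, f"insert into pf table {st.table} (kill-state={st.kill_state})", insert


if __name__ == "__main__":
    status = parse_startup_log(SAMPLE_LOG)
    print("alert-pf initialized:", status.initialized, "| failed loggers:", status.failed_loggers)
    print(would_block(status, "203.0.113.7", "192.168.50.20"))
```

On a real box, point `parse_startup_log` at the interface's startup log under `/usr/local/etc/suricata/suricata_<id>_<iface>/` (or the copy shown on the LOGS VIEW tab) and compare the result with `pfctl -t snort2c -T show`; when `blocking_possible` is False the table will stay empty no matter how many alerts are logged.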
          Hugovsky:

          Thanks, bmeeks. I was going crazy over it. I've searched everywhere and couldn't find an answer. I posted in the forum as a last resort to try to find a solution.

          Thanks again for your work.

            bmeeks:

            The fix for this has been posted in a Pull Request.  It will be merged into 2.4-BETA shortly.  I elected not to bump the binary package version, though, so as not to get out of sync with Suricata upstream.  This means you won't see an updated package notice in the pfSense Package Manager GUI.  So as soon as the update is merged into 2.4-BETA, I will post an update here and impacted users can simply remove the Suricata package and reinstall to pick up the fixed binary package.

            My understanding from the pfSense team is that Suricata 3.2.1 (with the fixed binary) will be made available with the release of pfSense 2.3.4 and will not be backported to 2.3.3.  That's the last word I had.

            UPDATE:
            The fix for the alert-pf custom blocking plugin used with Suricata 3.2.1 on pfSense has been merged for 2.4-BETA users.  If you use Legacy Mode blocking with Suricata on a pfSense 2.4-BETA system, then you will need to remove the Suricata package and reinstall it to be sure you get the updated binary.  So long as the "save settings" checkbox is checked on the GLOBAL SETTINGS tab (and the default is "checked" unless you changed it), then you won't lose any Suricata settings when you remove and reinstall.

            The problem with Legacy Mode blocking was caused by the alert-pf custom blocking plugin that I wrote for Suricata failing to register itself properly during startup.  There have been some slight changes in the way Output Modules work in Suricata and I had not kept pace with them.  I finally got bitten by my complacency …  :-[.  That code had worked for so long that I took for granted it would continue to work so long as my patch applied successfully to the baseline code.  Turns out that was not really the case.

            Bill

              Hugovsky:

              You're the man, bmeeks. Thank you again. Upgrading now.
