Netgate Discussion Forum

    HA PROXY + Inline Snort -> Blocks HAPROXY IP

    Category: IDS/IPS
    9 Posts 3 Posters 2.0k Views
    • crester

      Hello.
      This is my scenario:

      PFSENSE-HAPROXY -> PFSENSE-SNORT -> WEBSERVER

      Snort is blocking offenders.

      If I attack the public IP from the webserver, Snort sees the attack and adds the HAProxy internal IP to the block list.
      I added enable_xff in the Snort configuration; X-Forwarded-For is captured in the pcap, but not in the logs, and it is still blocking the HAProxy internal IP.

      Can someone help me?

      Thank you.
      Regards.

      • crester

        Well,
        I have been able to block real offenders instead of the internal IP of the HAProxy by configuring it in transparent mode.
        I don't like it too much, but it is a solution for now; I hope it will be a workaround.

        kr

        • tsmalmbe

          Wake up.

          This is still an issue. Is there a way to make Snort block the real IP?

          Security Consultant at Mint Security Ltd - www.mintsecurity.fi

          • bmeeks @tsmalmbe

            @tsmalmbe said in HA PROXY + Inline Snort -> Blocks HAPROXY IP:

            Wake up.

            This is still an issue. Is there a way to make Snort block the real IP?

            No, unless you move the proxy to transparent mode. Snort sits directly on the interface NIC and sees all the raw packets in promiscuous mode. The blocking plugin, which is what's called an "output plugin" in Snort, gets the raw packet to pull IP addresses from for blocking. It uses the actual SRC and DST IP addresses in the raw packet for block decisions. It does not follow the packet protocol (HTTP, SMTP, etc.) to figure out proxy IPs, X-Forwarded-For IPs, and so forth.

            There are other special logging facilities within Snort that extract the X-Forwarded-For information and send that to logs, but that information is not there for the blocking plugin.

            • tsmalmbe

              @bmeeks said in HA PROXY + Inline Snort -> Blocks HAPROXY IP:

              No, unless you move the proxy to transparent mode. Snort sits directly on the interface NIC and sees all the raw packets in promiscuous mode. The blocking plugin, which is what's called an "output plugin" in Snort, gets the raw packet to pull IP addresses from for blocking. It uses the actual SRC and DST IP addresses in the raw packet for block decisions. It does not follow the packet protocol (HTTP, SMTP, etc.) to figure out proxy IPs, X-Forwarded-For IPs, and so forth.
              There are other special logging facilities within Snort that extract the X-Forwarded-For information and send that to logs, but that information is not there for the blocking plugin.

              So could you offer some "best practice" advice for this - apart from running transparent - which seems like a major architectural decision and change? As it currently stands, the dest & src are blocked when something fishy is found by Snort - and dest is the webserver and src is pfSense - this is not really nice. Anything in the way of whitelisting or something that we could do to still keep Snort running but avoid blocking our internal IPs?

              Open to suggestions.

              • bmeeks @tsmalmbe

                @tsmalmbe
                There are two solutions, and which you use depends on the IP address of the proxy.

                If the proxy has a LAN address, then the default pass list should already include your LAN network block (for example, 192.168.0.0/24). That should prevent the proxy's IP from being blocked. Check on the INTERFACE SETTINGS tab for the interface where the proxy is located and make sure the Pass List is set to "default".

                If the proxy has a different address, then you can create a firewall alias that contains the proxy's IP address (and perhaps other internal hosts you may want to whitelist). Create a custom pass list on the PASS LISTS tab. I recommend leaving all the default items checked for the new list, and then in the Address box type in the name of the alias you created for the proxy. Save the new pass list, and then go to the INTERFACE SETTINGS tab and choose the new pass list in the Pass List drop-down. Save the change and restart Snort on the interface.

                This should prevent the proxy's IP from being blocked. Also, the firewall should never block its own interface IP addresses. There is an automatically internally generated pass list within Snort that takes care of that. What IP address of the firewall itself is being blocked? Do you actually see that IP in the BLOCKED tab?

                • tsmalmbe

                  Further investigation reveals that it is rarely the firewall or the HAProxy IP that is blocked, but rather the webserver behind HAProxy. I have already set up pass lists for everything except the webserver.

                  • bmeeks @tsmalmbe

                    @tsmalmbe said in HA PROXY + Inline Snort -> Blocks HAPROXY IP:

                    Further investigation reveals that it is rarely the firewall or the HAProxy IP that is blocked, but rather the webserver behind HAProxy. I have already set up pass lists for everything except the webserver.

                    It sounds then, from your description, that adding the web server's IP to your existing pass list should solve the problem. The easiest way to do this is to create that alias I mentioned and then use it within the custom pass list. Don't forget to make sure the custom pass list is selected in the Pass List drop-down selection on the INTERFACE SETTINGS page (and Snort is restarted after any change is made on that page).

                    • tsmalmbe

                      Just to finish off this thread - the workaround of adding the server IP to the interface pass list works in the sense that the server IP is no longer getting blocked. The downside, of course, is that this server is now completely without protection from Snort.

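As an added illustration (not code from the thread, pfSense or Snort), the following Python models the block decision bmeeks describes above: the blocker takes SRC and DST from the raw packet, drops anything on the pass list, and never consults X-Forwarded-For. Run across the three situations in the thread, it also shows why pass-listing the web server behind a non-transparent proxy leaves nothing to block, which is the downside tsmalmbe notes in the last post. All addresses, the HTTP request and the pass list entries are constructed here, and the "which IP to block" choice is modelled on the SRC/DST/BOTH setting of the pfSense Snort package.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (hypothetical; none come from the thread).
PROXY_IP = "10.0.0.2"        # HAProxy internal address: raw-packet SRC behind the proxy
WEBSERVER_IP = "10.0.1.10"   # backend web server: raw-packet DST
CLIENT_IP = "203.0.113.45"   # real client; only present in X-Forwarded-For

# Constructed request as HAProxy forwards it to the backend (non-transparent mode).
SAMPLE_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    f"X-Forwarded-For: {CLIENT_IP}\r\n"
    "\r\n"
)

def xff_client(request):
    """First X-Forwarded-For address, as Snort's XFF-aware logging would record it.
    Only meaningful when the proxy that set it is trusted; clients can send it too."""
    headers = request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-forwarded-for":
            return value.split(",")[0].strip()
    return None

def load_pass_list(entries):
    """Pass list entries are hosts or CIDR blocks (the LAN block plus an alias)."""
    return [ip_network(e, strict=False) for e in entries]

def blocker_addresses(src, dst, pass_list, which="both"):
    """Addresses the blocking output plugin would add for one alert: raw SRC/DST
    per the 'which IP to block' setting (src, dst, both), minus pass-listed hosts.
    X-Forwarded-For is never consulted here, exactly as bmeeks describes."""
    candidates = {"src": [src], "dst": [dst], "both": [src, dst]}[which]
    return {ip for ip in candidates
            if not any(ip_address(ip) in net for net in pass_list)}

def scenarios():
    """The three situations from the thread, with a default-style LAN block plus alias."""
    base = load_pass_list(["192.168.0.0/24", PROXY_IP])
    with_web = load_pass_list(["192.168.0.0/24", PROXY_IP, WEBSERVER_IP])
    return {
        # Non-transparent proxy, only the proxy pass-listed: the web server gets blocked.
        "proxy_passed": blocker_addresses(PROXY_IP, WEBSERVER_IP, base),
        # Web server pass-listed as well: nothing is ever blocked for this traffic.
        "proxy_and_web_passed": blocker_addresses(PROXY_IP, WEBSERVER_IP, with_web),
        # Transparent proxy: raw SRC is the real client, so that is what gets blocked.
        "transparent": blocker_addresses(CLIENT_IP, WEBSERVER_IP, with_web),
    }
```

`xff_client(SAMPLE_REQUEST)` does recover the real client from the payload, but `blocker_addresses` never sees it, which is the gap the thread is about.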
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.