HA PROXY + Inline Snort -> Blocks HAPROXY IP

crester

Hello.
This is my scenario:

PFSENSE-HAPROXY -> PFSENSE-SNORT -> WEBSERVER

Snort is Blocking Offenders.

if I attack public IP from the webserver, Snort see the attack and add HAPROXY Internal IP to the block lists.
Added enable_xff in the snort configuration, X-Forwarded-For is captured in pcap, but not in logs and still blocking the HAPROXY internal ip .

Can someone help me ?

Thank you.
Regards.

crester

Well,
I have been able to block real offenders instead of the internal IP of the HAPROXY configuring it in transparent mode.
I don't like too much but it is a solution by now, I hope will be a workaround.

kr

tsmalmbe

Wake up.

This is still an issue. Is there a way to make Snort block the real ip?

bmeeks

@tsmalmbe said in HA PROXY + Inline Snort -> Blocks HAPROXY IP:

Wake up.

This is still an issue. Is there a way to make Snort block the real ip?

No, unless you move the proxy to transparent mode. Snort sits directly on the interface NIC and sees all the raw packets in promiscuous mode. The blocking plugin, which is what's called an "output plugin" in Snort, gets the raw packet to pull IP addresses from for blocking. It uses the actual SRC and DST IP addresses in the raw packet for block decisions. It does not follow the packet protocol (HTTP, SMTP, etc.) to figure out proxy IPs, X-Forwarded-For IPs, and so forth.

There are other special logging facilities within Snort that extract the X-Forwarded-For information and send that to logs, but that information is not there for the blocking plugin.

tsmalmbe

@bmeeks said in HA PROXY + Inline Snort -> Blocks HAPROXY IP:

No, unless you move the proxy to transparent mode. Snort sits directly on the interface NIC and sees all the raw packets in promiscuous mode. The blocking plugin, which is what's called an "output plugin" in Snort, gets the raw packet to pull IP addresses from for blocking. It uses the actual SRC and DST IP addresses in the raw packet for block decisions. It does not follow the packet protocol (HTTP, SMTP, etc.) to figure our proxy IPs, X-Forwarded-For IPs, and so forth.
There are other special logging facilities within Snort that extract the X-Forwarded-For information and send that to logs, but that information is not there for the blocking plugin.

So could you offer some "best practice" advice for this - apart from running transparent - which seems like a major architectural decision and change? As it currently stands, the dest & src are blocked when something fishy is found by Snort - and dest is the webserver adn src is pfsense - this is not really nice. Anything in the way of whitelisting or something that we could do to still keep Snort running but avoiding blocking our internal ip's?

Open to suggestions.

bmeeks

@tsmalmbe
There are two solutions, and which you use depends on the IP address of the proxy.

If the proxy has a LAN address, then the default pass list should already include your LAN network block (for example, 192.168.0.0/24). That should prevent the proxy's IP from being blocked. Check on the INTERFACE SETTINGS tab for the interface where the proxy is located and make sure the Pass List is set to "default".

If the proxy has a different address, then you can create a firewall alias that contains the proxy's IP address (and perhaps other internal hosts you may want to whitelist). Create a custom pass list on the PASS LISTS tab. I recommend leaving all the default items checked for the new list, and then in the Address box type in the name of the alias you created for the proxy. Save the new pass list, and then go to the INTERFACE SETTINGS tab and choose the new pass list in the Pass List drop-down. Save the change and restart Snort on the interface.

This should prevent the proxy's IP from being blocked. Also, the firewall should never block its own interface IP addresses. There is an automatically internally generated pass list within Snort that takes care of that. What IP address of the firewall itself is being blocked? Do you actually see that IP in the BLOCKED tab?

tsmalmbe

Further investigation reveales that it is rarely the firewall nor the haproxy ip that is blocked, but rather the webserver behind haproxy. I have already set up passlists for everything except the webserver.

bmeeks

@tsmalmbe said in HA PROXY + Inline Snort -> Blocks HAPROXY IP:

Further investigation reveales that it is rarely the firewall nor the haproxy ip that is blocked, but rather the webserver behind haproxy. I have already set up passlists for everything except the webserver.

Sounds like then, from your description, that adding the web server's IP to your existing pass list should solve the problem. Easiest way to do this is to create that alias I mentioned and then use it within the custom pass list. Don't forget to make sure the custom pass list is selected in the Pass List drop-down selection on the INTERFACE SETTINGS page (and Snort is restarted after any change is made on that page).

tsmalmbe

Just to finish off this thread - the workaround by adding the server ip to the interface passlist works in the sense that the server ip is no longer getting blocked. The downside of course is, that this server is now completely without protection from Snort.