Suricata not dropping/blocking in legacy mode.

010702 · Sep 28, 2017, 11:52 PM

Hey all,

I have Suricata set up with a custom rule to drop anything coming in to port 23 (anybody connecting on that port is someone to block as I never use it). It logs correctly but does not block the IP at all.

Help?

010702 · Sep 28, 2017, 11:59 PM

My mistake. If you have it running on the LAN interface it recognises the telnet traffic but doesn't block. If I run it on the WAN it blocks the traffic.

bmeeks · Sep 29, 2017, 1:16 AM

How did you structure the flow direction? Is your rule structured to trigger on flows from EXTERNAL_NET to HOME_NET, or from HOME_NET to EXTERNAL_NET? Remember your LAN addresses will, by default, be in HOME_NET.

Bill

010702 · Sep 29, 2017, 12:21 PM

drop tcp any any -> any 23 (msg: "Telnet login"; classtype:attempted-recon; sid:9000001; rev:1;)

bmeeks · Sep 29, 2017, 3:34 PM

It may not be blocking due to the automatic Pass List generated in Legacy Mode. Check the IP addresses in the Pass List by clicking the View button next to the Pass List drop-down selector on the INTERFACE SETTINGS tab. Any address in that list will never be blocked (but will still generate an alert). You can create a customized Pass List and remove addresses that you want to get blocked, but be careful if this is new territory for you. You can easily lock yourself out.

In general the default settings for a Pass List work for the majority of uses.

Bill