Suricata & IPv6 Alerts

  • I’ve installed and configured Suricata with no issues; currently only using it on the WAN.  For blocking, I’m using the Inline IPS Mode; it seems to be working so far.  In System / Advanced / Networking, I’ve unchecked Allow IPv6.

    From the Suricata WAN Categories/Rules I’ve enabled, when I look at the Suricata Alerts, I see a lot of IPv6 addresses in the Src and Dst columns.  They seem to stem from entries in the decoder-events.rules:
    SURICATA zero length padN option
    SURICATA ICMPv6 unknown code
    Sport 131 and 132 are used.

    I’ve configured both entries so that the Rule action is drop.

    Nevertheless, I thought I disabled IPv6.  I have no devices on my network configured for IPv6.  Any suggestions as to why I’m seeing these IPv6 addresses in the Src and Dst columns of the Suricata Alerts section?  Thanks.

  • Did you ever figure out how to ignore alerts for IPv6 ICMP and multicast? I have a similar setup with the same issues on the WAN side. My provider refuses to turn off IPv6 on the cable modem. I have "Allow IPv6" unchecked in System -> Advanced -> Networking. I also have "IPv6 over IPv4" tunneling unchecked.

    I also don't understand why despite a firewall blocking everything unless allowed, we still see alerts for ICMP?

    My setup differs in that although I am using Suricata with blocking turned on, I am not in Inline Mode, not Legacy Mode. I am only using Snort Personal rules with the pre-set "Balanced" IPS Policy set and nothing else, yet.

    I see lots of things that I want to start messing with in System -> Advanced -> System Tunables to further turn off support... but I definitely don't fall into the pre-requisite "Advanced Users" category.

    However, my end goal is not to just suppress alerts and therefore allow IPv6 packets, but to just drop all IPv6 packets and not log any pattern alerts or logs in any system.

    If my provider or anyone wants to talk on IPv6 I want it to be a black hole of nothingness for them to waste their time on and not bug me about it.

    I have an HP switch on which I set up an access list to drop all IPv6 on my LAN side, but that doesn't stop the thousands of alerts in the Suricata logs on the WAN port. It just stops all of the alerts on the LAN side. This is working perfectly, because anyone that leaves IPv6 enabled on their device just drops at the switch, so I never hear about it on pfSense.

    Can I do something similar to this on the WAN side?

    ipv6 access-list "drop-all-v6"
         10 deny ipv6 ::/0 ::/0
    vlan 444
         name "YO_MAMA"
         untagged 1-48
         ip address
         ipv6 access-group "drop-all-v6" vlan-in
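    To confirm that the IPv6 alerts both posters describe are on-link ICMPv6 chatter from the modem segment (link-local source, multicast destination) rather than anything routed through the firewall, here is an added Python example, not code from this thread or from pfSense/Suricata, that classifies Suricata eve.json alert records by address family and scope; the sample records are constructed, and the signature names follow the decoder-events names quoted above.

```python
import ipaddress
import json
from collections import Counter

# Constructed eve.json records (not real captures): two decoder-events alerts
# on link-local/multicast IPv6, one IPv4 alert for contrast, one non-alert.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"fe80::1","dest_ip":"ff02::16","proto":"IPv6-ICMP","icmp_type":143,"alert":{"signature":"SURICATA zero length padN option","action":"blocked"}}
{"event_type":"alert","src_ip":"fe80::abcd","dest_ip":"ff02::1","proto":"IPv6-ICMP","icmp_type":131,"alert":{"signature":"SURICATA ICMPv6 unknown code","action":"blocked"}}
{"event_type":"alert","src_ip":"198.51.100.7","src_port":44321,"dest_ip":"203.0.113.9","dest_port":22,"proto":"TCP","alert":{"signature":"EXAMPLE constructed TCP alert","action":"allowed"}}
{"event_type":"flow","src_ip":"fe80::1","dest_ip":"ff02::16","proto":"IPv6-ICMP"}
"""


def classify_alert(record):
    """Return (signature, family, scope) for one alert record, else None."""
    if record.get("event_type") != "alert":
        return None  # flows, stats, etc. are not alerts
    src = ipaddress.ip_address(record["src_ip"])
    dst = ipaddress.ip_address(record["dest_ip"])
    family = "IPv6" if src.version == 6 else "IPv4"
    if src.is_link_local and dst.is_multicast:
        scope = "on-link multicast"  # never forwarded; local segment only
    elif dst.is_multicast:
        scope = "multicast"
    else:
        scope = "unicast"
    return record["alert"]["signature"], family, scope


def summarize(eve_text):
    """Count alerts per (signature, family, scope) over eve.json lines."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if line:
            key = classify_alert(json.loads(line))
            if key is not None:
                counts[key] += 1
    return counts


def on_link_ipv6_fraction(counts):
    """Share of alerts that are IPv6 link-local -> multicast noise."""
    total = sum(counts.values())
    noise = sum(n for (_, fam, scope), n in counts.items()
                if fam == "IPv6" and scope == "on-link multicast")
    return noise / total if total else 0.0


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVE).items():
        print(n, key)
```

In the Suricata alert view the port columns carry the ICMP type and code for ICMP traffic, which is why 131 (MLD Listener Report) and 132 (MLD Listener Done) appear as the "Sport" values mentioned in the first post. Run it against a real eve.json to see what share of the WAN alerts is this on-link chatter.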
