Suricata inline - passlists and blocking - no alerts



  • Hello,

I recently reinstalled pfSense and also Suricata. I had saved my enablesid/dropsid/disablesid files, which were working fine on my previous pfSense installation.

    With the new installation, something in my SID rule files keeps blocking the internet. I would like to find out which SID is being blocked, but there are no alerts appearing on the alerts page… How can I troubleshoot which alert is making Suricata block traffic without seeing any alerts on the tab? Is there a log file somewhere I can download and browse through?

    I also have a second question: I added a passlist and put the pfSense IP and my WAN IP on it. How does Suricata blocking work, and which side gets blocked?

    For example, someone sends some malicious traffic from 48.235.223.23 to pfSense on public IP 45.43.54.212, and Suricata detects it. Now I am wondering: does Suricata block both IPs, or just 48.235.223.23? Or 45.43.54.212, blocking my connections?

    What happens when I add my IPs to a passlist? Does this mean the malicious sender at 48.235.223.23 also gets through because my WAN/GW IPs are on a passlist?

    Thanks!



  • @Greenhill:

    Hello,

I recently reinstalled pfSense and also Suricata. I had saved my enablesid/dropsid/disablesid files, which were working fine on my previous pfSense installation.

    With the new installation, something in my SID rule files keeps blocking the internet. I would like to find out which SID is being blocked, but there are no alerts appearing on the alerts page… How can I troubleshoot which alert is making Suricata block traffic without seeing any alerts on the tab? Is there a log file somewhere I can download and browse through?

    I also have a second question: I added a passlist and put the pfSense IP and my WAN IP on it. How does Suricata blocking work, and which side gets blocked?

    For example, someone sends some malicious traffic from 48.235.223.23 to pfSense on public IP 45.43.54.212, and Suricata detects it. Now I am wondering: does Suricata block both IPs, or just 48.235.223.23? Or 45.43.54.212, blocking my connections?

    What happens when I add my IPs to a passlist? Does this mean the malicious sender at 48.235.223.23 also gets through because my WAN/GW IPs are on a passlist?

    Thanks!

Are you using Legacy Mode blocking or the Inline IPS Mode? You should always be seeing alerts if you get blocks. The only way that would not be the case is if your alerts log is very large and got rotated over into an archive and the new file is empty. That would let a situation exist where the alert that caused a particular block is actually in the archived alert log and thus is not currently displayed on the ALERTS tab. That tab pulls only from the currently active alert log.

    If using Legacy Mode, you can find any IP blocked by Suricata by going to DIAGNOSTICS > TABLES in pfSense and displaying the contents of the snort2c table.  Any IP addresses listed there were inserted by Suricata.

    Bill
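As an added example (not code from this thread or from the pfSense Suricata package), the following POSIX shell script does from the command line what Bill describes: it reads the current Suricata alerts log together with any rotated copies, picks out every alert that names a given IP, and prints the SID, whether the rule's action was alert or drop, the rule message and the flow, so the rule behind a block can be recovered even after the active log has rotated and the ALERTS tab shows nothing. It assumes the logs are in Suricata's fast-log format (inline drops carry a `[Drop]` marker and the rule is identified by a `[gid:sid:rev]` field); the log directory path and the sample log lines are constructed placeholders, not real rules or real traffic.

```shell
#!/bin/sh
# Added example, not part of the forum thread or the pfSense package.
# Assumption: Suricata writes alerts.log in its "fast" format and logrotate
# leaves archives beside it as alerts.log.1, alerts.log.2.gz and so on.
# Replace LOG_DIR with the real per-interface log directory on your box.
LOG_DIR="${LOG_DIR:-/var/log/suricata/PLACEHOLDER_interface_dir}"

# Print "SID ACTION MESSAGE SRC -> DST" for every alert line that mentions
# the IP given as $1, searching the active log plus all rotated archives
# (plain or gzipped) in the directory given as $2 (defaults to LOG_DIR).
find_sids_for_ip() {
    ip="$1"
    dir="${2:-$LOG_DIR}"
    for f in "$dir"/alerts.log "$dir"/alerts.log.*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep -Fw -- "$ip" | awk '{
        # inline IPS mode prefixes dropped packets with [Drop]; otherwise the
        # rule only alerted and could not have caused a block by itself
        action = ($0 ~ /\[Drop\]/) ? "drop" : "alert"
        # the rule id field looks like [gid:sid:rev]; SID is the middle number
        if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) == 0) next
        split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
        # the rule message runs from just after the id field up to " [**]"
        rest = substr($0, RSTART + RLENGTH + 1)
        msg = substr(rest, 1, index(rest, " [**]") - 1)
        # the flow is the last three whitespace-separated fields: src -> dst
        printf "%s %s %s %s -> %s\n", id[2], action, msg, $(NF - 2), $NF
    }'
}

# Write a constructed alerts.log and one rotated archive into $1 so the
# script can be exercised without touching a live firewall. The SIDs are in
# the local 9000000+ range and the messages are invented for this example.
write_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/alerts.log" <<'EOF'
01/02/2024-10:15:01.000000  [Drop] [**] [1:9000001:1] CONSTRUCTED inbound exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 48.235.223.23:44321 -> 45.43.54.212:443
EOF
    cat > "$dir/alerts.log.1" <<'EOF'
01/01/2024-22:03:44.000000  [**] [1:9000002:1] CONSTRUCTED scanner user-agent [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 48.235.223.23:51000 -> 45.43.54.212:80
01/01/2024-22:10:00.000000  [**] [1:9000003:1] CONSTRUCTED unrelated probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.5:53 -> 45.43.54.212:53
EOF
}

# Stand-alone demo against the constructed logs; on a real box call
# find_sids_for_ip <blocked-ip> <interface-log-dir> instead.
tmp=$(mktemp -d)
write_sample_logs "$tmp"
find_sids_for_ip 48.235.223.23 "$tmp"
rm -rf "$tmp"
```

In Legacy Mode the shell equivalent of DIAGNOSTICS > TABLES is `pfctl -t snort2c -T show`, which lists the addresses Suricata has inserted; once an address is known, point the script at that interface's log directory to see which SID fired on it and whether it was a drop or only an alert. The `-w` on grep keeps `48.235.223.23` from matching inside a longer address such as `148.235.223.23`.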