Suricata blocking IPs on Pass List
-
I know there are a bunch of posts floating around about this but I've followed everything I can find and it isn't working.
I have an alias called "Suricata_Aliases" that comprises all my other aliases (Email, Intuit, LogMeIn, Trustwave, etc.).
I then take that alias and create a Pass List of "Suricata_passlist".
On Interfaces -> WAN I have that Pass List selected and saved. IPS mode is set to Legacy.
When I click on View List, I can see all of the IPs that should be in there.I've saved, reloaded, and removed and recreated. Suricata is still blocking those IPs. What am I missing?
Install:
Version 2.4.1-RELEASE (amd64)
built on Sun Oct 22 17:26:33 CDT 2017
FreeBSD 11.1-RELEASE-p2Package:
suricata 4.0.0_2I know I need to update but I haven't had the chance to take the site offline yet. Thanks in advance!
-
I can't honestly say I know what the problem was, but I was able to fix it. I created a new alias for Suricata that encompased my other aliases and it worked. The old one was called "Suricata_Aliases" while the new is "Test_Suricata_Aliases" if that makes a difference.
Edit: Just to be clear, they both include the exact same aliases so the information in them should be the same.
-
I guess it's an ongoing issue. I have another router at a second location I'm setting up Suricata on. This one is version 2.4.3-Release-p1 with Suricata at version 4.0.4_1 so both should be fully up to date. I have a list of aliases with a master Suricata alias that contains the other aliases. I set the Suricata alias to be the alias for the pass list. I set the pass list as active on the WAN port. If I click "View List" I can see the IPs in that list but those IPs are still getting blocked. The package is set to Legacy Mode.
-
@stewart
Brainstorming...did you restart Suricata on the interface after setting the pass list? -
@teamits I restarted the service. Do I need to disable and re-enable on the interface?
-
@stewart
No, restarting Suricata (on "Services/Suricata/Interfaces" page) should pick up the settings. Before changing to Inline (which doesn't use pass lists) that's how we had it set up, so it at least used to work. -
@teamits I restarted at Status-Services. I'll try doing it directly on the interface to stop and start to see if that fixes it.
-
@teamits That seems to have worked. I guess maybe restarting the global service resets any global settings and restarting on the interface updates the interface settings but restarting the global service didn't seem to update the interface settings.