
    Suricata blocks traffic without alert

    IDS/IPS
    7 Posts 2 Posters 1.6k Views
    • M
      mind12
      last edited by

      Hello,

      I would like to request some help because I have been struggling with this for a long time.
      I'm using Suricata 4.1.5_2 in Inline IPS mode with blocking enabled. Sometimes SSL webpages don't load; however, I can ping their network address and I can telnet to port 443. My workaround was to add the IPs of the pages to my custom Suricata rules, and after that the sites load.

      pass tcp $HOME_NET any -> [X.X.X.X] [80,443] (msg:"pass tcp traffic from HOME_NET to exceptions"; sid:100001;)
      pass tcp [X.X.X.X] [80,443] -> $HOME_NET any (msg:"pass tcp traffic from EXT_NET to exceptions"; sid:100002;)
      

      I've found the following thread in the forum. Am I hitting the same problem?
      https://forum.netgate.com/topic/106910/suricata-ips-blocks-ssl-traffic-without-alert-log

      Any idea how to troubleshoot this?

      Thank you.

      • bmeeksB
        bmeeks
        last edited by bmeeks

        It's very likely the same "flowbits:noalert" flag in the rule is causing the issue. Use the fix suggested on the thread you linked. You can implement that solution using SID MGMT features.

        A second alternative is to grep your active rules file (it will be in /usr/local/etc/suricata/suricata_xxxxx/rules/suricata.rules) and look for all rules using the "flowbits:noalert" tag. You could then find the ones impacting SSL and selectively disable them (or change just those SIDs to alert instead of drop).

        In the path referenced above, the suricata_xxxxx part will contain the physical NIC interface and a random UUID that together uniquely identify that Suricata interface.

        I've added a bug report to my internal tracker about this issue. I will change the DROP action modifier code in SID MGMT so that rules containing the "flowbits:noalert" tag are not changed to DROP automatically.

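As an added example (not code from this thread or from the pfSense Suricata package), here is a small Python script that does what the post above describes by hand: it scans a suricata.rules file for active drop rules that carry flowbits:noalert and rewrites only those back to alert, leaving the dependent flowbits:isset rule in drop so it still blocks and logs. The rule bodies, the path and the extra SIDs are constructed for the example; only SIDs 2024772-2024774 come from the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a suricata.rules file. SIDs 2024772-2024774 are the
# ones named in the thread; the rule bodies are made up and are NOT the real
# ET rules. 2024775 is a constructed "consumer" rule that depends on the bit.
SAMPLE_RULES = """\
drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN example setter 1"; flow:established,from_server; flowbits:set,ET.example; flowbits:noalert; sid:2024772; rev:3;)
drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN example setter 2"; flowbits:set,ET.example; flowbits: noalert; sid:2024773; rev:1;)
drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN example setter 3"; flowbits:set,ET.example; flowbits:noalert; sid:2024774; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN example consumer"; flowbits:isset,ET.example; sid:2024775; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"already alert, nothing to do"; flowbits:noalert; sid:100003; rev:1;)
# drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"disabled rule is ignored"; flowbits:noalert; sid:2024776; rev:1;)
"""

ACTION_RE = re.compile(r"^\s*(?P<action>alert|drop|pass|reject)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
NOALERT_RE = re.compile(r"\bflowbits\s*:\s*noalert\s*;")


def rule_parts(line: str) -> Optional[Tuple[str, int, bool]]:
    """Return (action, sid, has_noalert) for an active rule line, else None.
    Commented-out (#) rules and blank lines return None."""
    action = ACTION_RE.match(line)
    sid = SID_RE.search(line)
    if not action or not sid:
        return None
    return action.group("action"), int(sid.group(1)), bool(NOALERT_RE.search(line))


def find_silent_drops(rules_text: str) -> List[int]:
    """SIDs of active drop rules with flowbits:noalert: these block traffic
    but, because of noalert, never write an alert, which is the symptom here."""
    hits = []
    for line in rules_text.splitlines():
        parts = rule_parts(line)
        if parts and parts[0] == "drop" and parts[2]:
            hits.append(parts[1])
    return hits


def revert_silent_drops(rules_text: str) -> Tuple[str, List[int]]:
    """Rewrite drop -> alert for noalert rules only; return (new_text, sids).
    The flowbit is still set, so the consumer rule keeps its drop action."""
    out, changed = [], []
    for line in rules_text.splitlines():
        parts = rule_parts(line)
        if parts and parts[0] == "drop" and parts[2]:
            line = re.sub(r"^(\s*)drop\b", r"\1alert", line, count=1)
            changed.append(parts[1])
        out.append(line)
    return "\n".join(out) + "\n", changed
```

To apply it to a live file, read /usr/local/etc/suricata/suricata_xxxxx/rules/suricata.rules into `rules_text`, write the returned text back and restart the interface; the SID MGMT files remain the supported way to make the change survive a rule update.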
        • M
          mind12
          last edited by

          @bmeeks said in Suricata blocks traffic without alert:

          "flowbits:noalert"

          Great, detailed help as always. Thank you.
          I solved this by searching for the following in my rules:

          cat /usr/local/etc/suricata/suricata_11138_em0/rules/suricata.rules | grep "flowbits:noalert" | grep drop | grep 443
          

          Fortunately there were only a few rules there; I changed these (sid:2024772-2024774) rules to alert and the connection worked afterwards.

          However I'm still not seeing any alert in Suricata about this (must be the flowbits:noalert).
          These were ET Trojan rules so at least an alert would be nice on hit. How to change them to generate an alert?

          • bmeeksB
            bmeeks @mind12
            last edited by bmeeks

            @mind12 said in Suricata blocks traffic without alert:

            @bmeeks said in Suricata blocks traffic without alert:

            "flowbits:noalert"

            Great, detailed help as always. Thank you.
            I solved this by searching for the following in my rules:

            cat /usr/local/etc/suricata/suricata_11138_em0/rules/suricata.rules | grep "flowbits:noalert" | grep drop | grep 443
            

            Fortunately there were only a few rules there; I changed these (sid:2024772-2024774) rules to alert and the connection worked afterwards.

            However I'm still not seeing any alert in Suricata about this (must be the flowbits:noalert).
            These were ET Trojan rules so at least an alert would be nice on hit. How to change them to generate an alert?

            Do some research on what flowbits are all about and that will help you understand why they work like they do.

            Here are some educational links. The first one is for Snort, but Suricata uses flowbits in exactly the same way.

            https://www.snort.org/faq/resolving-flowbit-dependancies

            https://suricata.readthedocs.io/en/suricata-4.1.4/rules/flow-keywords.html

            Flowbits are very critical to proper operation and triggering of other dependent rules.

            • M
              mind12 @bmeeks
              last edited by

              @bmeeks
              Thank you, I understand now.

              Could you please help me with how I should change the state of all the rules with flowbits:noalert to Alert instead of Drop with SID mgmt?
              I assume I should use modifysid.conf, but there isn't such an example there.
              I can't figure out how to use the regexp from the other thread:
              pcre:^.?.?alert((?!flowbits\x3a\s*?noalert).)+.(sid\x3a\s*?.?.?.?.?.?.?;).+$

              • M
                mind12
                last edited by

                @bmeeks said in Suricata blocks traffic without alert:

                2024772

                Never mind, that command just changed all the flowbit rules to alert using the dropsid.conf.
                I was confused by the name of the file dropsid.conf, thinking it could only change rules to drop and not to alert.

                • bmeeksB
                  bmeeks @mind12
                  last edited by

                  @mind12 said in Suricata blocks traffic without alert:

                  @bmeeks said in Suricata blocks traffic without alert:

                  2024772

                  Never mind, that command just changed all the flowbit rules to alert using the dropsid.conf.
                  I was confused by the name of the file dropsid.conf, thinking it could only change rules to drop and not to alert.

                  It's the drop-down selector where you pick the file that determines the action (changes for drop, enable or modify), not the filename. You can choose any file for the action, and whatever matches the PCRE in that file produces is then used for finding and modifying rules.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.