Suricata weird src/dst IP addresses
-
Hi,
First off, been a longtime pfSense fan and recently dived back into Suricata, really liking it so far and certainly takes some time to understand.
Onto my question:
My pfSense has two interfaces, LAN and WAN (Suricata).
I'm receiving a lot of alerts with both src & dst IP addresses that are totally outside of my WAN IP range. Can someone explain to me how this can be and what it means? Is it even a cause for concern?
Thanks!
-
@malf0rmedZ said in Suricata weird src/dst IP addresses:
My pfSense has two interfaces, LAN and WAN (Suricata).
Hi,
@malf0rmedZ "My pfSense has two interfaces, LAN and WAN (Suricata)."
Please read the packages maintainer @bmeeks (Suricata / Snort) suggestion:
https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2 (I am thinking specifically of the WAN interface)
Bill, "Configure Snort on your LAN interface only. There is generally no extra security obtained by putting an instance on your WAN as the WAN, by default in pfSense, drops all unsolicited inbound traffic anyway."
-
@malf0rmedZ said in Suricata weird src/dst IP addresses:
Hi,
First off, been a longtime pfSense fan and recently dived back into Suricata, really liking it so far and certainly takes some time to understand.
Onto my question:
My pfSense has two interfaces, LAN and WAN (Suricata).
I'm receiving a lot of alerts with both src & dst IP addresses that are totally outside of my WAN IP range. Can someone explain to me how this can be and what it means? Is it even a cause for concern?
Thanks!
What are these IP addresses you are seeing? Are they possibly multicast addresses? Or are they IPv6 link-local addresses maybe? You need to post them up so we can see. You've basically no helpful troubleshooting information.
And the advice echoed by @DaddyGo is good! The new recommendation is to run the IDS/IPS packages on internal interfaces and not the WAN.
-
Hi and thank you both for your answers.
I looked again and realized something:
- My WAN IP and the IP address I get when I browse the web are two different addresses.
- Some alerts have my WAN IP. Some as the src and some as the dst.
- Majority of alerts are without my WAN IP
Suricata on WAN int:
06/13/2020-02:39:25.736100 [**] [1:2200076:2] SURICATA ICMPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 147.234.44.251:0 -> 10.19.119.84:0
06/13/2020-02:52:49.522436 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 162.208.119.40:443 -> 10.19.119.84:25394
06/13/2020-07:29:22.199398 [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.8:500 -> 10.19.119.84:500
06/13/2020-07:29:22.199398 [**] [1:2224005:2] SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.8:500 -> 10.19.119.84:500
06/13/2020-07:29:52.367524 [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.40:500 -> 10.19.119.84:500
06/13/2020-07:29:52.367524 [**] [1:2224005:2] SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.40:500 -> 10.19.119.84:500
06/13/2020-07:30:36.506659 [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.8:500 -> 10.19.119.84:500
06/13/2020-07:30:36.506659 [**] [1:2224005:2] SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.8:500 -> 10.19.119.84:500
06/13/2020-07:33:16.441765 [**] [1:2200036:2] SURICATA TCP option invalid length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:35587 -> 31.13.86.8:443
06/13/2020-07:45:11.170968 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
06/13/2020-07:45:11.171100 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
06/13/2020-07:45:11.171104 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
06/13/2020-07:45:11.171107 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
06/13/2020-07:45:11.171109 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
06/13/2020-07:45:11.171112 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
06/13/2020-07:45:11.171115 [**] [1:2210044:2] SURICATA STREAM Packet with invalid timestamp [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:16344 -> 195.192.230.12:443
I switched Suricata to the LAN int as per the recommendation and will continue to monitor the situation.
-
@malf0rmedZ said in Suricata weird src/dst IP addresses:
Hi and thank you both for your answers.
I looked again and realized something:
- My WAN IP and the IP address I get when I browse the web are two different addresses.
- Some alerts have my WAN IP. Some as the src and some as the dst.
- Majority of alerts are without my WAN IP
I see IKEv2 alerts in the log snippet you posted. Are you running a VPN client of some type?
Typically when your WAN public IP showing in pfSense is different from the WAN IP you see when using an external tester such as a web site, it means your ISP is using CNAT (Carrier-Grade NAT). In other words, your connection is in effect double-NAT'd. Which of the IP addresses in that log snippet you posted is the one showing as your public WAN IP in pfSense?
When you run Suricata (or Snort) on the WAN all of the outgoing traffic the IDS/IPS sees is after NAT is applied. So that means all of your internal LAN hosts will have their real LAN IP addresses NAT'd to your WAN public IP, and that is what will show in the alerts. So you will not see the LAN IP address of any internal hosts when you run Suricata on the WAN. That's why you should put it on the LAN instead.
In Legacy Blocking Mode, and in alert-only non-blocking mode, Suricata places the interface it runs on in promiscuous mode. That will let it see all traffic on the wire and not just traffic targeted strictly to that interface. If your ISP is doing a poor job of isolating their customers on the customers' WAN side, promiscuous mode can highlight that.
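The two troubleshooting questions raised in this thread (are the odd addresses multicast or link-local, and which alerts actually involve the pfSense WAN IP versus a double-NAT'd one) can be answered mechanically from the fast.log snippet rather than by eyeballing it. The script below is an added example written for this page; it is not code from the thread, from pfSense or from the Suricata project. It assumes the alerts are in Suricata's fast.log format (the format of the snippet posted above), uses three alert lines copied from that snippet plus three constructed ones (sid 9000001 is made up), and uses the documentation address 203.0.113.7 as a placeholder for the pfSense WAN IP since the real one is not in the thread. It classifies every address in each alert into public, RFC 1918, RFC 6598 carrier-grade NAT space, multicast, link-local, loopback or IPv6 ULA, counts which alerts have the WAN IP as source or destination, and reports the double-NAT indicators bmeeks describes (WAN IP differing from an external tester, or sitting in the 100.64.0.0/10 range).

```python
"""Classify Suricata fast.log alerts by address type (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# One fast.log record looks like:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# IPv6 addresses are written without brackets, so the port is split off at the LAST colon.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Address ranges a WAN-side sensor commonly shows that are NOT ordinary public hosts.
# Checked in order; first match wins. Explicit tables avoid Python-version differences
# in ipaddress.is_private / is_global.
_RANGE_SPEC = [
    ("multicast", "224.0.0.0/4"), ("multicast", "ff00::/8"),
    ("link-local", "169.254.0.0/16"), ("link-local", "fe80::/10"),
    ("loopback", "127.0.0.0/8"), ("loopback", "::1/128"),
    ("cgnat", "100.64.0.0/10"),          # RFC 6598 shared address space used by carrier-grade NAT
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"), ("rfc1918", "192.168.0.0/16"),
    ("ula", "fc00::/7"),                 # IPv6 unique local addresses
]
SPECIAL_RANGES = [(label, ipaddress.ip_network(net)) for label, net in _RANGE_SPEC]


def split_host_port(endpoint):
    """'fe80::1:546' -> (IPv6Address('fe80::1'), 546); works for IPv4 'a.b.c.d:port' too."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def parse_fast_log_line(line):
    """Return a dict for one fast.log alert, or None if the line does not match the format."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    return {"ts": m.group("ts"), "sid": int(m.group("sid")), "msg": m.group("msg"),
            "proto": m.group("proto"), "src": src, "sport": sport, "dst": dst, "dport": dport}


def classify(addr):
    """Label an address (string or ipaddress object) by the special range it falls in, else 'public'."""
    addr = ipaddress.ip_address(str(addr))
    for label, net in SPECIAL_RANGES:
        if addr in net:          # containment is False across IPv4/IPv6, so mixed lists are fine
            return label
    return "public"


def summarize(lines, wan_ip):
    """Count alerts by WAN-IP involvement and count every address seen by its classification."""
    wan = ipaddress.ip_address(wan_ip)
    stats = Counter()
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is None:
            stats["unparsed"] += 1
            continue
        if alert["src"] == wan:
            stats["wan_is_src"] += 1
        elif alert["dst"] == wan:
            stats["wan_is_dst"] += 1
        else:
            stats["no_wan_ip"] += 1
        for addr in (alert["src"], alert["dst"]):
            stats["addr_" + ("wan" if addr == wan else classify(addr))] += 1
    return stats


def double_nat_indicators(pfsense_wan_ip, externally_seen_ip):
    """The tells for an upstream NAT: pfSense's WAN IP differs from what an external tester
    reports, or the WAN IP itself is in CGNAT (RFC 6598) or RFC 1918 space."""
    wan = ipaddress.ip_address(pfsense_wan_ip)
    return {"wan_differs_from_external": wan != ipaddress.ip_address(externally_seen_ip),
            "wan_in_cgnat_range": classify(wan) == "cgnat",
            "wan_in_rfc1918_range": classify(wan) == "rfc1918"}


SAMPLE_WAN_IP = "203.0.113.7"  # placeholder (documentation range), not the poster's real WAN IP
SAMPLE_LINES = [
    # first three alerts copied from the log snippet posted in the thread
    "06/13/2020-02:39:25.736100 [**] [1:2200076:2] SURICATA ICMPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 147.234.44.251:0 -> 10.19.119.84:0",
    "06/13/2020-07:29:22.199398 [**] [1:2224003:1] SURICATA IKEv2 weak cryptographic parameters (PRF) [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 82.102.137.8:500 -> 10.19.119.84:500",
    "06/13/2020-07:33:16.441765 [**] [1:2200036:2] SURICATA TCP option invalid length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.19.119.84:35587 -> 31.13.86.8:443",
    # next three are constructed for this example; sid 9000001 does not exist in any ruleset
    "06/13/2020-08:00:00.000000 [**] [1:9000001:1] CONSTRUCTED mDNS to multicast [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353",
    "06/13/2020-08:00:01.000000 [**] [1:9000001:1] CONSTRUCTED DHCPv6 link-local [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} fe80::1:546 -> ff02::1:2:547",
    "06/13/2020-08:00:02.000000 [**] [1:9000001:1] CONSTRUCTED reply to WAN IP [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 198.51.100.20:443 -> 203.0.113.7:51000",
]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LINES, SAMPLE_WAN_IP).items()):
        print(f"{key:18} {count}")
    print(double_nat_indicators("100.70.1.2", "203.0.113.9"))  # constructed CGNAT-style WAN IP
```

To run it against a real sensor, read /var/log/suricata/<interface>/alerts.log (the path pfSense's package uses for fast-format alerts; adjust if yours differs) into `summarize()` and pass the WAN IP pfSense shows on its dashboard. A high `no_wan_ip` count together with many `addr_public` peers on a WAN-side instance is exactly the "other customers' traffic" situation bmeeks describes for promiscuous mode, while `addr_multicast` and `addr_link-local` hits are the benign local noise he asked about.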
-
Thanks @bmeeks
Yes I am seeing many of those IKE alerts consistently, including from my son's iPhone :( !
Thank you for the explanation around CNAT, had no idea. None of the IPs in the snippet above contain my WAN IP.
Makes total sense re the noise caught when Suricata is applied to the WAN interface, clearly shows my ISP isn't doing a terribly clean job, but hey they're cheap so I can't complain :)