Suricata, Legacy Mode, "Block Offenders" not blocking
-
Ok I've spent too many hours on this one, time to call for help.
pfSense 2.4.5-RELEASE-p1
Suricata 5.0.4
To save time:
- I'm running Legacy Mode vs. Inline because after a lot of reading, I've been caused to sufficiently fear Inline Mode. Even though my igb/I211 NICs should support it. I get why Inline is technically "better" in formal enterprise setups, however I do not think it's critical for my application (home network). I have 50Mbit/s and my little pfSense box can keep up running Legacy.
- I get what the true purpose of an IDS is, and why in a true enterprise environment w/ a full-time infosec staff staring at an IDS dashboard all day, you would NOT want to just blindly auto-block everything and instead would want to be alerted so you can be actively selective. Again, this is just my home small network. I'm not staring at pfSense's dashboard 24/7 and always onsite. I've cherry-picked lists to subscribe to which are just stuff I DO want to auto-block. So for my use case, "Block Offenders" was designed exactly for me.
So, with that out of the way, I'm trying to figure out why "Block Offenders" doesn't seem to be doing what it's designed to do. I see plenty of Suricata alerts every minute, but my Blocks list remains empty.
My Pass List is set to the default settings. I'm unclear on whether I should be blocking SRC, DST or BOTH. The WAN firewall should be blocking unsolicited malicious traffic, but if the first step was a user clicking on something that made it in, it'd be the DST that would trigger Suricata so I'd want to block the DST in that case. Not shut down the client and not let them do anything on the internet anymore until I happen to get home. But if something was initiated on the outside first and made it in, then it's the SRC I want to block because they're the bad guy, not the DST. I'd think that the Pass list would address this and allow me to choose "BOTH" with my internal IPs being whitelisted, but something I read suggested that with it set to "BOTH" then if either SRC or DST are on the Pass list, then nothing is blocked. So I'm confused on proper usage here. And maybe it has nothing to do with my problem anyway.
I'm sure I'm not providing sufficient additional information you need but to start I don't know what else, so ask away and I shall provide. Thanks in advance. :)
-
Let's start first with your last question about whether to block SRC, DST or BOTH. The correct selection is BOTH in most home network situations. The automatic Pass List feature that adds all internal networks to the default Pass List will prevent internal hosts from being blocked. But at the same time, that BOTH setting will block any host IP pulled from an alert that is NOT on the Pass List (usually the default pass list). So in this manner the "bad guy" is blocked whether he is the SRC or DST of the offending traffic, while at the same time the internal host is not permanently blocked as you typically do not want that. If that happens, the internal host can't go anywhere.
When you configured the Legacy Blocking mode, did you also choose the option to "block DROPs only"? If so, then you will also need to manually change the default rule actions from ALERT to DROP for those rules which you want to actually block traffic.
Another reason for blocking to seemingly not work is if you modified the Pass List content without fully understanding the ramifications of the changes.
Finally, I have seen a number of users in the past who change the blocking mode on the INTERFACE SETTINGS tab, but then do not go and restart Suricata on the INTERFACES tab so it will pick up the change. Any changes to the blocking mode require a physical restart of Suricata on the interface.
One last thing to check, the recommended setting for automatically clearing blocked hosts is 1 Hour and that is set on the GLOBAL SETTINGS tab. There is no point in blocking a host forever, so there is a cron task that clears blocks for a host when no additional traffic has been seen from that host within the interval selected on the GLOBAL SETTINGS tab. Perhaps that interval is configured on your box and you just happen to be checking alerts well after the block time has expired ??
If one of the possibilities I listed does not apply to you, then post up a screen capture of your ALERTS tab showing the alerts you think should have resulted in blocks and let me take a look.
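To make the SRC/DST/BOTH, Pass List and "block DROPs only" interactions above concrete, here is a small model of that decision logic as described in this thread. It is an added illustration, not the pfSense Suricata package's own code; the pass-list networks, alerts and timestamps are constructed, and the clear-interval check models the cron task that expires quiet hosts.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed default-style Pass List: internal networks plus localhost.
PASS_LIST = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8", "127.0.0.1/32")]

def on_pass_list(ip, pass_list=PASS_LIST):
    """True if the address falls inside any Pass List network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pass_list)

def ips_to_block(alert, which="BOTH", block_drops_only=False, pass_list=PASS_LIST):
    """Return the set of IPs an alert would add to the block table.

    which: "SRC", "DST" or "BOTH" (the "Which IP to Block" setting).
    block_drops_only: when True, only rules whose action is DROP block anything,
    so ALERT-action rules produce alerts but no blocks (as noted in the thread).
    Each candidate IP is checked against the Pass List individually, so with
    BOTH the external side is blocked even when the internal side is passed.
    """
    if block_drops_only and alert["action"] != "DROP":
        return set()
    candidates = {
        "SRC": [alert["src"]],
        "DST": [alert["dst"]],
        "BOTH": [alert["src"], alert["dst"]],
    }[which]
    return {ip for ip in candidates if not on_pass_list(ip, pass_list)}

def expired_blocks(blocks, now, clear_interval=timedelta(hours=1)):
    """Hosts the periodic clear task would remove: no traffic seen within the interval."""
    return {ip for ip, last_seen in blocks.items() if now - last_seen > clear_interval}

# Constructed sample alerts (documentation ranges, not real hosts).
ALERTS = [
    # Outside host initiated the connection: SRC is the offender.
    {"sid": 1, "action": "ALERT", "src": "203.0.113.7", "dst": "192.168.1.20"},
    # Internal client reached out to a bad host: DST is the offender, rule set to DROP.
    {"sid": 2, "action": "DROP", "src": "192.168.1.20", "dst": "198.51.100.9"},
]

if __name__ == "__main__":
    for alert in ALERTS:
        for which in ("SRC", "DST", "BOTH"):
            print(alert["sid"], which, sorted(ips_to_block(alert, which)))
    now = datetime(2020, 11, 1, 12, 0)
    table = {"203.0.113.7": now - timedelta(hours=2), "198.51.100.9": now - timedelta(minutes=10)}
    print("cleared:", sorted(expired_blocks(table, now)))
```

Running it shows why BOTH is the setting that catches the external offender in either direction while the internal client stays unblocked, and why "block DROPs only" leaves the ALERT-action rule with no block at all.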
-
@bmeeks said in Suricata, Legacy Mode, "Block Offenders" not blocking:
Finally, I have seen a number of users in the past who change the blocking mode on the INTERFACE SETTINGS tab, but then do not go and restart Suricata on the INTERFACES tab so it will pick up the change. Any changes to the blocking mode require a physical restart of Suricata on the interface.
You know... I know for a fact I did this several times earlier today. But it might have been while I still had the blocking setting set to "SRC" and not "BOTH". I went and reset Suricata on the interface again just now... and I'm getting entries in my block list now. I had it set to "BOTH" at some point last night too, but some sort of sequence of events wasn't correct I guess.
I knew you were the best person to answer my question but I felt it was rude to call you out and @ you... so I was thrilled you were the one who responded. But now I feel stupid. :P
My next problem isn't IDS-related but is pfSense UI-related so I'll do a new post in the appropriate section and not bug you. :) Thanks!
-
Glad you got it working for you. BOTH is the best choice for the "Which IP to Block" setting as I explained above.