    Having problems lately with suricata.

    IDS/IPS
    • Bob.Dig
      Bob.Dig last edited by Bob.Dig

      @bmeeks Hi. Like the title says, I had some bad experiences lately.

      Some weeks ago I had some very bad connection problems with my main machine. I thought that somehow my Asus router in AP mode doing VLANs was the reason.
      After a reboot of pfSense everything was fine at first, but later I got blocked again.

      After some days I found out that Suricata totally blocked my machine, probably because of an ET rule to block Windows phoning home. But it should never ever block my machine, right?

      I couldn't even connect to pfSense anymore. Like I said, after some days of problems I removed Suricata and the problem was gone.

      Lately I tried it again, this time running Suricata in inline IPS mode and only on LAN, which is an Intel NIC but also the parent interface of VLANs. I had only activated alert mode and wasn't even blocking anything.
      But my phone, which is connected to a VLAN on the Asus router, instantly had no internet anymore. So I ditched Suricata again.

      Is this expected behavior, or is my pfSense install somehow flawed? I did uninstall Suricata, and with that deleted its settings, every time.

      • bmeeks
        bmeeks last edited by

        Unless you modify it, there is an automatic "default" Pass List created by Suricata for each interface. That Pass List contains the WAN public IP, the interface IP address subnet of every local interface on the firewall, your configured DNS servers, the loopback addresses (IPv4 and IPv6) and the default gateway. No IP addresses in that list will get blocked.

        Now, if you have something downstream (that Asus wireless router) that is potentially NATing for you, that would be a problem, as those NAT IP addresses would not be in a pass list. That's what I bet is happening.

        You need to look at the actual IP address of the device being blocked (look it up on the device itself), then go into the ALERTS tab with Suricata running and see if that IP is in an alert. If so, then go to the INTERFACE SETTINGS tab for the interface that blocked it and open up and view the contents of the default Pass List. I'm betting that the IP you see blocked (your device) is not within the subnets listed in the default Pass List.

        • Bob.Dig
          Bob.Dig @bmeeks last edited by

          @bmeeks The first time it was my main machine, which has an IP address in my LAN network.
          The second time, like I said, there was no blocking active at all...

          I wonder if my Asus router doing the VLANs is the problem and Suricata doesn't like it at all. 😕

          • bmeeks
            bmeeks @Bob.Dig last edited by

            @bob-dig
            Not being there to see your actual configuration, my bet is your Asus router is still in "router" mode and is doing NAT. You haven't shown me the actual IP addresses in use. If they are in RFC 1918 space, there is no privacy issue at all with sharing them here.

            Show me the IP subnet of your LAN, the actual IP addresses your phone and PC are using, and a screenshot of the BLOCKS tab of Suricata when one of your devices is not working.

            One other point: Suricata and Snort "block" by sending the offender's IP address to the firewall, where it is added to a table. Stopping Suricata or Snort on the interface, or even disabling blocking on the interface, will NOT remove the IP from the firewall's table. It will still be blocked. You must manually clear any blocks!

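The check bmeeks describes (is the blocked device's IP inside any subnet of the interface's default Pass List?) and the persistent firewall table he warns about, as an added example that is not part of this thread or of the Suricata package. The pass-list entries and the table contents below are constructed samples; the table text mimics what `pfctl -t snort2c -T show` prints on pfSense (the table name comes from the thread).

```python
import ipaddress

# Constructed stand-in for a Suricata default Pass List on a LAN interface:
# local interface subnet, WAN public IP, configured DNS, loopbacks, gateway.
DEFAULT_PASS_LIST = [
    "192.168.1.0/24",    # LAN interface subnet
    "203.0.113.10/32",   # WAN public IP (documentation range, constructed)
    "9.9.9.9/32",        # configured DNS server (constructed)
    "127.0.0.0/8",       # IPv4 loopback
    "::1/128",           # IPv6 loopback
    "192.168.1.1/32",    # default gateway
]

# Constructed sample of the firewall's block table, in the layout pfctl uses.
# 192.168.50.23 stands in for a device behind a downstream NAT router whose
# subnet is NOT a firewall interface subnet, so it is absent from the pass list.
SAMPLE_TABLE = """\
   192.168.1.50
   192.168.50.23
   198.51.100.77
"""


def parse_pass_list(entries):
    """Turn pass-list strings into network objects (host entries become /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covering_entry(ip, networks):
    """Return the pass-list network that contains ip, or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def classify_blocks(table_text, pass_list):
    """Map each IP in the block table to True if a pass-list entry should have
    protected it (a sign the pass list does not match what you expected) or
    False if it lies outside every entry, which is why it could be blocked.
    Remember that entries stay in the table until cleared by hand."""
    nets = parse_pass_list(pass_list)
    report = {}
    for line in table_text.splitlines():
        ip = line.strip()
        if ip:
            report[ip] = covering_entry(ip, nets) is not None
    return report


if __name__ == "__main__":
    for ip, covered in classify_blocks(SAMPLE_TABLE, DEFAULT_PASS_LIST).items():
        print(f"{ip:16} pass-listed={covered}")
```

On a live firewall the table contents would come from the BLOCKS tab or from `pfctl -t snort2c -T show`, and clearing a stale entry is done there rather than by stopping Suricata.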
            • Bob.Dig
              Bob.Dig @bmeeks last edited by Bob.Dig

              @bmeeks I have uninstalled Suricata, so I can't show you everything right now. The router is in AP mode, but the VLAN functionality is not something it would normally do; it is only possible by running some scripts on it. Snort2c is empty right now.
              I will come back to you next time I try Suricata. Thank you. 🖖
