Netgate Discussion Forum
    Suricata 6 using ET rule 2009582 incorrectly blocking $HOME_NET *and* $EXTERNAL_NET

    drewsaur (last edited by drewsaur):

      Two days ago, I finally updated to pfSense 2.5.0. Along with it came updates to pfBlockerNG 3.0.0_15, and Suricata 6.0.0_9.

      For a very long time, I have used the "ET Scan" rule category in Suricata on both my LAN and WAN, and I have tweaked the rules to avoid FPs. Of all of the active rules that I have not disabled in my SID files, I have them set to DROP traffic. Again, this has worked flawlessly for years.

      Problem is, I have recently encountered an issue where rule 2009582 (https://doc.emergingthreats.net/2009582) is causing a drop not just on $EXTERNAL_NET addresses (which is what I want, and which is all that has ever happened, for years!), but is also dropping $HOME_NET addresses. Makes no sense!

      For instance, in both of the following activities, not only were the external IP addresses put in the block list (good), but 192.168.0.6 was put in Suricata's block list as well (bad!)!

      Important note: I enabled IPv6 on the firewall today. Could that play a role?

      Date                 Pri  Proto  Class                       Source IP       SPort  Destination IP  DPort  GID:SID    Description
      03/16/2021 18:33:53  2    TCP    Attempted Information Leak  176.58.101.217  31607  192.168.0.6     443    1:2009582  ET SCAN NMAP -sS window 1024
      03/16/2021 17:33:48  2    TCP    Attempted Information Leak  89.190.156.200  50386  192.168.0.6     80     1:2009582  ET SCAN NMAP -sS window 1024

      drewsaur:

        Also, yes, I want to run the ET Scan rulesets on the LAN interface; there are many good ones that can help me identify oddities on the outbound. A rule like https://doc.emergingthreats.net/2009582 should never block $HOME_NET.

        bmeeks:

          Are you using Inline IPS Mode or Legacy Mode Blocking? You mention "block list", so maybe you mean the IP showing up on the BLOCKS tab, but just want to be sure which mode you have in service.

          If using Legacy Mode Blocking, you will need to actually look at the Pass List contents on your LAN interface. Go to INTERFACES, click to edit the LAN interface, and then click the View List button beside Pass List to see what the actual contents are. Do you see the 192.168.0.0/24 network listed? I'm assuming it's a /24 subnet, but whatever the mask, you should see it listed. If not, then something is not registering properly.

          If you are using Inline IPS Mode, then there is no Pass List as that has no meaning with that mode.

          drewsaur @bmeeks:

            @bmeeks I am using legacy mode. The pass list is:

            1.1.1.2/32
            127.0.0.1/32
            {public IPv4s}
            192.168.0.0/24
            192.168.100.100/32
            {public IPv6s}
            ::1/128
            fe80::1:1/128

            drewsaur @drewsaur:
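The check bmeeks describes, applied to the pass list drewsaur posted: in Legacy Mode the blocking plugin adds the alert's addresses to the block table unless they are covered by a pass-list entry, so a missing or unparsed LAN entry is exactly what lets 192.168.0.6 be blocked. This is an added example, not code from the thread or from the pfSense Suricata package; it assumes the "block both source and destination" behaviour, and the public IPv4/IPv6 entries that the post elides are replaced with documentation-prefix placeholders.

```python
import ipaddress

# Pass list as posted in the thread. The post elides the public addresses,
# so placeholder documentation-range values stand in for them here.
PASS_LIST = [
    "1.1.1.2/32",
    "127.0.0.1/32",
    "203.0.113.10/32",   # placeholder for {public IPv4s}
    "192.168.0.0/24",
    "192.168.100.100/32",
    "2001:db8::1/128",   # placeholder for {public IPv6s}
    "::1/128",
    "fe80::1:1/128",
]

# The two alerts from the first post, reduced to the fields blocking looks at.
ALERTS = [
    {"src": "176.58.101.217", "dst": "192.168.0.6", "sid": 2009582},
    {"src": "89.190.156.200", "dst": "192.168.0.6", "sid": 2009582},
]


def parse_pass_list(entries):
    """Parse v4/v6 CIDR strings into network objects; a malformed entry raises."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_passed(ip, networks):
    """True if ip falls inside any pass-list network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def legacy_block_candidates(alerts, pass_list):
    """Return the set of IPs Legacy Mode blocking would add for these alerts.

    Assumption: both source and destination are candidates ("block both"),
    and any address covered by the pass list is skipped.
    """
    nets = parse_pass_list(pass_list)
    blocked = set()
    for alert in alerts:
        for ip in (alert["src"], alert["dst"]):
            if not is_passed(ip, nets):
                blocked.add(ip)
    return blocked


if __name__ == "__main__":
    print("with LAN in pass list:", sorted(legacy_block_candidates(ALERTS, PASS_LIST)))
    # Drop the LAN subnet to reproduce the symptom reported in the thread.
    broken = [e for e in PASS_LIST if e != "192.168.0.0/24"]
    print("without LAN in pass list:", sorted(legacy_block_candidates(ALERTS, broken)))
```

With the /24 present only the two external addresses are block candidates; remove it and 192.168.0.6 joins them, which is the behaviour to check for on the interface's View List output.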

              For what it's worth, rebooting my pfSense box seems to have stopped this for now.
