Suricata 6 using ET rule 2009582 incorrectly blocking $HOME_NET *and* $EXTERNAL_NET
-
Two days ago, I finally updated to pfSense 2.5.0. Along with it came updates to pfBlockerNG 3.0.0_15, and Suricata 6.0.0_9.
For a very long time, I have used the "ET Scan" rule category in Suricata on both my LAN and WAN, and I have tweaked the rules to avoid FPs. Of all of the active rules that I have not disabled in my SID files, I have them set to DROP traffic. Again, this has worked flawlessly for years.
Problem is, I have recently encountered an issue where rule 2009582 (https://doc.emergingthreats.net/2009582) is causing a drop not just on $EXTERNAL_NET addresses (which is what I want, and which is all that has ever happened, for years!), but is also dropping $HOME_NET addresses. Makes no sense!
For instance, in both of the following activities, not only were the external IP addresses put in the block list (good), but 192.168.0.6 was put in Suricata's block list as well (bad!)!
Important note: I enabled IPv6 on the firewall today. Could that play a role?
03/16/2021 18:33:53  Pri 2  TCP  Attempted Information Leak  176.58.101.217:31607 -> 192.168.0.6:443  1:2009582  ET SCAN NMAP -sS window 1024
03/16/2021 17:33:48  Pri 2  TCP  Attempted Information Leak  89.190.156.200:50386 -> 192.168.0.6:80  1:2009582  ET SCAN NMAP -sS window 1024
-
Also, yes, I want to run the ET Scan rulesets on the LAN interface; there are many good ones that can help me identify oddities on the outbound. A rule like https://doc.emergingthreats.net/2009582 should never block $HOME_NET.
-
Are you using Inline IPS Mode or Legacy Mode Blocking? You mention "block list", so maybe you mean the IP showing up on the BLOCKS tab, but just want to be sure which mode you have in service.
If using Legacy Mode Blocking, you will need to actually look at the Pass List contents on your LAN interface. Go to INTERFACES, click to edit the LAN interface, and then click the View List button beside Pass List to see what the actual contents are. Do you see the 192.168.0.0/24 network listed? I'm assuming it's a /24 subnet, but whatever the mask, you should see it listed. If not, then something is not registering properly.
If you are using Inline IPS Mode, then there is no Pass List as that has no meaning with that mode.
-
@bmeeks I am using legacy mode. The pass list is:
1.1.1.2/32
127.0.0.1/32
{public IPv4s}
192.168.0.0/24
192.168.100.100/32
{public IPv6s}
::1/128
fe80::1:1/128
-
For what it's worth, rebooting my pfSense box seems to have stopped this for now.
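The pass-list check bmeeks describes, and the way it decides which endpoints of the two quoted alerts end up on the BLOCKS tab, as an added example that is not code from the thread or from the pfSense Suricata package. It assumes a simplified model of Legacy Mode Blocking (both endpoints of an alert are block candidates unless pass-listed) and substitutes constructed documentation-range addresses for the public IPs elided as {public IPv4s}/{public IPv6s}.

```python
import ipaddress

# Pass list as posted in the thread; the public addresses elided there are
# replaced with constructed documentation-range placeholders so this runs offline.
PASS_LIST = """\
1.1.1.2/32
127.0.0.1/32
203.0.113.10/32
192.168.0.0/24
192.168.100.100/32
2001:db8::10/128
::1/128
fe80::1:1/128
"""

# (src, dst) pairs from the two SID 2009582 alerts quoted in the thread.
ALERTS = [
    ("176.58.101.217", "192.168.0.6"),
    ("89.190.156.200", "192.168.0.6"),
]


def parse_pass_list(text):
    """Parse one CIDR per line (IPv4 or IPv6) into network objects."""
    return [ipaddress.ip_network(line.strip()) for line in text.splitlines() if line.strip()]


def is_passed(ip, networks):
    """True if the address falls inside any pass-list network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def legacy_block_candidates(alerts, networks):
    """Simplified model (assumption) of Legacy Mode Blocking as described in the
    thread: both endpoints of an alert are block candidates unless pass-listed."""
    blocked = set()
    for src, dst in alerts:
        for ip in (src, dst):
            if not is_passed(ip, networks):
                blocked.add(ip)
    return blocked


def missing_from_pass_list(home_nets, networks):
    """Return HOME_NET ranges not fully covered by the pass list, i.e. the check
    bmeeks asks for (is 192.168.0.0/24 actually listed?)."""
    nets = [ipaddress.ip_network(h) for h in home_nets]
    return [str(h) for h in nets
            if not any(h.subnet_of(n) for n in networks if n.version == h.version)]


if __name__ == "__main__":
    nets = parse_pass_list(PASS_LIST)
    print("would block:", sorted(legacy_block_candidates(ALERTS, nets)))
    print("HOME_NET gaps:", missing_from_pass_list(["192.168.0.0/24"], nets))
```

With the /24 present only the two external addresses are block candidates; drop that line from the pass list and 192.168.0.6 shows up as well, which is the symptom the thread describes.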