Suricata 6.0.3_3 pass list missing all single IPs (alias, DNS)

SteveITS

I recently upgraded a client from pfSense 2.4.4 through 2.4.5 to 21.05.1, and Suricata package 6.0.3_3. I uninstalled Suricata first and installed it again when done. Afterwards I noticed the Suricata pass list is missing some IPs, but it has others. I noticed this because it blocked our office IP this morning.

passlist_26481 has one entry, alias Suricata_Trusted_Hosts.
passlist_26481 is assigned on LAN.

Suricata_Trusted_Hosts has 4 entries:
ITS_Office (alias for one IP)
207.229.162.105
ITSMailGuard (alias for several subnets)
192.168.16.5 (local IP scanning the network)

View List on the passlist shows some of these. The IP of ITS_Office is missing but the subnets in ITSMailGuard are listed. The two IPs are not listed. Maybe the .5 can be logically omitted since 192.168.16.0/24 is listed, but I don't understand the other two? ITS_Office is listed and correct in Diagnostics/Tables.

I restarted Suricata with no change.

I deleted ITSMailGuard from the Suricata_Trusted_Hosts alias, as it's no longer needed, and applied the alias. Without restarting Suricata, the View List button now shows the table without the ITSMailGuard subnets but still doesn't have the others.

I added the IP in ITS_Office to the Suricata_Trusted_Hosts alias directly and it still doesn't show in View List.

Suricata.log shows it adding IPs to the pass list, but does not mention the missing ones.

bmeeks

Just a wild guess, but perhaps the fix for this bug: https://redmine.pfsense.org/issues/12322 is playing a role here.

The only way to add mulitple IP addresses to a Pass List in Suricata (outside of those IP addresses selected by the included checkboxes for gateway, DNS, VIP, etc.) is to put all of the IP addresses into an alias. You can nest aliases, but you must be careful when doing so. When Suricata is "resolving" that alias into its constitutent IP addresses, the pfSense system calls can return empty strings for certain types of aliases. That could result in the entire alias being discarded by Suricata. The Suricata package depends on pfSense (via certain system API calls) to resolve aliases into IP addresses or subnets.

To troubleshoot this you need to just create a single alias and populate it with each nested alias and/or IP one at the time, and then test by clicking the View List button for the Pass List on the INTERFACES tab. The idea is to add back aliases and/or IP addresses one at the time until it breaks. Then you've found the problem.

SteveITS

@bmeeks Even going down to one IP in the alias, it does not show when I click View List. I tried 207.229.162.105, our office alias, and our office IP directly. I even restarted Suricata once.

Log:
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Creating automatic firewall interface IP address Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface mvneta1 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0d:2cbc to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface mvneta1 IPv4 address 192.168.16.1 to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface mvneta2 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0d:2cbd to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface mvneta2 IPv4 address wan.ip.v.4 to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf output device (regular) initialized: block.log
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv4 address 127.0.0.1/32 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv4 address 192.168.16.0/24 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv4 address wan.gateway.v.4/32 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv4 address wan.ip.v.4/32 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv6 address ::1/128 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv6 address fe80::208:a2ff:fe0d:2cbc/128 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Added IPv6 address fe80::208:a2ff:fe0d:2cbd/128 from assigned Pass List.
18/10/2021 -- 16:31:08 - <Info> -- alert-pf -> Pass List /usr/local/etc/suricata/suricata_52857_mvneta1/passlist parsed: 7 IP addresses loaded.

/usr/local/etc/suricata/suricata_52857_mvneta1/passlist does contain only the ones shown:
127.0.0.1/32
192.168.16.0/24
wan.gateway.v.4/32
wan.ip.v.4/32
::1/128
fe80::208:a2ff:fe0d:2cbc/128
fe80::208:a2ff:fe0d:2cbd/128

I created alias SuricataTrustedHosts without the _, assigned it to the pass list, restarted Suricata, still not in the pass list table.

There is only one Suricata process running.

٩(͡๏̯͡๏)۶
(not at you, just confused)

SteveITS

@bmeeks If I change the alias to be type Network(s) and set OurIP/32, it immediately shows under View List. It was type Host(s).

Edit: pfSense lets me enter the ITS_Office alias there, but doesn't autocomplete it...it is autocompleting only the networks alias. Makes sense, just noting it. Have to enter IP/32 and have two places to change it.

Edit 2: Note the ITSMailGuard alias was type Network(s), which is consistent with that working.

SteveITS

I pulled up routers using 21.05 and 2.5.2 with Suricata 6.0.0_14 which has the Suricata_Trusted_Hosts alias set to Hosts(s) and working for IPs there.

SteveITS

I pulled up a 21.05 with Snort 4.1.4_3 and it is OK with IPs.

bmeeks

I suspect it is somehow related to the bugfix I linked, but I can't say with absolute certainty. I did not author that particular code fix. It was done by a Netgate staff developer. It's also possible, but not as likely, that something in pfSense 21.05.1 with respect to alias resolution changed.

SteveITS

@bmeeks said in Suricata pass list missing some IPs:

possible, but not as likely, that something in pfSense 21.05.1 with respect to alias resolution changed.

Using just one IP didn’t work so that’s not related to an alias.

I can try upgrading other Suricata installs maybe tonight or tomorrow night but it should be easy to replicate if someone can:

• create alias, type Host
• add one ip to alias
• apply alias change
  (- assign alias to pass list and restart Suricata)
• click View List

SteveITS

@bmeeks I duplicated the behavior this morning on our internal 2.5.2 router simply by upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3. Notably it omits DNS, gateway, etc. ... anything that is configured or detected as an IP and not a /32. Changing aliases one at a time from Host(s) to Network(s) adds each to the pass list.

https://redmine.pfsense.org/issues/12476

bmeeks

@steveits said in Suricata pass list missing some IPs:

@bmeeks I duplicated the behavior this morning on our internal 2.5.2 router simply by upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3. Notably it omits DNS, gateway, etc. ... anything that is configured or detected as an IP and not a /32. Changing aliases one at a time from Host(s) to Network(s) adds each to the pass list.

https://redmine.pfsense.org/issues/12476

I will take a look at this. I'm still guessing it is an unintended consequence of fixing an earlier bug where some aliases resulted in an empty array() variable getting written to the HOME_NET variable.

bmeeks

The Netgate developer team beat me fixing this bug. A pull request to address this problem has been posted here: https://github.com/pfsense/FreeBSD-ports/pull/1117. Look for the fix to get merged into the production package in the near future.

In the meantime, if you can read and understand GitHub diff files, you can make the simple edit yourself on your firewalls.

SteveITS

Thank you both. Seems good to me, changed the aliases back and the list looks like my original.

bmeeks

Great! The change should make it into a formal package update soon.

Thanks to @viktor_g for the quick fix. He knew right where to look. It would have taken me a bit longer to dig around in the function code and find the issue.