Suricata info rule kicked in and blocked all elastic outgoing
-
We just found that an emerging info rule kicked in which blocked all our outgoing elastic logs.
Wondering why these IPs get blocked. Anyone had a similar experience?
-
stephenw10 moved this topic from General pfSense Questions on
-
The rule signature should be pretty specific; without a SID nobody can be very helpful.
However, I did notice that somebody at proofpoint added a half dozen rules yesterday that pinched something of mine too. Just due to vague time correlation, I'd say it might be related to this:
14FEB22 - Daily Update
I generally agree that free certificates are much more likely to be misused by bad actors than certificates that have a real cost associated with them. That doesn't necessarily make them suspicious right off the bat. Hence they're in the 'info' section and not legit threats/C2/knowncompromised sections.
As they're NEW rules, you probably need to disable them. :)
My guess is you were using Let's Encrypt for your encryption between nodes. :)
--EDIT--
As you may experience trouble with the suppress button like me, I'll post my manual edits to the suppress list here for you to easymode it directly (hopefully I freestyled it right):
#ET INFO rules added 14FEB2022 for Let's Encrypt Certificates
suppress gen_id 1, sig_id 2035189
suppress gen_id 1, sig_id 2035190
suppress gen_id 1, sig_id 2035191
suppress gen_id 1, sig_id 2035192
suppress gen_id 1, sig_id 2035193
Alternatively you could tweak the rules directly to NOT trigger on your own certs but still trigger on other people's certs. Obviously I can't do that one for you. :)
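Added example (not from skogs or the thread): instead of suppressing the five ET INFO SIDs globally, the script below reads Suricata eve.json alert records, and for the SIDs named above emits threshold.conf suppress entries scoped with `track by_dst, ip` to destinations inside your own networks (here an assumed 10.10.0.0/24 for the Elastic nodes), so the rules keep firing for certificates seen toward anyone else. The eve.json lines and the signature text are constructed placeholders.

```python
import json
from ipaddress import ip_address, ip_network

# SIDs named in the thread (ET INFO Let's Encrypt rules added 14FEB2022).
LETSENCRYPT_INFO_SIDS = {2035189, 2035190, 2035191, 2035192, 2035193}

# Constructed eve.json alert records for illustration; the signature text is a
# placeholder, not the real rule message.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.10.0.5","dest_ip":"10.10.0.20",'
    '"alert":{"gid":1,"signature_id":2035190,"signature":"ET INFO placeholder"}}',
    '{"event_type":"alert","src_ip":"10.10.0.6","dest_ip":"10.10.0.20",'
    '"alert":{"gid":1,"signature_id":2035190,"signature":"ET INFO placeholder"}}',
    '{"event_type":"alert","src_ip":"10.10.0.5","dest_ip":"203.0.113.9",'
    '"alert":{"gid":1,"signature_id":2035191,"signature":"ET INFO placeholder"}}',
    '{"event_type":"flow","src_ip":"10.10.0.5","dest_ip":"10.10.0.20"}',
]

def parse_alerts(lines):
    """Yield (gid, sid, src_ip, dest_ip) per alert record; other event types are skipped."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        yield a["gid"], a["signature_id"], rec["src_ip"], rec["dest_ip"]

def scoped_suppressions(lines, trusted_nets, sids=LETSENCRYPT_INFO_SIDS):
    """Build threshold.conf suppress entries that silence the given SIDs only for
    alerts whose destination lies in one of our own (trusted) networks.
    Returns (suppress_lines, unexplained); unexplained lists alerts for these SIDs
    toward destinations outside trusted_nets, which still deserve a manual look."""
    nets = [ip_network(n) for n in trusted_nets]
    keep, unexplained = set(), []
    for gid, sid, src, dst in parse_alerts(lines):
        if sid not in sids:
            continue
        if any(ip_address(dst) in n for n in nets):
            keep.add((gid, sid, dst))
        else:
            unexplained.append((sid, src, dst))
    suppress = [f"suppress gen_id {g}, sig_id {s}, track by_dst, ip {d}"
                for g, s, d in sorted(keep)]
    return suppress, unexplained

if __name__ == "__main__":
    sup, rest = scoped_suppressions(SAMPLE_EVE_LINES, ["10.10.0.0/24"])
    print("\n".join(sup))
    for sid, src, dst in rest:
        print(f"# review: sid {sid} {src} -> {dst} is not covered by a suppress entry")
```

The emitted lines go into the same suppress list skogs edited; the `ip` argument also accepts a CIDR or an address variable if you would rather cover the whole Elastic subnet in one entry.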
-
@skogs Hey mate, sorry for not giving you any meaningful information, but you guessed it right.
SID 2035190 was the one that caused issues for me. And yes, we were using Let's Encrypt for some of our stuff.
Thanks for the valuable info though.
I'm a pretty beginner on firewalls. I have a senior admin who mostly looks into this sort of thing, but I'm trying to be as helpful as I can!