Suricata Blocking Google/Gmail
-
Hi All,
I could use some help. I just enabled Suricata on my pfSense box after running it on just logging and trying to figure out and exclude false positives. But now that I have it actually blocking stuff, one of the things it is blocking, and I can't find out what rule, is Google.
So when I try and do a search in my browsers which have Google as the search engine, I just get:
Unable to connect
An error occurred during a connection to www.google.com.
The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
I am new to this and not sure how to find the rule blocking this traffic. Could anyone help me find which rule so I can disable it?
Thanks!
-
@overcon Look on the Alerts tab for alerts from your LAN IP at the time you are trying to connect to that site. Are you using Legacy or Inline mode?
-
@steveits Hi Steve. I am using the Legacy mode. I am looking at the log from the pfSense Alerts tab, and I am not seeing a time matching when I try and refresh the browser search. The closest I have are these:
04/17/2022-01:37:25.296133 [] [1:2025275:4] ET INFO Windows OS Submitting USB Metadata to Microsoft [] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.151:50983 -> 52.188.50.245:80
04/17/2022-01:41:09.123967 [] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 104.248.148.95:53736 -> 172.16.1.240:443
-
@overcon Which of those 172.16.1.x IPs is your PC? The second one looks like a connection inbound to a web server on your LAN...? 52.188.50.245 looks like a Microsoft IP.
Overall, if the IP of www.google.com isn't in the Blocks tab then it isn't currently blocked, and if it isn't in the Alerts tab log then it wasn't Suricata doing the blocking.
re: Stream, we disable ALL stream-events.rules for Suricata because it seems to trigger lots of false positives.
-
@steveits Neither of those IPs is my desktop. My IP is 172.16.1.24 and I am not seeing my IP in any of the Alerts. 172.16.1.240 is a web server.
It is definitely something in Suricata (or something associated with something it is blocking), as everything was working until I enabled it. I was thinking it might be interfering with my Pihole DNS servers, but I don't see their IPs showing up either.
One odd thing is, I can ping google.com and I can check my email from Gmail using my mail client. But if I try and do a search with google.com or try and open Gmail using a browser it gets rejected. So maybe it isn't directly blocking Google, but it is impacting something that is causing issues with using it to search.
-
Here is everything it has dropped so far, I don't know if this would help. I did disable all the Stream-events.rules as you mentioned.
-
@steveits said in Suricata Blocking Google/Gmail:
stream-events.rules
I cleared all the blocks out and let it run to see if disabling the stream-events was the issue. I also noticed a lot of these DNS queries in the Alerts, so I suppressed them (they were coming from the pi-hole servers). That is my pi-hole DNS server, so that could have been impacting web requests for google.com
04/16/2022-21:42:34.986693 [] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.7:57109 -> 95.100.175.66:53
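The triage steveits describes (look in the Alerts tab for the LAN host's IP at the time of the failure, then deal with the offending SID) and the suppression overcon applied to the pi-hole DNS alerts can both be scripted against Suricata's fast.log. The following is an added example written for this thread, not code from the forum, pfSense or the Suricata project. It parses the alert line format shown above, keeps only alerts that involve one LAN IP inside a time window, and emits the threshold.conf `suppress` entry that silences each SID for that host only (instead of disabling the rule for everyone). The embedded log lines are constructed samples: two are copied from the thread, one uses a placeholder SID and a documentation address (203.0.113.10) and does not describe any real rule.

```python
"""Triage Suricata fast.log alerts for one LAN host (added example, not the
thread's or any project's own code). Sample log lines below are constructed."""
import re
from datetime import datetime, timedelta

# fast.log layout:
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N]
#   {PROTO} src:port -> dst:port
# pfSense's rendering in the thread shows "[]" where Suricata writes "[**]";
# the bracket groups are matched loosely so both forms parse.
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[[^\]]*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[[^\]]*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: two lines quoted from the thread plus one placeholder alert
# (SID 9999999 is not a real rule; 203.0.113.10 is a documentation address).
SAMPLE_FASTLOG = """\
04/17/2022-01:37:25.296133 [**] [1:2025275:4] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.151:50983 -> 52.188.50.245:80
04/16/2022-21:42:34.986693 [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.7:57109 -> 95.100.175.66:53
04/17/2022-01:39:02.000001 [**] [1:9999999:1] CONSTRUCTED example alert (placeholder SID) [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.24:51000 -> 203.0.113.10:443
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return a dict for one fast.log alert line, or None if it does not parse."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key])
    return a


def alerts_for_host(lines, host_ip, around=None, window=timedelta(minutes=2)):
    """Alerts where host_ip is source or destination; if `around` is given,
    only those within +/- `window` of that time (the moment the page failed)."""
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a is None or host_ip not in (a["src"], a["dst"]):
            continue
        if around is not None and abs(a["ts"] - around) > window:
            continue
        hits.append(a)
    return hits


def suppress_lines(alerts, host_ip):
    """threshold.conf entries that silence each SID only for host_ip.
    track by_src when the host is the source, by_dst when it is the target."""
    seen, out = set(), []
    for a in alerts:
        track = "by_src" if a["src"] == host_ip else "by_dst"
        key = (a["gid"], a["sid"], track)
        if key in seen:
            continue
        seen.add(key)
        out.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, "
                   f"track {track}, ip {host_ip}")
    return out


if __name__ == "__main__":
    host = "172.16.1.24"                      # the desktop from the thread
    when = datetime(2022, 4, 17, 1, 39, 0)    # constructed failure time
    for a in alerts_for_host(SAMPLE_FASTLOG.splitlines(), host, around=when):
        print(f"{a['ts']} sid={a['sid']} {a['msg']} {a['src']} -> {a['dst']}")
    for s in suppress_lines(alerts_for_host(SAMPLE_FASTLOG.splitlines(), host), host):
        print(s)
```

Run it against a copy of the real fast.log with the LAN IP and the timestamp of the failed page load; an empty result for that host and window supports steveits's point that Suricata did not block the request. Narrowing a suppression to one IP keeps the rule active for the rest of the LAN, which is the safer choice than disabling a whole category.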
-
Suricata blocks Google.com from time to time.... search doesn't work in Firefox or Google.
Turn to google.ch and it works fine.
It's fuc**ing annoying.
-
@cool_corona Are you saying this just happens at random? God, I hope not.
-
@overcon It does. It works when you release the blocks, and after some time it stops working, and there is no way to log what's happening since Google has a gazillion IPs....
-
@cool_corona They do, but the LAN IP is in the Alerts tab along with the rule triggering it.
FWIW none of our clients have issues with google.com.
-
@steveits Yeah, but it's running in a loaded datacenter with a shitload of terminal servers accessing all kinds of sites.
You can't keep up, and even if you whitelist it, it blocks.