Suricata Blocking Google/Gmail
-
@steveits Hi Steve. I am using the Legacy mode. I am looking at the log from the pfSense Alerts tab, and I am not seeing a time matching when I try to refresh the browser search. The closest I have are these:
04/17/2022-01:37:25.296133 [**] [1:2025275:4] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.151:50983 -> 52.188.50.245:80
04/17/2022-01:41:09.123967 [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 104.248.148.95:53736 -> 172.16.1.240:443
-
@overcon Which of those 172.16.1.x IPs is your PC? The second one looks like a connection inbound to a web server on your LAN...? 52.188.50.245 looks like a Microsoft IP.
Overall, if the IP of www.google.com isn't in the Blocks tab then it isn't currently blocked, and if it isn't in the Alerts tab log then it wasn't Suricata doing the blocking.
re: Stream, we disable ALL stream-events.rules for Suricata because it seems to trigger lots of false positives.
-
@steveits Neither of those IPs are my desktop. My IP is 172.16.1.24 and I am not seeing my IP in any of the Alerts. 172.16.1.240 is a webserver.
It is definitely something in Suricata (or something associated with something it is blocking), as everything was working until I enabled it. I was thinking it might be interfering with my Pihole DNS servers, but I don't see their IPs showing up either.
One odd thing is, I can ping google.com and I can check my email from Gmail using my mail client. But if I try and do a search with google.com or try and open Gmail using a browser it gets rejected. So maybe it isn't directly blocking Google, but it is impacting something that is causing issues with using it to search.
-
Here is everything it has dropped so far, I don't know if this would help. I did disable all the stream-events.rules as you mentioned.
-
@steveits said in Suricata Blocking Google/Gmail:
stream-events.rules
I cleared all the blocks out and let it run to see if disabling the stream-events was the issue. I also noticed a lot of these DNS queries in the Alerts, so I suppressed them (they were coming from the pi-hole servers). That is my pi-hole DNS server, so that could have been impacting web requests for google.com
04/16/2022-21:42:34.986693 [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.7:57109 -> 95.100.175.66:53
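As an added example (not code from anyone in this thread, and not part of pfSense or Suricata): a small Python script that parses Suricata fast.log lines like the ones quoted above, checks whether a given LAN IP appears in them (the check described earlier in the thread: if the client's IP is not in the Alerts, Suricata did not block that client), and models which alerts a threshold.config suppress entry would remove (the pi-hole DNS alert suppression described in the post above). The sample log is constructed from the three alerts quoted in the thread; the suppression model does exact IP matching only (Suricata also accepts subnets and address variables there), and IPv6 addresses are not handled.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three fast.log lines quoted in this thread.
SAMPLE_FAST_LOG = """\
04/17/2022-01:37:25.296133  [**] [1:2025275:4] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.151:50983 -> 52.188.50.245:80
04/17/2022-01:41:09.123967  [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 104.248.148.95:53736 -> 172.16.1.240:443
04/16/2022-21:42:34.986693  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.1.7:57109 -> 95.100.175.66:53
"""

# One fast.log record. The "[**]" separators are optional in the pattern because
# forum/markdown rendering often strips the asterisks, leaving a bare "[]".
# IPv4 only: the src/dst groups stop at the first ":" before the port.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?:\*\*)?\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[(?:\*\*)?\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_log(text: str) -> list[Alert]:
    """Parse fast.log text into Alert records; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def alerts_involving(alerts: list[Alert], host_ip: str) -> list[Alert]:
    """Alerts where the host is source or destination. If Suricata blocked a
    client's traffic, the client's LAN IP has to show up in at least one of these."""
    return [a for a in alerts if host_ip in (a.src, a.dst)]


def matches_suppression(alert: Alert, sup: dict) -> bool:
    """sup is {"sid": int, "track": "by_src"|"by_dst"|"by_either", "ip": str, ["gid": int]}.
    Exact IP match only (constructed simplification of Suricata's ip argument)."""
    if alert.sid != sup["sid"] or alert.gid != sup.get("gid", 1):
        return False
    track = sup["track"]
    if track == "by_src":
        return alert.src == sup["ip"]
    if track == "by_dst":
        return alert.dst == sup["ip"]
    if track == "by_either":
        return sup["ip"] in (alert.src, alert.dst)
    raise ValueError(f"unknown track: {track}")


def apply_suppressions(alerts: list[Alert], suppressions: list[dict]) -> list[Alert]:
    """Return the alerts that would still be raised after the suppressions."""
    return [a for a in alerts if not any(matches_suppression(a, s) for s in suppressions)]


def suppress_line(sid: int, track: str, ip: str, gid: int = 1) -> str:
    """Render a suppression in Suricata threshold.config syntax."""
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    # The desktop from the thread: nothing involves it, so Suricata did not drop its traffic.
    print("alerts involving 172.16.1.24:", alerts_involving(alerts, "172.16.1.24"))
    # Suppress the .cloud TLD DNS alert only when the pi-hole is the source.
    sup = {"sid": 2027865, "track": "by_src", "ip": "172.16.1.7"}
    print(suppress_line(**sup))
    for a in apply_suppressions(alerts, [sup]):
        print(a.sid, a.msg)
```

Tracking the suppression `by_src` on the pi-hole's address keeps the rule active for any other host making the same query, which is usually what you want when silencing a known resolver rather than the whole signature.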
-
Suricata blocks Google.com from time to time.... search doesn't work in Firefox or Google.
Turn to google.ch and it works fine.
It's fuc**ing annoying.
-
@cool_corona Are you saying this just happens at random? God, I hope not.
-
@overcon It does. It works when you release the blocks, and after some time it stops working, and there is no way to log what's happening since Google has a gazillion IPs....
-
@cool_corona They do, but the LAN IP is in the Alerts tab along with the rule triggering it.
FWIW none of our clients have issues with google.com.
-
@steveits Yeah, but it's running in a loaded datacenter with a shitload of terminal servers accessing all kinds of sites.
You can't keep up, and even if you whitelist it, it blocks.