Suricata blocking IPs on passlist, legacy mode blocking both
-
@sgnoc said in Suricata blocking IPs on passlist, legacy mode blocking both:
I like running the bad reputation lists on my WAN.
OK. We put those in a pfBlocker feed or alias and just create a rule.
I'll watch on ours, AFAIK no internal IPs blocked yet. But thanks for the heads up. Threads like these recent Suricata threads are helpful to know what's going on.
-
Suricata is running only on internal interfaces here and DST addresses on the pass list are getting blocked.
-
Is everyone using the Default pass list or a custom list? We're using a custom list with all the "Auto-Generated IP Addresses" boxes checked, and our "trusted" alias added.
-
@SteveITS Threads like these are why we waited with the Suricata upgrade, but unfortunately there were still bugs left. Still grateful for @bmeeks' great work.
Keep an eye on your LAN IP so it doesn't get randomly blocked (!). IPs from both the default passlist and the IP Pass List can be blocked as it is now. We are using a custom passlist with all the "Auto-Generated IP Addresses" boxes checked and trusted alias added as well.
-
@btspce What rule is blocking your internal IPs? I'm wondering if it's not something we have enabled.
Our LAN IP has actually shown up but not been blocked... I suppressed a "SURICATA SSH invalid banner" alert yesterday from an internal network scanner/probe IP and it didn't block either.
I'd upgraded Suricata and set it back to Auto the day before.
-
@SteveITS Our WAN VIP and our DNS internal IP were both found in Suricata's block list and were very much blocked until removed.
Suricata works very well in that regard :)
WAN VIP
[Block Dst] [] [1:2402000:6860] ET DROP Dshield Block Listed Source group 1 [] [Classification: Misc Attack] [Priority: 2] {TCP}
[Block Dst] [] [1:2402000:6860] ET DROP Dshield Block Listed Source group 1 [] [Classification: Misc Attack] [Priority: 2] {TCP}
DNS
[Block Dst] [] [1:2035465:4] ET INFO Observed Discord Domain in DNS Lookup (discord .com) [] [Classification: Misc activity] [Priority: 3] {UDP}
-
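The check behind the post above (is anything in the pf `snort2c` table covered by a pass-list entry?) can be scripted so it runs after every Suricata restart instead of being noticed when a service breaks. The following is an added example, not code from the thread or from the pfSense Suricata package. It assumes the pass list is the one-entry-per-line file Bill refers to (`/usr/local/etc/suricata/suricata_xxx_yyyyy/passlist` in the log) and that the block table comes from `pfctl -t snort2c -T show`; both sample inputs below are constructed, with `198.51.100.1` standing in for the WAN gateway.

```python
import ipaddress

# Constructed sample pass list (not from the thread). It mirrors the shape of
# the pfSense default pass list: local nets, a /32 host, the gateway and a
# link-local IPv6 prefix. 198.51.100.1 is a documentation address used as a
# stand-in for the WAN gateway.
SAMPLE_PASS_LIST = """\
# default pass list, constructed example
10.10.5.0/24
10.10.5.101/32
10.10.31.0/29
127.0.0.1
198.51.100.1/32
fe80:6::/64
"""

# Constructed sample of what `pfctl -t snort2c -T show` prints on pfSense:
# one address per line, indented.
SAMPLE_BLOCK_TABLE = """\
   10.10.5.101
   10.10.31.3
   203.0.113.77
   fe80:6::1
"""


def parse_networks(lines):
    """Parse IPs/CIDRs, one per line; '#' comments and blank lines are skipped.
    Returns (parsed, unparsable) so an unexpanded alias name or a typo in the
    pass list is reported rather than silently dropped."""
    parsed, unparsable = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. "10.10.5.101/24"
            parsed.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            unparsable.append(entry)
    return parsed, unparsable


def passlisted_blocks(pass_lines, table_lines):
    """Map each blocked address to the pass-list entries that should have
    exempted it. An empty result is the healthy state."""
    pass_nets, _ = parse_networks(pass_lines)
    blocked, _ = parse_networks(table_lines)
    hits = {}
    for text, net in blocked:
        covering = [
            entry for entry, pnet in pass_nets
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
            if pnet.version == net.version and net.subnet_of(pnet)
        ]
        if covering:
            hits[text] = covering
    return hits


if __name__ == "__main__":
    report = passlisted_blocks(
        SAMPLE_PASS_LIST.splitlines(), SAMPLE_BLOCK_TABLE.splitlines()
    )
    for addr, entries in report.items():
        print(f"{addr} is in snort2c but covered by: {', '.join(entries)}")
```

On a firewall you would feed it the real files (`pfctl -t snort2c -T show > table.txt` and the interface's `passlist`). One caveat the thread's log makes visible: the interface addresses that the "Interface IP Address change monitoring thread" adds and deletes at runtime live in memory, not in the `passlist` file, so a clean result from the file alone does not prove the in-memory list still contains the WAN IP.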
@btspce FWIW we don't have either of those enabled...DShield is covered by the ET_Block feed in pfBlocker (so plain fw rule) and "info" is usually meant as informational/observation per Bill and we'd seen a lot of false positives so we don't have those enabled. So, small possibility it's rule related but I would think not.
"when I enable pass list debugging, everything starts working as normal"
Knowing absolutely nothing about the code, maybe thread/timing related?
-
@SteveITS Well, @bmeeks already found and fixed two bugs related to the passlist randomly not working higher up in this thread, which were included in the latest Suricata version as I understand it, so another one seems likely at this point. I'm waiting for Bill to chime in, but it's weird you don't see any issues yet.
Anyway, Suricata should not be blocking whitelisted IPs.
-
@SteveITS I'm using the default pass list on all of my interfaces.
-
@btspce and @sgnoc:
I need some additional information from both of you to help narrow this down.
1. Post the full output of the suricata.log file for the impacted interface (or interfaces if several). You can easily view that file and copy its contents to the clipboard for pasting here on the forum under the LOGS VIEW tab in Suricata. To make reading the file easier, once you paste its contents into your post, highlight all the text you just pasted with your mouse and then click the "Code" icon at the top of the post submission dialog. That icon looks like this: </>.
2. Use the DIAGNOSTICS > EDIT FILE menu choice in pfSense and browse to the configuration directory for an impacted Suricata interface and paste the full contents of the pass_list file back here. You will find the file under /usr/local/etc/suricata/suricata_xxx_yyyyy on the firewall. Again, use the DIAGNOSTICS > EDIT FILE menu choice to browse to the file and open it. Paste the contents back here. To format the pasted text so it's easier to read, do the same thing as step #1 above: highlight all of the pasted in text and click the Code icon (</>) to format it.
3. Are you using VLANs on the impacted interfaces? If so, how many?
4. Turn on the pass list debugging option as described in this post of mine higher up in this thread: https://forum.netgate.com/topic/184858/suricata-blocking-ips-on-passlist-legacy-mode-blocking-both/8.
I examined the Pass List logic pretty much all day yesterday, but I am not finding anything obviously wrong. Whatever is happening is subtle because not all users are impacted.
-
@bmeeks Hello, is there any other way I can send these files to you so we don't have to show our internal/external IP addresses to the whole world?
-
@btspce said in Suricata blocking IPs on passlist, legacy mode blocking both:
@bmeeks Hello, is there any other way I can send these files to you so we don't have to show our internal/external IP addresses to the whole world?
Yes, you can send them to my Gmail account. Here is the first part of the address. The second part is of course gmail.com.
billmeeks8
-
@bmeeks Email sent
-
@btspce said in Suricata blocking IPs on passlist, legacy mode blocking both:
@bmeeks Email sent
Confirmed receipt with a reply. Thank you for sending the data.
-
@bmeeks I'm trying to get this information for you. The trouble I seem to be having is it only happens when pass list debugging is off. When I turned on pass list debugging on the interface, the problem goes away, at least with one interface. I'm waiting to see if another interface with debugging on will alert, but it doesn't alert that often.
I'll continue to try and get you the above information as soon as possible.
-
@sgnoc said in Suricata blocking IPs on passlist, legacy mode blocking both:
@bmeeks I'm trying to get this information for you. The trouble I seem to be having is it only happens when pass list debugging is off. When I turned on pass list debugging on the interface, the problem goes away, at least with one interface. I'm waiting to see if another interface with debugging on will alert, but it doesn't alert that often.
I'll continue to try and get you the above information as soon as possible.
I will take it either way (with and/or without the pass list debugging). I'm really struggling to understand what relationship the pass list debugging option has, though. I have gone through the code multiple times trying to see if anything different happens relative to blocking with that enabled versus disabled, and I am not finding it.
-
@bmeeks Well, I finally got back to my network. I attempted to start from a fresh Suricata install and have had nothing but trouble since. I completely uninstalled Suricata, and then did a fresh install. Now I'm right back to my WAN interface blocking my WAN IP again, like it did in a previous post of mine on this topic.
I've tried uninstalling and reinstalling, restarting the Suricata service, and also restarting the pfSense router. Nothing so far has resolved it. I've had to disable blocking on the WAN interface so I can keep my network going. I have never had this or other interface internal IP blocking issues previous to this major version of Suricata, so I'm stumped. I've collected as much as possible from the logs, but without having the pass list debugging enabled. In this case it is easy: the WAN IP was not put in the default pass list. The interface was up and operational when Suricata was installed, and the WAN Gateway is in the list, just not the WAN IP. I have tried disabling blocking, restarting the interface, then enabling it and restarting again, but the default pass IP list is not updating with the WAN IP.
I am using VLANs on the internal interfaces, but not the WAN interface. On the internal switch of the XG-7100, I'm using 8 VLANs (not using default VLAN 1), ix0 is the WAN (no VLAN) and ix1 is going to the downstream switches using 6 VLANs (not using default VLAN 1).
As a note of what I saw in the log, it appears for whatever reason the WAN IP was added and removed from the IP Pass List multiple times, with an ending result of being deleted, causing the IP to be blocked on the next alert.
I still have blocking enabled on other interfaces to do testing, but I have to keep my WAN up, so I don't want to do too much testing unless it is specific to it.
Here is what I've collected.
*** EDIT *** I have to put this log in its own post, because of individual post length limitations.
Default Pass List IPs:
10.10.5.0/24 10.10.5.101/32 10.10.6.0/24 10.10.7.0/24 10.10.8.0/24 10.10.9.0/24 10.10.10.0/24 10.10.11.0/24 10.10.15.0/24 10.10.25.0/24 10.10.31.0/29 10.10.32.0/29 10.10.33.0/29 10.10.34.0/29 10.10.35.0/29 10.10.36.0/29 10.10.37.0/29 10.10.45.0/24 10.10.55.0/24 10.10.60.0/29 <WAN Gateway>/32 fe80:6::/64 fe80:7::/64 fe80:8::/64 fe80:9::/64 fe80:10::/64
-
Suricata.log for WAN interface (replaced actual WAN IP and WAN Gateway with aliases):
[102572 - Suricata-Main] 2023-12-23 23:56:17 Notice: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode
[102572 - Suricata-Main] 2023-12-23 23:56:17 Info: cpu: CPUs/cores online: 4
[102572 - Suricata-Main] 2023-12-23 23:56:17 Info: suricata: Setting engine mode to IDS mode by default
[102572 - Suricata-Main] 2023-12-23 23:56:18 Info: app-layer-htp-mem: HTTP memcap: 67108864
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Creating automatic firewall interface IP address Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix0 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix0 IPv4 address <WAN IP> to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.5 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.5 IPv4 address 10.10.5.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.15 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.15 IPv4 address 10.10.15.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.25 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.25 IPv4 address 10.10.25.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.45 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.45 IPv4 address 10.10.45.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.31 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.31 IPv4 address 10.10.31.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.32 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.32 IPv4 address 10.10.32.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.33 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.33 IPv4 address 10.10.33.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.34 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.34 IPv4 address 10.10.34.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.35 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.35 IPv4 address 10.10.35.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.36 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.36 IPv4 address 10.10.36.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.37 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.37 IPv4 address 10.10.37.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface lagg0.38 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.55 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.55 IPv4 address 10.10.55.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.60 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ix1.60 IPv4 address 10.10.60.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns1 IPv4 address 10.10.6.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns2 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns2 IPv4 address 10.10.7.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns2 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns3 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns3 IPv4 address 10.10.8.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns3 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns4 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns4 IPv4 address 10.10.9.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns4 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns5 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns5 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface ovpns5 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Adding firewall interface tun_wg0 IPv4 address 10.10.11.1 to automatic interface IP Pass List.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: logopenfile: alert-pf output device (regular) initialized: block.log
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_57861_ix0/passlist.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_57861_ix0/passlist processed: Total entries parsed: 26, IP addresses/netblocks/aliases added to No Block list: 26, IP addresses/netblocks ignored because they were covered by existing entries: 0.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=yes passlist-debugging=no
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: alert-pf: Created Interface IP Address change monitoring thread for auto-whitelisting of firewall interface IP addresses.
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: logopenfile: fast output device (regular) initialized: alerts.log
[102298 - Suricata-Main] 2023-12-23 23:56:18 Info: logopenfile: http-log output device (regular) initialized: http.log
[120645 - Suricata-IM#01] 2023-12-23 23:56:18 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 has successfully started.
[102298 - Suricata-Main] 2023-12-23 23:56:26 Error: detect-tls-ja3-hash: ja3 support is not enabled
[102298 - Suricata-Main] 2023-12-23 23:56:26 Error: detect: error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, confidence Low, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 7933
[102298 - Suricata-Main] 2023-12-23 23:56:26 Error: detect-tls-ja3s-hash: ja3(s) support is not enabled
[102298 - Suricata-Main] 2023-12-23 23:56:26 Error: detect: error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)"; flow:established,to_client; flowbits:isset,ETPRO.asyncrat.flowbit; ja3s.hash; content:"b74704234e6128f33bff9865696e31b3"; fast_pattern; reference:url,github.com/NYAN-x-CAT/AsyncRAT-C-Sharp; classtype:command-and-control; sid:2842478; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category JA3, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_05_08;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 8028
[102298 - Suricata-Main] 2023-12-23 23:56:49 Error: detect-parse: no terminating ";" found
[102298 - Suricata-Main] 2023-12-23 23:56:49 Error: detect: error parsing signature "drop tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkVision RAT CnC Checkin M2"; flow:established,to_server; dsize:4; content:"|7c 02 00 00|" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 32725
[102298 - Suricata-Main] 2023-12-23 23:56:49 Info: detect: 2 rule files processed. 32727 rules successfully loaded, 117 rules failed
[102298 - Suricata-Main] 2023-12-23 23:56:49 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[102298 - Suricata-Main] 2023-12-23 23:56:49 Info: detect: 32727 signatures processed. 199 are IP-only rules, 7465 are inspecting packet payload, 24937 inspect application layer, 106 are decoder event only
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.http.rtf.download' is checked but not set. Checked in 2815709 and 10 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 8 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.Multimedia.Download' is checked but not set. Checked in 2827897 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.MP4.Download' is checked but not set. Checked in 2827898 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'OLE.CompoundFile' is checked but not set. Checked in 2815527 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ETPRO.wget.UA' is checked but not set. Checked in 2820973 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.BonitaDefaultCreds' is checked but not set. Checked in 2036817 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.Keitaro1' is checked but not set. Checked in 2831446 and 2 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.PROPFIND' is checked but not set. Checked in 2049438 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.raiffeisenapk' is checked but not set. Checked in 2828074 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ETPRO.w32unknown' is checked but not set. Checked in 2816366 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.genericphish' is checked but not set. Checked in 2850094 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.kumquat' is checked but not set. Checked in 2044067 and 1 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'ET.gadu.loginsent' is checked but not set. Checked in 2008299 and 0 other sigs
[102298 - Suricata-Main] 2023-12-23 23:56:49 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
[102298 - Suricata-Main] 2023-12-23 23:58:18 Info: runmodes: Using 1 live device(s).
[120661 - RX#01-ix0] 2023-12-23 23:58:19 Info: pcap: ix0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[120661 - RX#01-ix0] 2023-12-23 23:58:19 Info: pcap: ix0: snaplen set to 1518
[102298 - Suricata-Main] 2023-12-23 23:58:19 Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1 Engine started.
[120645 - Suricata-IM#01] 2023-12-23 23:58:19 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[120645 - Suricata-IM#01] 2023-12-23 23:58:19 Info: alert-pf: Deleted address <WAN IP> from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:19 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[120645 - Suricata-IM#01] 2023-12-23 23:58:19 Info: alert-pf: Added address <WAN IP> to automatic firewall interface IP Pass List.
[120661 - RX#01-ix0] 2023-12-23 23:58:20 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[120645 - Suricata-IM#01] 2023-12-23 23:58:21 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[120645 - Suricata-IM#01] 2023-12-23 23:58:21 Info: alert-pf: Deleted address <WAN IP> from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:22 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[120645 - Suricata-IM#01] 2023-12-23 23:58:22 Info: alert-pf: Added address <WAN IP> to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:24 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[120645 - Suricata-IM#01] 2023-12-23 23:58:24 Info: alert-pf: Deleted address <WAN IP> from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:24 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[120645 - Suricata-IM#01] 2023-12-23 23:58:24 Info: alert-pf: Added address <WAN IP> to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Deleted address 10.10.6.1 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Added address 10.10.6.1 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Deleted address 10.10.7.1 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:50 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Added address 10.10.7.1 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Added address 10.10.9.1 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[120645 - Suricata-IM#01] 2023-12-23 23:58:51 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:52 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[120645 - Suricata-IM#01] 2023-12-23 23:58:52 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:52 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[120645 - Suricata-IM#01] 2023-12-23 23:58:52 Info: alert-pf: Added address 10.10.10.1 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:52 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[120645 - Suricata-IM#01] 2023-12-23 23:58:52 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Added address 10.10.6.1 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Deleted address 10.10.7.1 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Added address 10.10.7.1 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[120645 - Suricata-IM#01] 2023-12-23 23:58:53 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Deleted address 10.10.9.1 from automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Added address 10.10.9.1 to automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5. 
[120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Deleted address 10.10.10.1 from automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5. [120645 - Suricata-IM#01] 2023-12-23 23:58:54 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:55 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5. [120645 - Suricata-IM#01] 2023-12-23 23:58:55 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:55 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5. [120645 - Suricata-IM#01] 2023-12-23 23:58:55 Info: alert-pf: Added address 10.10.10.1 to automatic firewall interface IP Pass List. [120645 - Suricata-IM#01] 2023-12-23 23:58:55 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5. [120645 - Suricata-IM#01] 2023-12-23 23:58:55 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
-
New information. I just got a block on a lagg from the XG-7100 internal switch. It blocked an internal 10.10.33.2 IP from the lagg0.33 subnet 10.10.33.0/29. I'm just getting debugging enabled and restarting interfaces, but this hit before I was able to.
Default Pass List IPs:
10.10.5.0/24 10.10.5.101/32 10.10.6.0/24 10.10.7.0/24 10.10.8.0/24 10.10.9.0/24 10.10.10.0/24 10.10.11.0/24 10.10.15.0/24 10.10.25.0/24 10.10.31.0/29 10.10.32.0/29 10.10.33.0/29 10.10.34.0/29 10.10.35.0/29 10.10.36.0/29 10.10.37.0/29 10.10.45.0/24 10.10.55.0/24 10.10.60.0/29 <WAN Gateway>/32 fe80:6::/64 fe80:7::/64 fe80:8::/64 fe80:9::/64 fe80:10::/64
Block Log:
12/24/2023-19:05:34.343962 [wDrop] [**] [1:2032981:2] ET SCAN Bing Webcrawler User-Agent (BingBot) [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.70.175.165:55592 -> 10.10.33.2:80
Suricata.log (too large to post without uploading a file):
Suricata_lagg0.33.Block.txt