Correcting "FREAK Weak Export Suite From Client" Alerts

  • Hey all, I think I only have two more issues and only one for this sub-forum.  I really appreciate all the help so far. :)

    The majority of the alerts I'm getting from Suricata now are "FREAK Weak Export Suite From Client".  Since I'm assuming that I'm the client, is that something that needs to be corrected on the pfSense box?  And if so, would that just be upgrading OpenSSL?

  • What IP addresses are associated with the alerts, and are you running Suricata on the WAN or LAN?  If on the WAN and using NAT, then the only "local" IP shown will be the firewall's WAN IP.  This is because Suricata (and Snort) see inbound traffic before the NAT rules, thus the "LAN-side" IP appears as the firewall's WAN address.  If you run the IDS on the LAN, then all the local IPs will be "correct" in that you will see them in the alerts pre-NAT.

    So taking into account the info above, is one of the IP addresses displaying on the ALERTS tab for the alerts in question actually your firewall or a LAN client?


  • @bmeeks I currently have it running on the WAN.  I have to say that how all of these interfaces "sit" is still a point of confusion for me.  I pretty much get it when there's only one LAN/WAN, but then when you throw in a WIFI interface and a VPN, it starts to get confusing as to how it's all set up.  Sorry for the tangent, but I just want you to understand where I am in my education.

    In all my flipping back and forth between the firewall logs and Suricata, I never noticed that Suricata alerts never had the LAN IP as the source.  They are always the WAN IP.  So, firstly are you saying that I should be running Suricata on the LAN/WIFI/VPN interfaces instead of the WAN?  I'm guessing that way I can see where the actual FREAK vulnerable client lives?

  • Yes, in a NAT situation if you run the IDS on the WAN interface, all the local IPs will just show up as the WAN IP before the NAT happens.  If you run the IDS on the LAN, then the local IPs will be correct because the IDS is seeing them pre-NAT (outbound) and post-NAT (inbound).

    Because of this, many users will run the IDS on the LAN (and any other local interfaces) instead of WAN.  In most situations this does not impact overall protection.  This is what I do on my personal firewall.  I run Snort on the LAN and my DMZ interfaces.  Just for testing purposes I run a tiny handful of IPREP type rules on the WAN.
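A small triage script, added here as an example and not part of the thread: it parses Suricata EVE JSON alert lines (constructed sample records, with a constructed firewall WAN IP) and separates FREAK alerts that can be attributed to a LAN client from those whose source is the firewall's own WAN IP, which is the WAN-side sensor symptom described above.

```python
import json
from collections import Counter

FREAK_SIG = "FREAK Weak Export Suite From Client"
WAN_IP = "203.0.113.10"  # constructed firewall WAN address (TEST-NET-3), not from the post

def _eve(src, dest, sig, iface, event_type="alert"):
    """Build one constructed Suricata EVE JSON line (sample data, not real logs)."""
    rec = {"timestamp": "2015-03-04T10:00:01.000000+0000", "event_type": event_type,
           "in_iface": iface, "src_ip": src, "src_port": 51122,
           "dest_ip": dest, "dest_port": 443, "proto": "TCP"}
    if event_type == "alert":
        rec["alert"] = {"signature": sig, "signature_id": 0,
                        "category": "Potentially Bad Traffic", "severity": 2}
    return json.dumps(rec)

# Constructed sample: two alerts as a WAN-side sensor would log them (source already
# NATed to the WAN IP), three as a LAN-side sensor would (real client addresses), plus noise.
SAMPLE_EVE_LINES = [
    _eve(WAN_IP, "198.51.100.7", FREAK_SIG, "em0"),
    _eve(WAN_IP, "198.51.100.9", FREAK_SIG, "em0"),
    _eve("192.168.1.23", "198.51.100.7", FREAK_SIG, "em1"),
    _eve("192.168.1.23", "198.51.100.9", FREAK_SIG, "em1"),
    _eve("192.168.1.40", "198.51.100.7", FREAK_SIG, "em1"),
    _eve("192.168.1.40", "198.51.100.7", "ET POLICY Some Other Rule", "em1"),
    _eve("192.168.1.40", "198.51.100.7", None, "em1", event_type="flow"),
    "not json at all",
]

def attribute_freak_alerts(eve_lines, wan_ip):
    """Return (per_client, unattributable): FREAK alert counts keyed by LAN client
    IP, and the number of FREAK alerts whose source is the firewall's own WAN IP,
    i.e. post-NAT traffic from which the real client cannot be identified."""
    per_client, unattributable = Counter(), 0
    for line in eve_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort on a damaged file
        if rec.get("event_type") != "alert" or rec.get("alert", {}).get("signature") != FREAK_SIG:
            continue
        if rec.get("src_ip") == wan_ip:
            unattributable += 1  # sensor sat WAN-side; move it to the LAN to see the client
        else:
            per_client[rec["src_ip"]] += 1
    return per_client, unattributable
```

Run against a real eve.json by reading its lines and passing your firewall's WAN address; a non-zero unattributable count means the alerts came from a WAN-side sensor and cannot name the client.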


  • @bmeeks thank you again.  I'm going to give this a shot and report back. :)

  • @bmeeks this is working great and I can see now where the vulnerable client is.  Thank you.
