PfSense-pkg-suricata-3.0_7 – Release Notes


  • This update for the Suricata GUI package addresses the following reported bugs.

    Bug Fixes

    1. Typo in list name parameter results in an inability to see and select custom IP lists for the HOME_NET or EXTERNAL_NET settings on the INTERFACE SETTINGS tab.
    2. Dashboard Suricata Alerts widget not always properly restored following a package reinstall.
    3. An extra text file is leftover in the rules directory following removal of the package.

    Bill


  • Hi Bill,
    I disable Block Offenders (inline mode), and I can't start Suricata.

    suricata.log

    27/4/2016 -- 08:24:13 - <notice>-- This is Suricata version 3.0 RELEASE
    27/4/2016 -- 08:24:13 - <info>-- CPUs/cores online: 4
    27/4/2016 -- 08:24:13 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - No interface found in config for netmap
    

    Thanks!


  • Is the section titled "Networks Suricata Should Inspect and Protect" working for anyone?

    Since moving to 3.X it seems not to be working as before.

    Initially I could not add additional IPs to HOMENET, but it was fixed in this issue.  Now I can assign additional IPs to HOMENET that should not be blocked, visually.
    But when I look at suricata.log I see all default IPs being added to the firewall passlist, but from the "default" in the dropdown, not from the custom list I selected in the dropdown.


  • @pfsenseboonie:

    Is the section titled "Networks Suricata Should Inspect and Protect" working for anyone?

    Since moving to 3.X it seems not to be working as before.

    Initially I could not add additional IPs to HOMENET, but it was fixed in this issue.  Now I can assign additional IPs to HOMENET that should not be blocked, visually.
    But when I look at suricata.log I see all default IPs being added to the firewall passlist, but from the "default" in the dropdown, not from the custom list I selected in the dropdown.

    HOME_NET and Pass Lists are not the same thing in operation.  True that in the GUI you have to create a Pass List and assign it to the Home Net drop-down in order to use a custom HOME_NET, but that is just an artificial construct.  A Pass List is really just a collection of IP addresses.  HOME_NET is a variable used in many rules.  A pass list is never part of a rule.  What you are seeing in the suricata.log is a default action added to Suricata a while back that automatically grabs all of the interface IP addresses on the firewall itself and adds them to an internal and private Pass List to make sure they do not ever get blocked in legacy mode.

    The actual contents of the HOME_NET variable is not logged in the suricata.log file.

    Bill


  • @ntct:

    Hi Bill,
    I disable Block Offenders (inline mode), and I can't start Suricata.

    suricata.log

    27/4/2016 -- 08:24:13 - <notice>-- This is Suricata version 3.0 RELEASE
    27/4/2016 -- 08:24:13 - <info>-- CPUs/cores online: 4
    27/4/2016 -- 08:24:13 - <error>-- [ERRCODE: SC_ERR_INITIALIZATION(45)] - No interface found in config for netmap
    

    Thanks!

    Please post a copy of the suricata.yaml file (or its contents) for the affected interface.

    Never mind about posting your conf file.  I made a dumb mistake and forgot to change the shell script parameters.  Here is a workaround while I get a fix together and thoroughly test it this time …  :-[.

    Go to the INTERFACE SETTINGS tab.  Enable "Block Offenders" and choose Legacy Mode.  Save the change.  Now disable "Block Offenders" and save the change.  That will create a startup script that is formatted without the Netmap option.  The issue is that the command line parameters for the Suricata binary are different for Netmap enabled versus Netmap disabled, and I forgot to account for that in my quick fix for another issue.

    Thanks,
    Bill


  • @bmeeks:

    @pfsenseboonie:

    Is the section titled "Networks Suricata Should Inspect and Protect" working for anyone?

    Since moving to 3.X it seems not to be working as before.

    Initially I could not add additional IPs to HOMENET, but it was fixed in this issue.  Now I can assign additional IPs to HOMENET that should not be blocked, visually.
    But when I look at suricata.log I see all default IPs being added to the firewall passlist, but from the "default" in the dropdown, not from the custom list I selected in the dropdown.

    HOME_NET and Pass Lists are not the same thing in operation.  True that in the GUI you have to create a Pass List and assign it to the Home Net drop-down in order to use a custom HOME_NET, but that is just an artificial construct.  A Pass List is really just a collection of IP addresses.  HOME_NET is a variable used in many rules.  A pass list is never part of a rule.  What you are seeing in the suricata.log is a default action added to Suricata a while back that automatically grabs all of the interface IP addresses on the firewall itself and adds them to an internal and private Pass List to make sure they do not ever get blocked in legacy mode.

    The actual contents of the HOME_NET variable is not logged in the suricata.log file.

    Bill

    Ok
    I have a VPN which hands out some OpenVPN routed IPs.  The firewall/Suricata cannot see this IP, so I created a list under Pass List called home_net and added it from the drop-down to the HOMENET field.

    I have a mailserver that I want never to be blocked.  It's external.
    I created a second passlist and assigned it from the drop-down to the Pass List field.

    Is this the correct way to do it?


  • @pfsenseboonie:

    @bmeeks:

    @pfsenseboonie:

    Is the section titled "Networks Suricata Should Inspect and Protect" working for anyone?

    Since moving to 3.X it seems not to be working as before.

    Initially I could not add additional IPs to HOMENET, but it was fixed in this issue.  Now I can assign additional IPs to HOMENET that should not be blocked, visually.
    But when I look at suricata.log I see all default IPs being added to the firewall passlist, but from the "default" in the dropdown, not from the custom list I selected in the dropdown.

    HOME_NET and Pass Lists are not the same thing in operation.  True that in the GUI you have to create a Pass List and assign it to the Home Net drop-down in order to use a custom HOME_NET, but that is just an artificial construct.  A Pass List is really just a collection of IP addresses.  HOME_NET is a variable used in many rules.  A pass list is never part of a rule.  What you are seeing in the suricata.log is a default action added to Suricata a while back that automatically grabs all of the interface IP addresses on the firewall itself and adds them to an internal and private Pass List to make sure they do not ever get blocked in legacy mode.

    The actual contents of the HOME_NET variable is not logged in the suricata.log file.

    Bill

    Ok
    I have a VPN which hands out some OpenVPN routed IPs.  The firewall/Suricata cannot see this IP, so I created a list under Pass List called home_net and added it from the drop-down to the HOMENET field.

    I have a mailserver that I want never to be blocked.  It's external.
    I created a second passlist and assigned it from the drop-down to the Pass List field.

    Is this the correct way to do it?

    Yep, that is the correct way with one small caveat for the new inline IPS mode.  Inline IPS mode has no concept of the Pass List as it was used in the Legacy Mode.  If you are using inline IPS mode and want particular external hosts (meaning any IP that is not a local firewall interface) to not be blocked (dropped), you will need to use the IP Reputation stuff and an IP Whitelist there.  I need to get around to creating some new documentation for that area.

    Bill
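    To illustrate the IP Reputation whitelist Bill points to for inline IPS mode, here is an added example (not code from the package or from Bill's post) that models upstream Suricata's iprep mechanism: a categories file, a reputation list, and the matching logic of a pass rule that uses iprep:any,whitelist,>,10.  It assumes the upstream file formats and keyword syntax; the lookup is a simplified model (most specific entry wins) rather than Suricata's own code, and the IP addresses are constructed.

```python
import ipaddress

# Constructed sample files in upstream Suricata's iprep formats (assumption:
# the pfSense package hands Suricata files of this shape for its IP Whitelist).
CATEGORIES_TXT = """\
# id,short name,description
1,whitelist,External hosts that must never be dropped
"""
REPUTATION_LIST = """\
# ip-or-cidr,category id,score 0-127
203.0.113.25,1,127
198.51.100.0/24,1,100
"""
# Parameters of: pass ip any any -> any any (iprep:any,whitelist,>,10; ...)
PASS_RULE_IPREP = ("any", "whitelist", ">", 10)

def data_lines(text):
    return [l.split(",", 2) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def parse_categories(text):
    """Map category short name -> numeric id."""
    return {name: int(cid) for cid, name, _desc in data_lines(text)}

def parse_reputation(text):
    """List of (network, category id, score)."""
    return [(ipaddress.ip_network(net, strict=False), int(cid), int(score))
            for net, cid, score in data_lines(text)]

def score_for(ip, cid, entries):
    """Score of the most specific entry covering ip in category cid, else None."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, s) for n, c, s in entries if c == cid and addr in n]
    return max(hits)[1] if hits else None

def iprep_match(src, dst, side, cat, op, threshold, cats, entries):
    """Evaluate iprep:<side>,<cat>,<op>,<threshold> against one flow."""
    ops = {"<": lambda s: s < threshold, ">": lambda s: s > threshold,
           "=": lambda s: s == threshold}
    def hit(ip):
        s = score_for(ip, cats[cat], entries)
        return s is not None and ops[op](s)
    ips = {"src": [src], "dst": [dst], "any": [src, dst], "both": [src, dst]}[side]
    return all(map(hit, ips)) if side == "both" else any(map(hit, ips))

def would_pass(src, dst):
    """True when the whitelist pass rule fires for this src/dst pair."""
    cats, entries = parse_categories(CATEGORIES_TXT), parse_reputation(REPUTATION_LIST)
    return iprep_match(src, dst, *PASS_RULE_IPREP, cats, entries)
```

    Hosts listed only in a Legacy Mode Pass List get no such treatment in inline mode; only hosts present in the reputation list with a score above the rule's threshold are passed.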


  • Thanks!
    Yes still in legacy mode until, I fully understand how the inline works.


  • Wishlist Item

    When listing internal IPs in the alerts tab, it uses the real IP and not the IP of the external pfSense interface.

    For example…
    client = 1.2.3.4
    router external iface = 2.2.3.4
    ISP modem = 2.2.3.1

    Ping from any client to the ISP modem.
    In the alerts log it would be DST = 2.2.3.1 and SRC = 2.2.3.4


  • @pfsenseboonie:

    Wishlist Item

    When listing internal IPs in the alerts tab, it uses the real IP and not the IP of the external pfSense interface.

    For example…
    client = 1.2.3.4
    router external iface = 2.2.3.4
    ISP modem = 2.2.3.1

    Ping from any client to the ISP modem.
    In the alerts log it would be DST = 2.2.3.1 and SRC = 2.2.3.4

    Running Suricata (or Snort) on the WAN means the sensor sees inbound traffic before any NAT rules have applied, and outbound traffic after NAT rules have been applied.  Either way internal hosts are generally not visible if you use NAT and have Suricata or Snort on the WAN.  The solution to this problem is to run the sensor on your LAN interface(s) and not the WAN when using NAT.

    Bill