Netgate Store

Author Topic: No Alerts using Suricata inline mode.  (Read 1368 times)

0 Members and 1 Guest are viewing this topic.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3429
  • Karma: +898/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #15 on: January 24, 2018, 08:50:25 pm »
Suricata using Inline IPS Mode will automatically generate some PASS rules as it emulates the behavior of the default Pass List used with Legacy Mode.  Those rules will be in a file named passlist.rules in this path --

/usr/local/etc/suricata/suricata_xxxxx/rules  where xxxxx will be a random UUID and the physical interface name.

Take a look in that file, or even better, post its contents back here and let me take a look.  I wonder if the code is generating an automatic pass list that is too broad.

Bill

Offline teamits

  • Jr. Member
  • **
  • Posts: 42
  • Karma: +4/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #16 on: January 25, 2018, 10:40:02 am »
passlist.rules is empty in legacy mode.  In inline mode it has:

pass ip 8.8.4.4/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 8.8.4.4/32"; sid:1000001;)
pass ip 10.15.55.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.1/32"; sid:1000002;)
pass ip 10.15.55.42/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.42/32"; sid:1000003;)
pass ip 10.15.55.43 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43"; sid:1000004;)
pass ip 10.15.55.43/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43/32"; sid:1000005;)
pass ip 10.99.99.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.99.99.0/24"; sid:1000006;)
pass ip 64.79.96.148/29 any <> any any (msg:"Pass List Entry - allow all traffic from/to 64.79.96.148/29"; sid:1000007;)
pass ip 72.35.12.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.12.0/24"; sid:1000008;)
pass ip 72.35.23.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.23.0/24"; sid:1000009;)
pass ip 74.122.194.0/25 any <> any any (msg:"Pass List Entry - allow all traffic from/to 74.122.194.0/25"; sid:1000010;)
pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000011;)
pass ip 173.165.105.46 any <> any any (msg:"Pass List Entry - allow all traffic from/to 173.165.105.46"; sid:1000012;)
pass ip 192.162.216.0/22 any <> any any (msg:"Pass List Entry - allow all traffic from/to 192.162.216.0/22"; sid:1000013;)
pass ip 208.70.128.0/21 any <> any any (msg:"Pass List Entry - allow all traffic from/to 208.70.128.0/21"; sid:1000014;)
pass ip ::1/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to ::1/128"; sid:1000015;)
pass ip fe80::21b:21ff:fe24:593/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::21b:21ff:fe24:593/128"; sid:1000016;)
pass ip fe80::225:64ff:feaf:8afd/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::225:64ff:feaf:8afd/128"; sid:1000017;)

10.15.55.0/24 is the WAN side.  .42 is the WAN IP of this router and .43 is a virtual IP on WAN.  The public IPs and one of the 10.15.55.43 entries are from a passlist configured in Suricata.  8.8.4.4 and 10.15.55.1 I think it picks up as DNS servers for this router.  10.99.99.0/24 is our LAN.  10.15.55.1 is the WAN gateway (building router).

Edit: Our dropsid.conf contains:
emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dos,emerging-exploit,emerging-games,emerging-info,emerging-malware,emerging-mobile_malware,emerging-p2p,emerging-policy,emerging-scada,emerging-scan,emerging-shellcode,emerging-tor,emerging-trojan,emerging-user_agents,emerging-web_client,emerging-web_server,emerging-worm,decoder-events,dns-events,GPLv2_community,http-events,smtp-events,tls-events
« Last Edit: January 25, 2018, 10:44:28 am by teamits »

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3429
  • Karma: +898/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #17 on: January 25, 2018, 01:16:08 pm »
passlist.rules is empty in legacy mode.  In inline mode it has:

pass ip 8.8.4.4/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 8.8.4.4/32"; sid:1000001;)
pass ip 10.15.55.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.1/32"; sid:1000002;)
pass ip 10.15.55.42/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.42/32"; sid:1000003;)
pass ip 10.15.55.43 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43"; sid:1000004;)
pass ip 10.15.55.43/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43/32"; sid:1000005;)
pass ip 10.99.99.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.99.99.0/24"; sid:1000006;)
pass ip 64.79.96.148/29 any <> any any (msg:"Pass List Entry - allow all traffic from/to 64.79.96.148/29"; sid:1000007;)
pass ip 72.35.12.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.12.0/24"; sid:1000008;)
pass ip 72.35.23.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.23.0/24"; sid:1000009;)
pass ip 74.122.194.0/25 any <> any any (msg:"Pass List Entry - allow all traffic from/to 74.122.194.0/25"; sid:1000010;)
pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000011;)
pass ip 173.165.105.46 any <> any any (msg:"Pass List Entry - allow all traffic from/to 173.165.105.46"; sid:1000012;)
pass ip 192.162.216.0/22 any <> any any (msg:"Pass List Entry - allow all traffic from/to 192.162.216.0/22"; sid:1000013;)
pass ip 208.70.128.0/21 any <> any any (msg:"Pass List Entry - allow all traffic from/to 208.70.128.0/21"; sid:1000014;)
pass ip ::1/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to ::1/128"; sid:1000015;)
pass ip fe80::21b:21ff:fe24:593/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::21b:21ff:fe24:593/128"; sid:1000016;)
pass ip fe80::225:64ff:feaf:8afd/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::225:64ff:feaf:8afd/128"; sid:1000017;)

10.15.55.0/24 is the WAN side.  .42 is the WAN IP of this router and .43 is a virtual IP on WAN.  The public IPs and one of the 10.15.55.43 entries are from a passlist configured in Suricata.  8.8.4.4 and 10.15.55.1 I think it picks up as DNS servers for this router.  10.99.99.0/24 is our LAN.  10.15.55.1 is the WAN gateway (building router).

Edit: Our dropsid.conf contains:
emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dos,emerging-exploit,emerging-games,emerging-info,emerging-malware,emerging-mobile_malware,emerging-p2p,emerging-policy,emerging-scada,emerging-scan,emerging-shellcode,emerging-tor,emerging-trojan,emerging-user_agents,emerging-web_client,emerging-web_server,emerging-worm,decoder-events,dns-events,GPLv2_community,http-events,smtp-events,tls-events

The passlist.rules file is only generated and used when Inline IPS Mode is active.  Legacy Mode has a completely different process.

Looking at the list I can see that my original logic was flawed in some ways.  The passlist is "too inclusive".  What I was trying to do was re-create the sort of "automatic pass list" process that Legacy Mode has per the request of users.  But the effect with Inline IPS Mode is going to be different.  This is an overly broad pass list.  I should rework it to include maybe only the firewall interface IPs themselves without the network subnets.  What is happening now is the pass list is way too broad and winds up telling Suricata to skip looking at a lot of stuff.

I'm going to back this change out or else completely re-think the logic.  I will do that in the next update.

Bill

Offline teamits

  • Jr. Member
  • **
  • Posts: 42
  • Karma: +4/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #18 on: January 25, 2018, 01:53:12 pm »
So for clarity, does the pass list set under "Networks Suricata Should Inspect and Protect"/Pass List not apply in Inline mode?  Or are you saying that passlist.rules incorporates that, but works in a different way?

viewing our pass list under "Networks Suricata Should Inspect and Protect"/Pass List shows the same list:
8.8.4.4/32
10.15.55.1/32
10.15.55.42/32
10.15.55.43
10.15.55.43/32
10.99.99.0/24
64.79.96.148/29
72.35.12.0/24
72.35.23.0/24
74.122.194.0/25
127.0.0.1/32
173.165.105.46
192.162.216.0/22
208.70.128.0/21
::1/128
fe80::21b:21ff:fe24:593/128
fe80::225:64ff:feaf:8afd/128

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3429
  • Karma: +898/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #19 on: January 25, 2018, 10:32:42 pm »
So for clarity, does the pass list set under "Networks Suricata Should Inspect and Protect"/Pass List not apply in Inline mode?  Or are you saying that passlist.rules incorporates that, but works in a different way?

viewing our pass list under "Networks Suricata Should Inspect and Protect"/Pass List shows the same list:
8.8.4.4/32
10.15.55.1/32
10.15.55.42/32
10.15.55.43
10.15.55.43/32
10.99.99.0/24
64.79.96.148/29
72.35.12.0/24
72.35.23.0/24
74.122.194.0/25
127.0.0.1/32
173.165.105.46
192.162.216.0/22
208.70.128.0/21
::1/128
fe80::21b:21ff:fe24:593/128
fe80::225:64ff:feaf:8afd/128

It's a little "yes" and a little "no" ...  :)

You can create a Pass List now with Inline IPS Mode but the result is a bit different.  With Legacy Mode, you still see alerts on Pass List IP addresses, but they never generate blocks.  This is due to how the custom plugin I wrote operates in conjunction with the packet filter firewall in pfSense.  Inline IPS Mode is different as it is native Suricata code (no customization).  The only way to simulate a pass list like Legacy Mode uses is to generate rules for the IP addresses with PASS as the action.  When Suricata is operating in Inline IPS Mode and encounters a rule with PASS as the action, it does just that -- lets the traffic pass with no inspection and no delay.  This means no alerts show up for pass list traffic when using Inline IPS Mode.

The automatic pass list rules for Inline IPS Mode are to broad in that they let anything go by where the pass list IP is on either end of the connection (source or destination).

Bill

Offline teamits

  • Jr. Member
  • **
  • Posts: 42
  • Karma: +4/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #20 on: April 04, 2018, 10:29:35 am »
Hi Bill, I saw there was a new Suricata package, updated, enabled Inline mode, and am seeing alerts/blocks!  Hooray!

Semi-related to this thread, since we were talking about pass lists, I noticed the Pass List setting was removed for Inline mode.  We had a few external things in there like our anti-spam service and our web server cluster, that we didn't want to block.  Is there still a way to accomplish that?  Or just add to the suppress list as alerts happen?

Thanks,
Steve

Offline teamits

  • Jr. Member
  • **
  • Posts: 42
  • Karma: +4/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #21 on: April 04, 2018, 10:35:29 am »
Never mind, I found the release notes at https://forum.pfsense.org/index.php?topic=145489.0 and even better https://forum.pfsense.org/index.php?topic=145257.msg790339 that discuss pass lists.
« Last Edit: April 04, 2018, 10:41:34 am by teamits »

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3429
  • Karma: +898/-0
    • View Profile
Re: No Alerts using Suricata inline mode.
« Reply #22 on: April 04, 2018, 10:11:04 pm »
Never mind, I found the release notes at https://forum.pfsense.org/index.php?topic=145489.0 and even better https://forum.pfsense.org/index.php?topic=145257.msg790339 that discuss pass lists.

You can use custom PASS rules to create a pass list, but just be careful as I warned in the posts you linked.  It is probably better to watch and either disable the bothersome rules, or use suppress lists and either of the "filter by IP" options that are available when you click the plus sign (+) beside the IP address columns on the ALERTS tab.  Doing it that way allows a rule-by-rule tuning and even limiting that to certain hosts (IP addresses).  Using a pass list is more like using a large hammer when what you really need is a jeweler's screwdriver.  With a PASS rule that filters only on an address, you are potentially exposing the whitelisted host to a lot of malicious stuff.

Bill