
Author Topic: No Alerts using Suricata inline mode.  (Read 748 times)


bmeeks
Re: No Alerts using Suricata inline mode.
« Reply #15 on: January 24, 2018, 08:50:25 pm »
Suricata using Inline IPS Mode will automatically generate some PASS rules as it emulates the behavior of the default Pass List used with Legacy Mode.  Those rules will be in a file named passlist.rules in this path --

/usr/local/etc/suricata/suricata_xxxxx/rules  where xxxxx will be a random UUID and the physical interface name.

Take a look in that file, or even better, post its contents back here and let me take a look.  I wonder if the code is generating an automatic pass list that is too broad.

Bill

teamits
Re: No Alerts using Suricata inline mode.
« Reply #16 on: January 25, 2018, 10:40:02 am »
passlist.rules is empty in legacy mode.  In inline mode it has:

pass ip 8.8.4.4/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 8.8.4.4/32"; sid:1000001;)
pass ip 10.15.55.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.1/32"; sid:1000002;)
pass ip 10.15.55.42/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.42/32"; sid:1000003;)
pass ip 10.15.55.43 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43"; sid:1000004;)
pass ip 10.15.55.43/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43/32"; sid:1000005;)
pass ip 10.99.99.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.99.99.0/24"; sid:1000006;)
pass ip 64.79.96.148/29 any <> any any (msg:"Pass List Entry - allow all traffic from/to 64.79.96.148/29"; sid:1000007;)
pass ip 72.35.12.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.12.0/24"; sid:1000008;)
pass ip 72.35.23.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 72.35.23.0/24"; sid:1000009;)
pass ip 74.122.194.0/25 any <> any any (msg:"Pass List Entry - allow all traffic from/to 74.122.194.0/25"; sid:1000010;)
pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000011;)
pass ip 173.165.105.46 any <> any any (msg:"Pass List Entry - allow all traffic from/to 173.165.105.46"; sid:1000012;)
pass ip 192.162.216.0/22 any <> any any (msg:"Pass List Entry - allow all traffic from/to 192.162.216.0/22"; sid:1000013;)
pass ip 208.70.128.0/21 any <> any any (msg:"Pass List Entry - allow all traffic from/to 208.70.128.0/21"; sid:1000014;)
pass ip ::1/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to ::1/128"; sid:1000015;)
pass ip fe80::21b:21ff:fe24:593/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::21b:21ff:fe24:593/128"; sid:1000016;)
pass ip fe80::225:64ff:feaf:8afd/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to fe80::225:64ff:feaf:8afd/128"; sid:1000017;)

10.15.55.0/24 is the WAN side.  .42 is the WAN IP of this router and .43 is a virtual IP on WAN.  The public IPs and one of the 10.15.55.43 entries are from a passlist configured in Suricata.  8.8.4.4 and 10.15.55.1 I think it picks up as DNS servers for this router.  10.99.99.0/24 is our LAN.  10.15.55.1 is the WAN gateway (building router).

Edit: Our dropsid.conf contains:
emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dos,emerging-exploit,emerging-games,emerging-info,emerging-malware,emerging-mobile_malware,emerging-p2p,emerging-policy,emerging-scada,emerging-scan,emerging-shellcode,emerging-tor,emerging-trojan,emerging-user_agents,emerging-web_client,emerging-web_server,emerging-worm,decoder-events,dns-events,GPLv2_community,http-events,smtp-events,tls-events
« Last Edit: January 25, 2018, 10:44:28 am by teamits »

bmeeks
Re: No Alerts using Suricata inline mode.
« Reply #17 on: January 25, 2018, 01:16:08 pm »
The passlist.rules file is only generated and used when Inline IPS Mode is active.  Legacy Mode has a completely different process.

Looking at the list I can see that my original logic was flawed in some ways.  The passlist is "too inclusive".  What I was trying to do was re-create the sort of "automatic pass list" process that Legacy Mode has per the request of users.  But the effect with Inline IPS Mode is going to be different.  This is an overly broad pass list.  I should rework it to include maybe only the firewall interface IPs themselves without the network subnets.  What is happening now is the pass list is way too broad and winds up telling Suricata to skip looking at a lot of stuff.

I'm going to back this change out or else completely re-think the logic.  I will do that in the next update.

Bill

teamits
Re: No Alerts using Suricata inline mode.
« Reply #18 on: January 25, 2018, 01:53:12 pm »
So for clarity, does the pass list set under "Networks Suricata Should Inspect and Protect"/Pass List not apply in Inline mode?  Or are you saying that passlist.rules incorporates that, but works in a different way?

viewing our pass list under "Networks Suricata Should Inspect and Protect"/Pass List shows the same list:
8.8.4.4/32
10.15.55.1/32
10.15.55.42/32
10.15.55.43
10.15.55.43/32
10.99.99.0/24
64.79.96.148/29
72.35.12.0/24
72.35.23.0/24
74.122.194.0/25
127.0.0.1/32
173.165.105.46
192.162.216.0/22
208.70.128.0/21
::1/128
fe80::21b:21ff:fe24:593/128
fe80::225:64ff:feaf:8afd/128

bmeeks
Re: No Alerts using Suricata inline mode.
« Reply #19 on: January 25, 2018, 10:32:42 pm »
It's a little "yes" and a little "no" ...  :)

You can create a Pass List now with Inline IPS Mode but the result is a bit different.  With Legacy Mode, you still see alerts on Pass List IP addresses, but they never generate blocks.  This is due to how the custom plugin I wrote operates in conjunction with the packet filter firewall in pfSense.  Inline IPS Mode is different as it is native Suricata code (no customization).  The only way to simulate a pass list like Legacy Mode uses is to generate rules for the IP addresses with PASS as the action.  When Suricata is operating in Inline IPS Mode and encounters a rule with PASS as the action, it does just that -- lets the traffic pass with no inspection and no delay.  This means no alerts show up for pass list traffic when using Inline IPS Mode.

The automatic pass list rules for Inline IPS Mode are too broad in that they let anything go by where the pass list IP is on either end of the connection (source or destination).

Bill
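The two points Bill makes in Reply #17 and Reply #19 (whole subnets in the generated pass list, and a PASS rule with `<>` and `any` on the far side skipping inspection whenever the listed address is on either end) can be checked mechanically against a passlist.rules file. The script below is an added example and is not code from the pfSense Suricata package or from anyone in this thread. It parses rules of the exact shape shown in Reply #16, reports every entry that is a subnet rather than a single host, finds the same host written with and without /32, counts how many rules apply regardless of direction, and emits the narrower list Bill proposes: only the firewall's own interface addresses. The sample rule set is a constructed subset of the file posted in Reply #16; the interface-IP list, the replacement `msg` text and the SID base are assumptions for the demonstration.

```python
"""Audit a Suricata inline-mode passlist.rules file for over-broad PASS rules.

Added example, not code from the pfSense Suricata package.  Everything below
operates offline on a constructed sample taken from the thread.
"""
import ipaddress
import re
from typing import Dict, List

# Matches the generated rule shape: pass ip <net> <port> <dir> <net> <port> (<options>)
RULE_RE = re.compile(
    r'^pass\s+ip\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)')

# Constructed sample: a subset of the passlist.rules contents posted in the thread.
SAMPLE_RULES = """\
pass ip 8.8.4.4/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 8.8.4.4/32"; sid:1000001;)
pass ip 10.15.55.42/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.42/32"; sid:1000003;)
pass ip 10.15.55.43 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43"; sid:1000004;)
pass ip 10.15.55.43/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.15.55.43/32"; sid:1000005;)
pass ip 10.99.99.0/24 any <> any any (msg:"Pass List Entry - allow all traffic from/to 10.99.99.0/24"; sid:1000006;)
pass ip 127.0.0.1/32 any <> any any (msg:"Pass List Entry - allow all traffic from/to 127.0.0.1/32"; sid:1000011;)
pass ip ::1/128 any <> any any (msg:"Pass List Entry - allow all traffic from/to ::1/128"; sid:1000015;)
"""


def parse_rules(text: str) -> List[Dict]:
    """Parse pass rules into dicts; blank, comment and non-matching lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        sid_m = SID_RE.search(m.group("opts"))
        # strict=False: Suricata tolerates host bits set under the mask (the posted
        # 64.79.96.148/29 is really the block 64.79.96.144/29), so tolerate it here too.
        net = ipaddress.ip_network(m.group("src"), strict=False)
        rules.append({
            "sid": int(sid_m.group(1)) if sid_m else None,
            "net": net,
            "dir": m.group("dir"),
            "dst": m.group("dst"),
            "raw": line,
        })
    return rules


def audit(rules: List[Dict]) -> Dict[str, list]:
    """Flag what makes a generated pass list 'too inclusive'."""
    subnets, dupes, either_end = [], [], []
    first_sid_for_host = {}
    for r in rules:
        net = r["net"]
        if net.prefixlen < net.max_prefixlen:
            # A whole network, not a single host: every address in it bypasses inspection.
            subnets.append((r["sid"], str(net), net.num_addresses))
        else:
            host = net.network_address
            if host in first_sid_for_host:
                dupes.append((first_sid_for_host[host], r["sid"], str(host)))
            else:
                first_sid_for_host[host] = r["sid"]
        if r["dir"] == "<>" and r["dst"] == "any":
            # Bidirectional with 'any' on the far side: passes whether the address is src or dst.
            either_end.append(r["sid"])
    return {"subnets": subnets, "duplicate_hosts": dupes, "pass_either_end": either_end}


def tighten(rules: List[Dict], interface_ips: List[str], sid_base: int = 1000001) -> List[str]:
    """Rebuild the pass list keeping only the firewall's own interface addresses (assumed list),
    as single hosts, deduplicated, with fresh sequential SIDs (assumed base)."""
    own = {ipaddress.ip_address(ip) for ip in interface_ips}
    out, emitted = [], set()
    for r in rules:
        net = r["net"]
        if net.prefixlen != net.max_prefixlen:
            continue  # drop subnets outright
        host = net.network_address
        if host not in own or host in emitted:
            continue  # drop DNS servers, gateways, LAN ranges, and repeated hosts
        emitted.add(host)
        out.append(
            f'pass ip {net.with_prefixlen} any <> any any '
            f'(msg:"Pass List Entry - firewall interface {host}"; sid:{sid_base + len(out)};)'
        )
    return out


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    report = audit(parsed)
    for sid, net, count in report["subnets"]:
        print(f"sid {sid}: {net} lets {count} addresses pass uninspected")
    for a, b, host in report["duplicate_hosts"]:
        print(f"sids {a} and {b} both cover the single host {host}")
    print(f"{len(report['pass_either_end'])} of {len(parsed)} rules pass in either direction")
    print("\n".join(tighten(parsed, ["10.15.55.42", "10.15.55.43", "127.0.0.1", "::1"])))
```

Run it against the real file (`/usr/local/etc/suricata/suricata_<uuid>_<if>/rules/passlist.rules` on the firewall) by replacing `SAMPLE_RULES` with the file's contents; anything it reports under `subnets` is a range whose traffic Suricata never looks at while in Inline IPS Mode, which is the behaviour described in Reply #19.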