Intrusion Prevention System (Suricata) completely blocks my external network connection !

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » July 18th, 2019, 8:00 am

Arne.F wrote:
July 18th, 2019, 6:40 am
The "policy" rules are intended to detect traffic from LAN to WAN that comes from certain programs (based on the user-agent string).
This connection runs via the proxy, so you see only the firewall as source.

If you don't want to block local programs you should disable the matching "policy" rules.
Hi Arne.F,
We use IPFire 2.23 (x86_64) - Core Update 134. We only filter the "Red" interface (WAN) with Suricata.

If I understand correctly, the reason why our external IP address appears as "Source" is because it is our Squid proxy that makes the request.

I cannot whitelist our external IP address because I might miss a possible problem on our network. So I have to deal with the rules one by one when the blockage occurs...

So I don't understand whether only the source is covered by the whitelist, or both source and destination?

Thanks

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » July 18th, 2019, 9:06 am

Another strange thing I see in the logs.

As we can see below:

Code:

...
...
07/18/2019-10:55:02.528357  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:36608 -> 52.138.148.89:80
07/18/2019-10:55:19.743054  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 124.202.173.42:59245 -> 9X.2X5.XXX.X46:1433
07/18/2019-10:55:22.753472  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 124.202.173.42:59245 -> 9X.2X5.XXX.X46:1433
07/18/2019-10:55:34.429391  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:41120 -> 52.138.148.89:80
07/18/2019-10:56:06.408796  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:45568 -> 52.138.148.89:80
07/18/2019-10:56:29.983104  [Drop] [**] [1:2402000:5238] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.108.67.107:43084 -> 9X.2X5.XXX.X46:8872
07/18/2019-10:56:38.429081  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:49850 -> 52.138.148.89:80
07/18/2019-10:57:10.479179  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:54456 -> 52.138.148.89:80
07/18/2019-10:57:42.432553  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:58748 -> 52.138.148.89:80
...
...
...our external IP address (9X.2X5.XXX.X46) appears again as "Source" and is dropped, except that this time, with the rule concerned (ET INFO Windows OS Submitting USB Metadata to Microsoft), I do not notice any Internet outage!

I don't understand!... because if that's the problem... I should have noticed a break in our network like the times before!

Which brings me to the next question... is there a time lag between the trace of the DROP that appears in the log and the actual application of this DROP on the network?

Also, does the priority assigned to traffic affect the way it is "dropped"?

Thanks

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » July 18th, 2019, 10:21 am

Another example:

Code:

...
...
07/18/2019-12:08:54.487561  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:53546 -> 2.16.186.58:80
07/18/2019-12:10:54.740668  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:60348 -> 2.16.186.83:80
07/18/2019-12:12:26.038624  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:53368 -> 2.16.186.58:80
07/18/2019-12:12:26.088578  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:42896 -> 104.123.50.121:80
07/18/2019-12:12:54.911559  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:57412 -> 2.16.186.58:80
07/18/2019-12:14:26.282564  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:38944 -> 104.123.50.67:80
07/18/2019-12:14:26.282976  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:40250 -> 104.123.50.16:80
07/18/2019-12:16:26.489302  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:40018 -> 2.16.186.57:80
07/18/2019-12:16:26.568342  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 9X.2X5.XXX.X46:58622 -> 2.16.186.58:80
...
...
...It's 12:20 AM and our network is still operational for the moment!

Thanks

Arne.F
Core Developer
Posts: 8449
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by Arne.F » July 18th, 2019, 10:23 am

Normally there should be no outage at all. It should drop only the connection that matches the rule, but if this is initiated by the DNS resolver it may look like a complete outage, because nearly all services need DNS before they can make the main connection.
Arne

Support the project on the donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
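Arne.F's answer is that a drop only removes the one matching flow, and that it looks like a total outage when that flow is the resolver's own query. The bash script below is an added example, not code from the thread or from IPFire/Suricata: it summarises the [Drop] lines of a Suricata fast.log per rule and marks the drops where the firewall itself is the source and the destination port is 53, that is, its own outbound DNS queries, which are the ones to check against the whitelist first. The firewall address, the log path and the sample lines (constructed from the format posted above, with the masked address kept as posted) are assumptions. The rule priority that the earlier post asks about is only metadata on the alert; it does not change whether the packet is dropped.

```shell
#!/bin/bash
# Added example (not from the thread, not IPFire/Suricata code): summarise the
# [Drop] lines of a Suricata fast.log per rule and mark which drops hit the
# firewall's own outbound DNS queries. A drop only removes the matching flow,
# but when that flow is the resolver's query every other service fails with it.
# FW_IP is the firewall's RED address (assumed; here the masked one the poster
# used).

FW_IP="${FW_IP:-9X.2X5.XXX.X46}"

# summarise_drops FW_IP: reads fast.log lines on stdin and prints, per rule,
#   <count> <sid> <direction> <DNS|-> <rule message>
# direction is "out" when FW_IP is the source, "in" when it is the destination.
summarise_drops() {
  awk -v fw="$1" '
    /\[Drop\]/ {
      n = split($0, part, /\[\*\*\] /)          # part[2] = "[gid:sid:rev] message "
      if (n < 3) next
      id = part[2]; sub(/\].*/, "", id); sub(/^\[/, "", id)
      split(id, gsr, ":")                       # gid, sid, rev
      msg = part[2]; sub(/^\[[^]]*\] /, "", msg); sub(/ +$/, "", msg)
      split($(NF - 2), src, ":"); split($NF, dst, ":")   # "ip:port" either side of "->"
      dir  = (src[1] == fw) ? "out" : (dst[1] == fw ? "in" : "other")
      flag = (dst[2] == "53") ? "DNS" : "-"
      count[gsr[2] " " dir " " flag " " msg]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2n
}

# outbound_dns_drops FW_IP: how many dropped packets were the firewall's own
# DNS queries; this should be zero if the resolvers are really whitelisted.
outbound_dns_drops() {
  summarise_drops "$1" | awk '$3 == "out" && $4 == "DNS" { s += $1 } END { print s + 0 }'
}

# Constructed sample in the thread's format (masked address kept as posted).
SAMPLE_LOG='07/18/2019-10:55:02.528357  [Drop] [**] [1:2025275:1] ET INFO Windows OS Submitting USB Metadata to Microsoft [**] [Classification: Misc activity] [Priority: 3] {TCP} 9X.2X5.XXX.X46:36608 -> 52.138.148.89:80
07/18/2019-10:55:19.743054  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 124.202.173.42:59245 -> 9X.2X5.XXX.X46:1433
07/18/2019-12:36:10.641084  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:51197 -> 103.247.37.37:53
07/18/2019-12:36:10.711225  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:35025 -> 103.247.37.37:53'

case "${1:-}" in
  --file)  # real log, e.g. --file /var/log/suricata/fast.log (assumed path)
    summarise_drops "$FW_IP" < "$2" ;;
  *)       # no argument: run on the constructed sample
    printf '%s\n' "$SAMPLE_LOG" | summarise_drops "$FW_IP"
    echo "outbound DNS drops: $(printf '%s\n' "$SAMPLE_LOG" | outbound_dns_drops "$FW_IP")" ;;
esac
```

Run without arguments it prints the summary of the sample (the Xiaomi DNS rule comes first, marked "out DNS"); with `--file` it reads a real fast.log. Any non-zero "out DNS" count means the firewall's own resolver traffic is being dropped despite the whitelist, which is exactly the case Arne.F describes.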

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » July 18th, 2019, 10:43 am

Re,

OK...thanks Arne.F for your reply.

So the problem seems to be moving towards the DNS. However, traffic involving our resolvers should not be blocked, since I have put the 2 DNSfilter servers on a whitelist :(

Thanks

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » July 18th, 2019, 10:57 am

While I was writing the post above I received DROPs again on our DNS servers:

Code:

07/18/2019-12:36:10.641084  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:51197 -> 103.247.37.37:53
07/18/2019-12:36:10.711225  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:35025 -> 103.247.37.37:53
07/18/2019-12:36:10.781340  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:60015 -> 103.247.36.36:53
07/18/2019-12:36:10.831761  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:21370 -> 103.247.36.36:53
07/18/2019-12:36:10.881890  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:5907 -> 103.247.37.37:53
07/18/2019-12:36:11.022151  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:36512 -> 103.247.37.37:53
07/18/2019-12:36:11.162455  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:61840 -> 103.247.37.37:53
07/18/2019-12:36:11.445786  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:18647 -> 103.247.37.37:53
07/18/2019-12:36:11.726257  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:25216 -> 103.247.36.36:53
07/18/2019-12:36:11.776370  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:46967 -> 103.247.36.36:53
07/18/2019-12:36:11.826637  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:36495 -> 103.247.37.37:53
07/18/2019-12:36:11.899956  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:32225 -> 103.247.37.37:53
07/18/2019-12:36:11.972373  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:41004 -> 103.247.37.37:53
07/18/2019-12:36:12.116685  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:57739 -> 103.247.37.37:53
07/18/2019-12:36:12.259262  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:11891 -> 103.247.36.36:53
07/18/2019-12:36:12.359437  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:24830 -> 103.247.36.36:53
07/18/2019-12:36:12.459643  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:16926 -> 103.247.36.36:53
07/18/2019-12:36:12.662926  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:33371 -> 103.247.36.36:53
07/18/2019-12:36:12.716050  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:21695 -> 103.247.36.36:53
07/18/2019-12:36:12.816191  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:31007 -> 103.247.36.36:53
07/18/2019-12:36:12.866467  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:56915 -> 103.247.36.36:53
07/18/2019-12:36:12.967968  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:25439 -> 103.247.36.36:53
07/18/2019-12:36:13.066937  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:24925 -> 103.247.37.37:53
07/18/2019-12:36:13.137195  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:14157 -> 103.247.37.37:53
07/18/2019-12:36:13.207325  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:23148 -> 103.247.37.37:53
07/18/2019-12:36:13.347596  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:37595 -> 103.247.37.37:53
07/18/2019-12:36:19.078333  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:57186 -> 103.247.37.37:53
07/18/2019-12:36:19.139456  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:40591 -> 103.247.37.37:53
07/18/2019-12:36:19.202900  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:42896 -> 103.247.36.36:53
07/18/2019-12:36:19.313312  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:16086 -> 103.247.36.36:53
07/18/2019-12:36:19.422909  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:45928 -> 103.247.36.36:53
07/18/2019-12:36:19.639369  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:24028 -> 103.247.36.36:53
07/18/2019-12:36:19.856409  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:45441 -> 103.247.37.37:53
07/18/2019-12:36:19.980766  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:65322 -> 103.247.37.37:53
07/18/2019-12:36:20.103932  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:62465 -> 103.247.37.37:53
07/18/2019-12:36:20.350022  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:31442 -> 103.247.37.37:53
07/18/2019-12:36:20.412756  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:27795 -> 103.247.37.37:53
07/18/2019-12:36:20.537025  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:52991 -> 103.247.37.37:53
07/18/2019-12:36:20.659373  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:51177 -> 103.247.37.37:53
07/18/2019-12:36:20.905833  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:49673 -> 103.247.37.37:53
07/18/2019-12:36:21.152279  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:43867 -> 103.247.36.36:53
07/18/2019-12:36:21.256594  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:35581 -> 103.247.36.36:53
07/18/2019-12:36:21.360933  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:14869 -> 103.247.36.36:53
07/18/2019-12:36:21.564793  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:56722 -> 103.247.36.36:53
07/18/2019-12:36:21.773363  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:36576 -> 103.247.36.36:53
07/18/2019-12:36:21.933629  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:63999 -> 103.247.36.36:53
07/18/2019-12:36:22.094038  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:28466 -> 103.247.36.36:53
07/18/2019-12:36:22.409855  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:56473 -> 103.247.36.36:53
07/18/2019-12:36:22.726904  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:35626 -> 103.247.37.37:53
07/18/2019-12:36:23.046329  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:9451 -> 103.247.37.37:53
07/18/2019-12:36:23.315932  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:62115 -> 103.247.36.36:53
07/18/2019-12:36:23.436109  [Drop] [**] [1:2018918:2] ET POLICY possible Xiaomi phone data leakage DNS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 9X.2X5.XXX.X46:37412 -> 103.247.36.36:53
07/18/2019-12:37:19.869073  [Drop] [**] [1:2403365:50618] ET CINS Active Threat Intelligence Poor Reputation IP group 66 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 66.240.205.34:28693 -> 9X.2X5.XXX.X46:4664
07/18/2019-12:38:16.857034  [Drop] [**] [1:2402000:5238] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 193.106.29.106:52974 -> 9X.2X5.XXX.X46:3513
07/18/2019-12:41:11.151532  [Drop] [**] [1:2403386:50618] ET CINS Active Threat Intelligence Poor Reputation IP group 87 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 82.221.128.73:61000 -> 9X.2X5.XXX.X46:15322
07/18/2019-12:42:39.537802  [Drop] [**] [1:2402000:5238] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.108.67.108:23984 -> 9X.2X5.XXX.X46:3566
07/18/2019-12:43:37.652324  [Drop] [**] [1:2403369:50618] ET CINS Active Threat Intelligence Poor Reputation IP group 70 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 71.6.199.23:29011 -> 9X.2X5.XXX.X46:25105
...but for the moment... no Internet outages.

I don't understand!

Thanks

Arne.F
Core Developer
Posts: 8449
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by Arne.F » July 18th, 2019, 11:06 am

DNSfilter is not DNSSEC-aware (it strips the RRSIG records), so IPFire will reject it and fall back to the local recursor and ask the DNS root servers.
Arne

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » August 13th, 2019, 7:23 am

Hi Arne.F,

Sorry for my delay in responding, I have been on holiday ;)
I use Core Update 134.

I also informed the DNSFilter support team and they made some changes on their side and asked me to do some more tests. So I reactivated Suricata and I'm watching.
I will keep you informed ;)

Thanks

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » August 26th, 2019, 7:41 am

Hi everybody,

I spotted strange logs from Unbound a few minutes before a new Internet access problem related to DNS (ping on IP OK, but no longer possible to resolve names).
Here is what I have seen:

Code:

...
...
Aug 23 10:48:48 myfirewall unbound: [30495:0] info: validation failure local. SOA IN
Aug 23 10:48:53 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6024?1??162.125.68.1?. A IN
Aug 23 10:48:54 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6023?1??162.125.67.1?. A IN
...
...
Aug 23 10:48:55 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6019?1??162.125.4.1?. A IN
Aug 23 10:48:56 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6022?1??162.125.66.1?. A IN
...
...
Aug 23 10:48:57 myfirewall unbound: [30495:0] info: validation failure ?2620?100?601f?1??162.125.9.1?. A IN
Aug 23 10:48:58 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6025?1??162.125.69.1?. A IN
...
...
Aug 23 10:48:59 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6020?1??162.125.64.1?. A IN
Aug 23 10:49:00 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6021?1??162.125.65.1?. A IN
Aug 23 10:49:01 myfirewall unbound: [30495:1] info: validation failure ?2620?100?601c?1??162.125.6.1?. A IN
Aug 23 10:49:02 myfirewall unbound: [30495:0] info: validation failure ?2620?100?601b?1??162.125.8.1?. A IN
Aug 23 10:49:05 myfirewall unbound: [30495:0] info: validation failure ?2620?100?601d?1??162.125.5.1?. A IN
...
...
Aug 23 10:49:06 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6026?1??162.125.70.1?. A IN
Aug 23 10:49:07 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6032?1??162.125.82.1?. A IN
...
...
Aug 23 10:49:08 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6017?1??162.125.2.1?. A IN
Aug 23 10:49:09 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6030?1??162.125.80.1?. A IN
Aug 23 10:49:10 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6018?1??162.125.3.1?. A IN
Aug 23 10:49:11 myfirewall unbound: [30495:0] info: validation failure ?2620?100?6028?1??162.125.71.1?. A IN
Aug 23 10:49:12 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6016?1??162.125.1.1?. A IN
...
...
Aug 23 10:49:13 myfirewall unbound: [30495:1] info: validation failure ?2620?100?6031?1??162.125.81.1?. A IN
Aug 23 10:49:14 myfirewall unbound: [30495:0] info: validation failure ?2620?100?601a?1??162.125.7.1?. A IN
...
...

Wouldn't these weird entries make Unbound crash?

...because after I restarted Unbound, everything went back to normal... and the Internet access was back online!

Thanks

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » September 10th, 2019, 1:51 pm

Hi everybody,

Does anyone have any idea where these strange entries in the Unbound log above can come from?

I'm trying to understand if this could be the cause of my DNS problems... and therefore of the Internet being inaccessible? Could these entries cause an Unbound crash?

So, regarding Suricata, could it, for one reason or another, block DNS traffic and crash Unbound?

I had to create a bash script to monitor the connectivity and automatically start Suricata, then if that's not enough Unbound, and finally if that's not enough the RED network interface!

In most cases, restarting Suricata is enough... it's strange, isn't it?

Also I noticed in the interface for the DNSSEC status, in the rDNS column, it says "Reverse lookup failed" for my 2 DNS servers!
(screenshot: Capture d’écran_2019-09-10_15-56-54.png)
Could this also be the cause of my cuts?

Many thanks

JonM
Posts: 131
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by JonM » September 10th, 2019, 4:17 pm

@tikok974 - you may want to read through these threads. It looks like the IPFire Devs are discussing issues with the Suricata Team.

Suricata causes massive packet loss
https://lists.ipfire.org/pipermail/deve ... 06244.html

Testing report regarding image
https://lists.ipfire.org/pipermail/deve ... 06273.html

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » September 11th, 2019, 7:32 am

Hi everybody,

Thanks @JonM for your reply.

I now know that I am not the only one who has had problems with connectivity on my network. I didn't have as many connectivity problems before the release of IPFire which introduced Suricata.

So I do think that there is something that is jamming and that is very random... which makes it very difficult to reproduce!
Courage to all those who are trying to find out where the problem comes from...we will get there.

This morning again, I had another surprise with the connectivity of my network to the Internet that my verification script could not solve :(

Indeed, in my script, I test via the ping and dig commands that the connection works properly to 3 different sites. If 2 sites are problematic, then the script first restarts Suricata and retests the connection... then if this is not enough, it restarts Unbound... and finally if this is still not enough... it restarts the connection on the RED0 interface.
Well, this morning... I had a problem with the Internet connection and it came from... Squid!
ping and dig on the 3 sites worked perfectly. So the script had no reason to restart the services. On the other hand, going to the Internet via a browser... impossible to display the sites!
So I had to stop Suricata via the GUI and then reactivate it!

I then have a question: does anyone know a command-line way for me to test the accessibility of a website using HTTP or HTTPS?
I would then like to add this command to my script... so the script could also see when the connectivity problem blocks only the Squid proxy.

Thank you.

ummeegge
Community Developer
Posts: 4923
Joined: October 9th, 2010, 10:00 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by ummeegge » September 11th, 2019, 2:07 pm

Hi,
tikok974 wrote:
September 11th, 2019, 7:32 am
I then have a question: does anyone know a command-line way for me to test the accessibility of a website using HTTP or HTTPS?
I would then like to add this command to my script... so the script could also see when the connectivity problem blocks only the Squid proxy.
maybe with curl? e.g.

Code:

curl -s --head  --request GET https://www.ipfire.org
with proxy:

Code:

curl -s --head  --request GET https://www.ipfire.org -x {PROXY_IP:PORT}
if the site is reachable you will get a

Code:

HTTP/1.1 200 OK
if it is not, a

Code:

HTTP/1.1 503 Service Unavailable
if the proxy does not work you will get nothing, but it needs some time until the timeout arises, so why not set a "max-time" value (--max-time 3?).
In a possible statement, grep for a 200 OK then?
e.g.

Code:

if curl --max-time 3 -s --head  --request GET https://www.ipfire.org -x 192.168.2.1:800 | grep "200 OK"  > /dev/null; then
    echo "Up"
else
    echo "Down --> Do something"
fi
<-- If needed, adapt the proxy address to your needs ;-).

You can also invert the statement with a "!" so you can check only if the site is down.

As a first idea..

UE

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: Intrusion Prevention System (Suricata) completely blocks my external network connection !

Post by tikok974 » September 11th, 2019, 2:45 pm

Re,
Thanks @Ummeegge for your reply!

I had indeed done some tests with curl this morning and I had found this solution:

Code:

#!/bin/bash
# Probe three sites with curl and report the ones whose name cannot be resolved.
declare -a ServerArray2=("www.ipfire.org" "www.wikipedia.fr" "www.amazon.com")
for Serv in "${ServerArray2[@]}"; do
        # keep curl's output (errors included) for the check below
        curl "$Serv" >/tmp/test.log 2>&1
        if grep -q "Could not resolve host" /tmp/test.log; then
                echo ""
                echo ""
                echo "++++++++++++++++++++++"
                echo "Site $Serv inaccessible"
                echo "++++++++++++++++++++++"
        else
                echo ""
                echo ""
                echo "+++++++++++++"
                echo "Site $Serv OK"
                echo "+++++++++++++"
        fi
done
Thank you again for taking the time to answer me.
It is always very interesting to have several solutions ;)
I'm going to readjust my script with your command which is more elegant ;)
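The ladder tikok974 describes earlier (ping/dig on three sites, then restart Suricata, then Unbound, then the RED interface) and ummeegge's curl-through-the-proxy test fit together in one probe. The bash script below is an added example, not the thread's own script and not IPFire code: name resolution is checked with dig, the web path with curl through Squid using --max-time so a dead proxy fails within seconds, and a small decision function holds the escalation ladder so it can be tested without touching the network. The probe hosts, the proxy address (ummeegge's 192.168.2.1:800), the log path, the "restart Squid" step when only the proxy path fails, and the init-script commands are all assumptions; adapt them to your firewall.

```shell
#!/bin/bash
# Added example, not the thread's script and not IPFire code: a connectivity
# probe in the shape of tikok974's script, extended with ummeegge's
# curl-through-proxy check so that "names resolve but the proxy path is dead"
# is also caught. Hosts, proxy, timeouts, log path and restart commands are
# assumptions.

PROBE_HOSTS="${PROBE_HOSTS:-www.ipfire.org www.wikipedia.fr www.amazon.com}"  # assumed targets
PROXY="${PROXY:-192.168.2.1:800}"      # Squid address from ummeegge's example (assumed)
TIMEOUT="${TIMEOUT:-3}"                # seconds per probe, so a dead proxy fails fast
LOG="${LOG:-/var/log/connectivity-check.log}"   # assumed log path

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG"; }

# status_is_up CODE: classify an HTTP status code. curl prints 000 when it got
# no answer at all (timeout, refused proxy), which counts as down.
status_is_up() {
  case "$1" in
    2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
    *)                       return 1 ;;
  esac
}

# dns_ok HOST: true when the local resolver (unbound) returns at least one A record.
dns_ok() {
  [ -n "$(dig +short +time="$TIMEOUT" +tries=1 A "$1" 2>/dev/null)" ]
}

# http_ok HOST: true when a request through the proxy answers 2xx/3xx.
http_ok() {
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time "$TIMEOUT" \
              -x "$PROXY" "https://$1/")
  status_is_up "$code"
}

# count_failures PROBE: run PROBE for every host in PROBE_HOSTS, print how many failed.
count_failures() {
  local n=0 h
  for h in $PROBE_HOSTS; do "$1" "$h" || n=$((n + 1)); done
  echo "$n"
}

# next_action ATTEMPT DNS_FAILS HTTP_FAILS: the escalation ladder from the thread.
# ATTEMPT is how many restarts this incident has already had. Two or more
# failing hosts count as an outage (a single host may simply be down).
next_action() {
  local attempt=$1 dns_fails=$2 http_fails=$3
  if [ "$dns_fails" -lt 2 ] && [ "$http_fails" -lt 2 ]; then
    echo ok
  elif [ "$attempt" -eq 0 ]; then
    echo restart-suricata           # first suspect, and usually enough
  elif [ "$attempt" -eq 1 ] && [ "$dns_fails" -ge 2 ]; then
    echo restart-unbound            # names do not resolve: the resolver is next
  elif [ "$attempt" -eq 1 ]; then
    echo restart-squid              # names resolve, proxy path dead (assumed step)
  elif [ "$attempt" -eq 2 ]; then
    echo reconnect-red
  else
    echo give-up                    # nothing left to restart; needs a human
  fi
}

# run_action ACTION: IPFire init-script calls (assumed; check them on your box).
run_action() {
  case "$1" in
    restart-suricata) /etc/init.d/suricata restart ;;
    restart-unbound)  /etc/init.d/unbound restart ;;
    restart-squid)    /etc/init.d/squid restart ;;
    reconnect-red)    /etc/init.d/network restart red ;;
  esac
}

# monitor_once: probe, act, re-probe, climbing the ladder until the network is
# back or the ladder is exhausted.
monitor_once() {
  local attempt=0 dns_fails http_fails action
  while :; do
    dns_fails=$(count_failures dns_ok)
    http_fails=$(count_failures http_ok)
    action=$(next_action "$attempt" "$dns_fails" "$http_fails")
    log "dns_failures=$dns_fails http_failures=$http_fails -> $action"
    case "$action" in ok|give-up) return ;; esac
    run_action "$action"
    attempt=$((attempt + 1))
    sleep 15                        # give the restarted service time to come up
  done
}

if [ "${1:-}" = "--run" ]; then monitor_once; fi
```

Run it as `./check.sh --run` from cron or a loop; every decision is written to the log with the two failure counts, so an incident like the "Squid only" one above shows up as `dns_failures=0 http_failures=3`. Keeping the ladder in `next_action` rather than inline in the loop is what makes it testable with fake counts, which is worth doing before letting a script restart services on a production firewall.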
