Suricata vs Guardian: Loss of IP blocking

General questions.
dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Suricata vs Guardian: Loss of IP blocking

Post by dnl » May 21st, 2019, 9:56 am

I'm really glad that Suricata has been implemented in IPFire! Unfortunately a major feature has been lost.

Before with Guardian the IDS would block an IP which triggered a rule. Now the IPS only blocks the specific traffic which triggered that rule.

This is a major loss of functionality. Although it caused a lot of IPS log entries, I liked having every IP blacklisted for a (long) period of time.

Before...
  1. The suspicious traffic matching a rule was blocked
  2. The originating IP couldn't send packets to my network (as long as it was blacklisted)
  3. Devices on my network couldn't communicate outbound to the IP (as long as the IP was blacklisted)
but now...
  1. The suspicious traffic matching a rule is blocked...and the IP can keep communicating. There's no automated response - no automatic protection.
Is there any way the old functionality can be implemented again?
Can Guardian be adapted to fire on IPs from Suricata logs?

Thank you!
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE
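As an added illustration of the blacklist behaviour dnl describes (example code written for this page, not code from the thread, from Guardian or from IPFire): alerts are taken from Suricata's eve.json output, the remote peer of each alert is blocked in both directions for a fixed period, and flow records and low-severity rules are ignored. The local network range, rule ids and log records are constructed.

```python
import json
import ipaddress
from datetime import datetime, timedelta

# Constructed eve.json records using Suricata's field layout; not from a live sensor.
EVE_LINES = [
    '{"timestamp":"2019-05-21T09:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10",'
    '"dest_ip":"192.0.2.5","alert":{"signature_id":9000001,"signature":"LOCAL inbound scan","severity":2}}',
    '{"timestamp":"2019-05-21T09:00:05.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.5"}',
    '{"timestamp":"2019-05-21T09:00:10.000000+0000","event_type":"alert","src_ip":"192.0.2.20",'
    '"dest_ip":"198.51.100.9","alert":{"signature_id":9000002,"signature":"LOCAL outbound to bad host","severity":1}}',
    '{"timestamp":"2019-05-21T09:00:15.000000+0000","event_type":"alert","src_ip":"198.51.100.7",'
    '"dest_ip":"192.0.2.5","alert":{"signature_id":9000003,"signature":"LOCAL informational","severity":3}}',
]
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: the protected (GREEN) side

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def offender(src, dst):
    """Pick the remote peer: the source of an inbound alert, the destination of an outbound one."""
    src_local = any(ipaddress.ip_address(src) in n for n in LOCAL_NETS)
    dst_local = any(ipaddress.ip_address(dst) in n for n in LOCAL_NETS)
    if src_local == dst_local:  # both local or both remote: nothing sensible to blacklist
        return None
    return dst if src_local else src

class Blacklist:
    """Alert-driven IP blacklist with expiry, the 'block the IP for a period' behaviour from the post."""
    def __init__(self, block_time=timedelta(hours=24), max_severity=2):
        self.block_time = block_time
        self.max_severity = max_severity  # Suricata severity: 1 = high ... 3 = low; skip noisy rules
        self.expires = {}                 # ip -> datetime at which the block lapses

    def feed(self, line):
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev["alert"]["severity"] > self.max_severity:
            return None
        ip = offender(ev["src_ip"], ev["dest_ip"])
        if ip:
            self.expires[ip] = parse_ts(ev["timestamp"]) + self.block_time
        return ip

    def active(self, now):
        return {ip for ip, until in self.expires.items() if until > now}

    def is_blocked(self, src, dst, now):
        """True if either end of a packet is blacklisted, so inbound and outbound are both covered."""
        return bool({src, dst} & self.active(now))

def build_blacklist(lines=EVE_LINES):
    bl = Blacklist()
    for line in lines:
        bl.feed(line)
    return bl
```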

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Suricata vs Guardian: Loss of IP blocking

Post by bloater99 » May 21st, 2019, 6:41 pm

I noticed that too. It would be nice to regain the ability to blacklist IPs that trigger IPS rules.

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Suricata vs Guardian: Loss of IP blocking

Post by dnl » May 27th, 2019, 4:34 am

I did a quick search of IPFire Bugzilla but couldn't find this. Since we've not had a response from the devs here I'll raise a bug. Hopefully it will be considered seriously.

https://bugzilla.ipfire.org/show_bug.cgi?id=12089
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

teejay
Posts: 20
Joined: August 19th, 2016, 5:52 pm

Re: Suricata vs Guardian: Loss of IP blocking

Post by teejay » May 27th, 2019, 7:02 am

Second this. Banning an IP based on certain rules is essential for security. This function should somehow be enabled and return to Guardian.

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Suricata vs Guardian: Loss of IP blocking

Post by dnl » May 28th, 2019, 9:37 am

Well, Michael was somewhat blunt in his response to the ticket. It's a pity because I feel he's overlooking the legitimate value of this feature to some networks. I fully recognise that it is of no use to others, but it was always optional and not on by default.

While I didn't intend to raise a discussion in a bug report, I hadn't had any reply to this thread and a long-standing feature was removed without documentation. I thought that in the circumstances it was reasonable to report a bug. ¯\_(ツ)_/¯
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Suricata vs Guardian: Loss of IP blocking

Post by BeBiMa » May 28th, 2019, 12:08 pm

As Michael stated in bugzilla, the discussion should also take place in the development mailing list.
The forum reaches the broad audience of all users, but sometimes isn't read by the core developers.
The mailing list is read more frequently by those guys, who can/will implement these features.

- Bernhard
Unitymedia Cable Internet ( 32MBit )

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Suricata vs Guardian: Loss of IP blocking

Post by dnl » June 8th, 2019, 2:06 am

BeBiMa wrote:
May 28th, 2019, 12:08 pm
As Michael stated in bugzilla, the discussion should also take place in the development mailing list.
The forum reaches the broad audience of all users, but sometimes isn't read by the core developers.
The mailing list is read more frequently by those guys, who can/will implement these features.

- Bernhard
Hello,
I am aware of that now, but did not know that at the time.

Mailing lists are good for developers wanting to keep across everything, but very annoying for those of us who only want to report/discuss one issue. Also, what is the point of the developer section of these forums?
Michael's argument in the bugzilla has some good points, but has a few security issues he's overlooked. I'm not sure I can be bothered replying though.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE
