IPS Network Problem

suricata
ips
v7

(Federico Ballarini) #1

NethServer Version: 7
Module: IPS

When I enable the IPS system the network doesn't work. If I disable it, all works fine.
Is it an IPS bug or is it malware on my network?
Has anyone got this problem?


(Markus Neuberger) #2

No, IPS running without problems here. Do you see block entries in Evebox? Are errors in the logfiles /var/log/messages or /var/log/suricata/*?


(Federico Ballarini) #3

I have the same problem on two different firewalls…


(Giacomo Sanchietti) #4

You need to tweak the IPS configuration by enabling or disabling various rule sets according to your environment.

Please take a look at the manual to know what the behavior of each rule category is (http://docs.nethserver.org/en/v7/suricata.html#ips-suricata).

Also use EveBox, or look inside the logs pointed out by Markus to see what traffic is blocked and why.

Please consider that an IPS is a complex tool and you need to deeply understand networking and traffic filtering before tuning Suricata configuration.


(Federico Ballarini) #5

IPS worked fine until Saturday… today it doesn't work and the rules are still the same.
I don’t remember if yesterday evening there was an update or not.


(Giacomo Sanchietti) #6

Please check /var/log/cron and /var/log/yum.log and see if nethserver-pulledpork has been updated (see https://github.com/NethServer/nethserver-pulledpork/pull/7).

If so, could you post the relevant part of the logs to see if any error occurred?


(Federico Ballarini) #7

Yesterday evening's updates were:

Jan 14 23:00:17 Updated: pfring-7.1.0-1681.x86_64
Jan 14 23:00:19 Updated: ntopng-data-3.3.180109-3804.noarch
Jan 14 23:00:22 Installed: ntopng-3.3.180109-3804.x86_64
Jan 14 23:00:22 Installed: nethserver-ntopng-2.1.0-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-sssd-1.3.5-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-pulledpork-2.1.2-1.ns7.noarch
Jan 14 23:00:22 Erased: ntopng-pcap-3.1.170812-3152.el7.centos.x86_64


(Federico Ballarini) #8

Are there some problems with one of these updates?


(Markus Neuberger) #9

I also updated and everything is working so far.

Jan 13 04:01:17 Updated: nethserver-pulledpork.noarch 2.1.2-1.ns7

Can you please check /var/log/suricata/fast.log or Evebox to see which rule blocks your network traffic?


(Federico Ballarini) #10

It was the category DELETED: I have changed it to Alarm but it doesn't work.


(Pasquale Inglese) #11

Hi Markus,
I have the same problem with IPS, it has had anomalous behavior since yesterday.

IPS is blocking everything that normally worked. The OpenVPN client also detects it as a trojan:

01/14/2018-19:12:12.641205  [Drop] [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} ...

IPS had never done this before.


(Pasquale Inglese) #12

It blocks the connections between external DNS and NS.
Never blocked before today.

The IPS configuration has not been changed, I have only updated.

01/15/2018-13:37:29.861972 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:34.864795 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:40.933204 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:53.943631 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:58.944839 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:04.923913 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:17.636564 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.547584 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.572829 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:19.638377 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.573975 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.574404 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:22.638169 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574221 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574444 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:28.782735 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.577889 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.603190 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:30.605567 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.603833 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.604321 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.604775 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.606805 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.788041 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.789587 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
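Giacomo and Markus both point at /var/log/suricata/fast.log as the place to see which rule is dropping traffic. A short way to answer that question is to parse the log and count drops per rule and per ET category, which is what the following added example does (it is not NethServer or Suricata code). The sample records are constructed to match the lines quoted in this thread: the rule messages and SIDs 2001117 and 2009206 are the ones quoted above, the addresses are documentation-range IPs, and sid 1000001 is a placeholder in the local-rule range.

```python
"""Summarise which Suricata rules are dropping traffic, read from fast.log.

Added illustration for this thread, not NethServer or Suricata code. The
sample lines are constructed; only the messages and the two ET SIDs come
from the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One fast.log record:
#   <ts>  [Drop] [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} SRC -> DST
# "[Drop]" appears when the packet was dropped in IPS mode; "[wDrop]" means a
# drop rule matched but Suricata was running in IDS mode (would have dropped).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample log (documentation-range IPs, sid 1000001 is a placeholder).
SAMPLE_LOG = """\
01/15/2018-13:37:29.861972  [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.53:53 -> 192.0.2.10:41532
01/15/2018-13:37:34.864795  [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.53:53 -> 192.0.2.10:58817
01/15/2018-13:37:40.933204  [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.53:53 -> 192.0.2.11:51003
01/14/2018-19:12:12.641205  [Drop] [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.20:1194 -> 198.51.100.7:1194
01/15/2018-13:40:01.000001  [**] [1:1000001:1] ET USER_AGENTS Go HTTP Client User-Agent [**] [Classification: Sample Classification] [Priority: 2] {TCP} 192.0.2.12:49822 -> 198.51.100.9:443
"""


@dataclass
class Event:
    ts: str
    action: Optional[str]  # "Drop", "wDrop" or None for a plain alert
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str

    @property
    def dropped(self) -> bool:
        """True only for packets actually dropped (IPS mode)."""
        return self.action == "Drop"

    @property
    def category(self) -> str:
        """Emerging Threats messages start with 'ET <CATEGORY> ...'."""
        parts = self.msg.split()
        if len(parts) >= 2 and parts[0] == "ET":
            return parts[1]
        return "UNKNOWN"


def parse_line(line: str) -> Optional[Event]:
    """Parse one fast.log record; return None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=m["ts"], action=m["action"], sid=int(m["sid"]), rev=int(m["rev"]),
                 msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
                 proto=m["proto"], src=m["src"], dst=m["dst"])


def parse_lines(lines: Iterable[str]) -> List[Event]:
    """Parse all records, silently skipping unparseable lines."""
    events = (parse_line(l) for l in lines if l.strip())
    return [e for e in events if e is not None]


def drops_by_rule(events: Iterable[Event]) -> Dict[int, int]:
    """Number of dropped packets per rule SID."""
    return dict(Counter(e.sid for e in events if e.dropped))


def drops_by_category(events: Iterable[Event]) -> Dict[str, int]:
    """Number of dropped packets per ET category (DNS, TROJAN, DELETED, ...)."""
    return dict(Counter(e.category for e in events if e.dropped))


def top_dropped_rules(events: Iterable[Event]) -> List[Tuple[str, int, str, int]]:
    """(category, sid, msg, drops) sorted by drop count, most frequent first."""
    counts: Counter = Counter()
    label: Dict[int, Tuple[str, str]] = {}
    for e in events:
        if e.dropped:
            counts[e.sid] += 1
            label[e.sid] = (e.category, e.msg)
    return [(label[sid][0], sid, label[sid][1], n) for sid, n in counts.most_common()]


if __name__ == "__main__":
    # Run against the real file with: python3 this.py < /var/log/suricata/fast.log
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    evs = parse_lines(src)
    for cat, sid, msg, n in top_dropped_rules(evs):
        print(f"{n:6d}  {cat:<12} sid {sid:<8} {msg}")
```

Sorting by drop count per SID makes the decision Markus and Giacomo describe concrete: in the sample above the DNS "Name Error" rule accounts for most of the drops, so the DNS category is the one to switch from Block to Alert first, while a single TROJAN hit on the OpenVPN port deserves a look at the flow before its category is relaxed.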


(Markus Neuberger) #13

Is DELETED the only blocked category in the logfile? What about setting it to “disable”?

Is it only the TROJAN category? Does setting it to “Alarm” work?


(Giacomo Sanchietti) #14

I can confirm that the package update doesn't break our installations.

As pointed out by @pasing, probably something changed inside the rules.


(Pasquale Inglese) #15

I have extracted some examples from /var/log/suricata/fast.log:

ET DELETED Nginx Server in use - Often Hostile Traffic
"hostname": "ocsp.int-x3.letsencrypt.org"

ET DNS Standard query response, Name Error

ET DELETED Likely Binary in HTTP by Type Flowbit
"hostname": "www.shallalist.de"

ET USER_AGENTS Go HTTP Client User-Agent
"hostname": "static.nvd.nist.gov",

ET DELETED Tomcat Successful default credential login from external source

@giacomo @mrmarkuz do you have any suggestions for solving the problem?


(Federico Ballarini) #16

I have the same problem as @pasing. If you disable the DNS category, does it work?


(Eddie Atherton) #17

I reported this almost a week ago here.

I included a list of the rules I had active at the time.

Cheers.


(Markus Neuberger) #18

It seems the rules are more strict now so easiest way is to set the blocked categories to “Alert”.
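Setting a category to "Alert" instead of "Block" comes down to the first word of every rule in that category: a `drop` rule becomes an `alert` rule, so the traffic is still logged in fast.log but no longer dropped. The following added example shows that rule-level effect for the categories named in this thread; it is not the NethServer IPS page or pulledpork code, which do this for you. The rule lines are constructed and simplified (only msg, classtype, sid and rev are kept, the real rule bodies are longer); the messages and SIDs 2001117 and 2009206 are from the thread, and 1000001 and 1000002 are placeholder SIDs.

```python
"""Switch the action of Suricata rules in chosen ET categories from drop to alert.

Added illustration for this thread, not NethServer or pulledpork code. The
sample rules are constructed and simplified; only their messages and the two
ET SIDs come from the thread.
"""
import re
from typing import Dict, Iterable, Tuple

ACTIONS = r"alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth"
# Active (uncommented) rule whose msg starts with "ET <CATEGORY>".
RULE_RE = re.compile(
    r"^(?P<action>" + ACTIONS + r")\s+"
    r'(?P<rest>.*\(.*msg:\s*"ET\s+(?P<cat>[A-Z0-9_]+)\b.*)$'
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

# Constructed, simplified rules; 1000001 and 1000002 are placeholder SIDs.
SAMPLE_RULES = """\
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Standard query response, Name Error"; classtype:not-suspicious; sid:2001117; rev:6;)
drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; classtype:trojan-activity; sid:2009206; rev:4;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server in use - Often Hostile Traffic"; classtype:bad-unknown; sid:1000001; rev:1;)
# drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Go HTTP Client User-Agent"; classtype:bad-unknown; sid:1000002; rev:1;)
"""


def set_category_action(rules: str, categories: Iterable[str],
                        new_action: str = "alert") -> Tuple[str, int]:
    """Return (rewritten rules text, number of rules changed).

    Only active rules whose ET category is in `categories` are touched.
    Commented-out (disabled) rules, blank lines and other categories pass
    through unchanged, so the function is safe to re-run.
    """
    wanted = {c.upper() for c in categories}
    out = []
    changed = 0
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if m and m["cat"] in wanted and m["action"] != new_action:
            line = f"{new_action} {m['rest']}"
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def actions_by_sid(rules: str) -> Dict[int, str]:
    """Map SID -> action for every active ET rule; handy to verify a rewrite."""
    result: Dict[int, str] = {}
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(line) if m else None
        if m and s:
            result[int(s.group(1))] = m["action"]
    return result


if __name__ == "__main__":
    new_rules, n = set_category_action(SAMPLE_RULES, ["DNS", "DELETED"])
    print(f"{n} rule(s) switched to alert")
    print(new_rules)
```

The TROJAN rule keeps its `drop` action in this run, which matches Markus's later point: relaxing a category is a workaround that restores connectivity, not a fix, and each rule update can change which rules fire, so the rewrite has to be re-applied (or done by the tooling) after every pulledpork run.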


(Federico Ballarini) #19

Is this the solution?


(Markus Neuberger) #20

No, it’s just a workaround to make networking available again. I am afraid there is no easy solution. You have to update to catch the newest threats but these updates may change IPS behaviour.