NethServer Version: 7
Module: IPS
When I enable IPS system the network doesnt’ works. If I disable it all works fine.
It’s an IPS bug or it’s a malware on my network?
Anyone has got this problem?
No, IPS running without problems here. Do you see block entries in Evebox? Are errors in the logfiles /var/log/messages or /var/log/suricata/*?
1 Like
I have the same problem on two differents firewalls…
You need to tweak the IPS configuration by enabling or disabling various rule sets accordingly to your environment,
Please take a look to the manual to know what is the behavior of each rule category (http://docs.nethserver.org/en/v7/suricata.html#ips-suricata).
Also use EveBox, or look inside the logs pointed out by Markus to see what traffic is blocked and why.
Please consider that an IPS is a complex tool and you need to deeply understand networking and traffic filtering before tuning Suricata configuration.
IPS worked fine until saturday… today it doesn’t work and rules are always the same.
I don’t remember if yesterday evening there was an update or not.
Please check /var/log/cron and /var/log/yum.log and see it nethserver-pulledpork has been updated (see pulledpork.conf: use rules optimized for suricata 4.0 by filippocarletti · Pull Request #7 · NethServer/nethserver-pulledpork · GitHub).
If so, could you post relevant part of logs to see if any error occurred?
1 Like
Yesterday evening updates was:
Jan 14 23:00:17 Updated: pfring-7.1.0-1681.x86_64
Jan 14 23:00:19 Updated: ntopng-data-3.3.180109-3804.noarch
Jan 14 23:00:22 Installed: ntopng-3.3.180109-3804.x86_64
Jan 14 23:00:22 Installed: nethserver-ntopng-2.1.0-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-sssd-1.3.5-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-pulledpork-2.1.2-1.ns7.noarch
Jan 14 23:00:22 Erased: ntopng-pcap-3.1.170812-3152.el7.centos.x86_64
There are some problems on one of this updates?
1 Like
I also updated and everything is working so far.
Jan 13 04:01:17 Updated: nethserver-pulledpork.noarch 2.1.2-1.ns7
Can you please check /var/log/suricata/fast.log or Evebox to see which rule blocks your network traffic?
It was category DELETED: I have change to Alarm but doesn’t work.
Hi Markus,
I have the same problem with ISP, it has anomalous behavior from yesterday.
ISP is blocking everything that normally worked. The OpenVPN client also detects it as a trojan
01/14/2018-19:12:12.641205 [Drop] [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} ...
ISP had never done it before.
1 Like
It blocks the connections between external DNS and NS.
Never blocked before today.
The ISP configurations have not been changed I have only updated.
01/15/2018-13:37:29.861972 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:34.864795 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:40.933204 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:53.943631 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:58.944839 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:04.923913 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:17.636564 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.547584 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.572829 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:19.638377 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.573975 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.574404 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:22.638169 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574221 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574444 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:28.782735 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.577889 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.603190 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:30.605567 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.603833 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.604321 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.604775 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.606805 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.788041 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.789587 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
Is DELETED the only blocked category in the logfile? What about setting it to “disable”?
Is it only the TROJAN category? Does setting it to “Alarm” work?
I can confirm that the package update doesn’t break ours installations.
As pointed out by @pasing, probably something changed inside the rules.
I have extracted some examples from /var/log/suricata/fast.log:
ET DELETED Nginx Server in use - Often Hostile Traffic
"hostname": “ocsp.int-x3.letsencrypt.org”
ET DNS Standard query response, Name Error
ET DELETED Likely Binary in HTTP by Type Flowbit
"hostname": “www.shallalist.de”
ET USER_AGENTS Go HTTP Client User-Agent
"hostname": “static.nvd.nist.gov”,
ET DELETED Tomcat Successful default credential login from external source
@giacomo @mrmarkuz do you have any suggestions for solving the problem?
I reported this almost a week ago here.
I included a list of the rules I had active at the time.
Cheers.
It seems the rules are more strict now so easiest way is to set the blocked categories to “Alert”.
1 Like
Is this the solution?
No, it’s just a workaround to make networking available again. I am afraid there is no easy solution. You have to update to catch the newest threats but these updates may change IPS behaviour.