IPS Network Problem

NethServer Version: 7
Module: IPS

When I enable IPS system the network doesnt’ works. If I disable it all works fine.
It’s an IPS bug or it’s a malware on my network?
Anyone has got this problem?

No, IPS running without problems here. Do you see block entries in Evebox? Are errors in the logfiles /var/log/messages or /var/log/suricata/*?

1 Like

I have the same problem on two differents firewalls…

You need to tweak the IPS configuration by enabling or disabling various rule sets accordingly to your environment,

Please take a look to the manual to know what is the behavior of each rule category (http://docs.nethserver.org/en/v7/suricata.html#ips-suricata).

Also use EveBox, or look inside the logs pointed out by Markus to see what traffic is blocked and why.

Please consider that an IPS is a complex tool and you need to deeply understand networking and traffic filtering before tuning Suricata configuration.

IPS worked fine until saturday… today it doesn’t work and rules are always the same.
I don’t remember if yesterday evening there was an update or not.

Please check /var/log/cron and /var/log/yum.log and see it nethserver-pulledpork has been updated (see https://github.com/NethServer/nethserver-pulledpork/pull/7).

If so, could you post relevant part of logs to see if any error occurred?

1 Like

Yesterday evening updates was:

Jan 14 23:00:17 Updated: pfring-7.1.0-1681.x86_64
Jan 14 23:00:19 Updated: ntopng-data-3.3.180109-3804.noarch
Jan 14 23:00:22 Installed: ntopng-3.3.180109-3804.x86_64
Jan 14 23:00:22 Installed: nethserver-ntopng-2.1.0-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-sssd-1.3.5-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-pulledpork-2.1.2-1.ns7.noarch
Jan 14 23:00:22 Erased: ntopng-pcap-3.1.170812-3152.el7.centos.x86_64

There are some problems on one of this updates?

1 Like

I also updated and everything is working so far.

Jan 13 04:01:17 Updated: nethserver-pulledpork.noarch 2.1.2-1.ns7

Can you please check /var/log/suricata/fast.log or Evebox to see which rule blocks your network traffic?

It was category DELETED: I have change to Alarm but doesn’t work.

Hi Markus,
I have the same problem with ISP, it has anomalous behavior from yesterday.

ISP is blocking everything that normally worked. The OpenVPN client also detects it as a trojan

01/14/2018-19:12:12.641205  [Drop] [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} ...

ISP had never done it before.

1 Like

It blocks the connections between external DNS and NS.
Never blocked before today.

The ISP configurations have not been changed I have only updated.

01/15/2018-13:37:29.861972 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:34.864795 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:40.933204 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:53.943631 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:58.944839 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:04.923913 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:17.636564 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.547584 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.572829 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:19.638377 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.573975 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.574404 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:22.638169 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574221 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574444 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:28.782735 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.577889 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.603190 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:30.605567 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.603833 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.604321 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.604775 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.606805 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.788041 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.789587 [Drop] [] [1:2001117:6] ET DNS Standard query response, Name Error [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …

Is DELETED the only blocked category in the logfile? What about setting it to “disable”?

Is it only the TROJAN category? Does setting it to “Alarm” work?

I can confirm that the package update doesn’t break ours installations.

As pointed out by @pasing, probably something changed inside the rules.

I have extracted some examples from /var/log/suricata/fast.log:

ET DELETED Nginx Server in use - Often Hostile Traffic
"hostname": “ocsp.int-x3.letsencrypt.org

ET DNS Standard query response, Name Error

ET DELETED Likely Binary in HTTP by Type Flowbit
"hostname": “www.shallalist.de

ET USER_AGENTS Go HTTP Client User-Agent
"hostname": “static.nvd.nist.gov”,

ET DELETED Tomcat Successful default credential login from external source

@giacomo @mrmarkuz do you have any suggestions for solving the problem?

I have the same problem of @pasing. If you disabled DNS category does it works?

I reported this almost a week ago here.

I included a list of the rules I had active at the time.

Cheers.

It seems the rules are more strict now so easiest way is to set the blocked categories to “Alert”.

1 Like

Is this the solution?

No, it’s just a workaround to make networking available again. I am afraid there is no easy solution. You have to update to catch the newest threats but these updates may change IPS behaviour.