IPS Network Problem

Please check /var/log/cron and /var/log/yum.log and see if nethserver-pulledpork has been updated (see pulledpork.conf: use rules optimized for suricata 4.0 by filippocarletti · Pull Request #7 · NethServer/nethserver-pulledpork · GitHub).

If so, could you post relevant part of logs to see if any error occurred?

Yesterday evening's updates were:

Jan 14 23:00:17 Updated: pfring-7.1.0-1681.x86_64
Jan 14 23:00:19 Updated: ntopng-data-3.3.180109-3804.noarch
Jan 14 23:00:22 Installed: ntopng-3.3.180109-3804.x86_64
Jan 14 23:00:22 Installed: nethserver-ntopng-2.1.0-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-sssd-1.3.5-1.ns7.noarch
Jan 14 23:00:22 Updated: nethserver-pulledpork-2.1.2-1.ns7.noarch
Jan 14 23:00:22 Erased: ntopng-pcap-3.1.170812-3152.el7.centos.x86_64

Are there problems with one of these updates?

I also updated and everything is working so far.

Jan 13 04:01:17 Updated: nethserver-pulledpork.noarch 2.1.2-1.ns7

Can you please check /var/log/suricata/fast.log or Evebox to see which rule blocks your network traffic?

It was category DELETED: I have changed it to Alarm but it doesn't work.

Hi Markus,
I have the same problem with the IPS; it has shown anomalous behavior since yesterday.

The IPS is blocking everything that normally worked. It also detects the OpenVPN client as a trojan:

01/14/2018-19:12:12.641205  [Drop] [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} ...

The IPS had never done this before.

It blocks the connections between external DNS and NS.
It never blocked these before today.

The IPS configuration has not been changed; I have only updated.

01/15/2018-13:37:29.861972 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:34.864795 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:40.933204 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:53.943631 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:37:58.944839 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:04.923913 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:17.636564 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.547584 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:18.572829 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:19.638377 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.573975 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:21.574404 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:22.638169 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574221 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:25.574444 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:28.782735 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.577889 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:29.603190 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:30.605567 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.603833 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:32.604321 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.604775 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:36.606805 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.788041 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …
01/15/2018-13:38:43.789587 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} …

Is DELETED the only blocked category in the logfile? What about setting it to “disable”?

Is it only the TROJAN category? Does setting it to “Alarm” work?

I can confirm that the package update doesn't break our installations.

As pointed out by @pasing, probably something changed inside the rules.

I have extracted some examples from /var/log/suricata/fast.log:

ET DELETED Nginx Server in use - Often Hostile Traffic
"hostname": "ocsp.int-x3.letsencrypt.org"

ET DNS Standard query response, Name Error

ET DELETED Likely Binary in HTTP by Type Flowbit
"hostname": "www.shallalist.de"

ET USER_AGENTS Go HTTP Client User-Agent
"hostname": "static.nvd.nist.gov",

ET DELETED Tomcat Successful default credential login from external source

@giacomo @mrmarkuz do you have any suggestions for solving the problem?

I have the same problem as @pasing. If you disable the DNS category, does it work?

I reported this almost a week ago here.

I included a list of the rules I had active at the time.

Cheers.

It seems the rules are more strict now so easiest way is to set the blocked categories to “Alert”.

Is this the solution?

No, it’s just a workaround to make networking available again. I am afraid there is no easy solution. You have to update to catch the newest threats but these updates may change IPS behaviour.
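Before switching whole categories from block to alert, it helps to see which rules are actually dropping traffic. The following Python helper is an added example, not code from this thread or from NethServer: it parses Suricata fast.log lines like the ones posted above (also tolerating copies where forum formatting turned the `[**]` separators into `[]`) and counts drops per ET category and per SID. The sample lines are constructed from the rules discussed here, using documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Suricata fast.log format. The "[**]" separators are optional in this pattern
# because forum software often strips the asterisks, leaving a bare "[]".
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"          # absent when the rule only alerts
    r"\[(?:\*\*)?\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[(?:\*\*)?\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_line(line):
    """Return a dict for one fast.log line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = rec["action"] or "Alert"
    # Emerging Threats rules carry their category right after the "ET " prefix
    words = rec["msg"].split()
    rec["category"] = words[1] if len(words) > 1 and words[0] == "ET" else "UNKNOWN"
    return rec

def summarize_drops(lines):
    """Count dropped packets per ET category and per SID (alert-only lines are skipped)."""
    by_cat = Counter()
    by_sid = defaultdict(lambda: {"count": 0, "msg": "", "dst_ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] == "Alert":
            continue
        by_cat[rec["category"]] += 1
        entry = by_sid[rec["sid"]]
        entry["count"] += 1
        entry["msg"] = rec["msg"]
        entry["dst_ports"].add(rec["dst"].rsplit(":", 1)[-1])
    return by_cat, by_sid

# Constructed sample: rules from this thread, documentation IPs, one mangled "[]" line, one alert-only line.
SAMPLE_LOG = """\
01/15/2018-09:24:05.005962 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.0.2.2:36478
01/15/2018-09:24:06.172086 [Drop] [] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.11:443 -> 192.0.2.2:52072
01/15/2018-13:37:29.861972 [Drop] [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.53:53 -> 192.0.2.2:41002
01/14/2018-19:12:12.641205 [Drop] [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 198.51.100.7:51820 -> 192.0.2.2:1194
01/15/2018-13:37:34.864795 [**] [1:2001117:6] ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.53:53 -> 192.0.2.2:41010
"""

if __name__ == "__main__":
    cats, sids = summarize_drops(SAMPLE_LOG.splitlines())
    print(cats.most_common(), {s: (e["count"], sorted(e["dst_ports"])) for s, e in sids.items()})
```

Run it against the real file with `summarize_drops(open("/var/log/suricata/fast.log"))` to get the same per-category and per-SID counts for your own traffic.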

Yesterday I applied this update:
Jan 13 04:01:17 Updated: nethserver-pulledpork.noarch 2.1.2-1.ns7

And today when I try to connect via OpenVPN, the connection is successful but I can't access the resources of my LAN. I checked the Evebox inbox and saw this:

BLOCKED ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} …

All on port 1194.

So I disabled the Suricata service and everything works fine again.

My question is whether that block is a false positive, because I tried via smartphone with the same result.

I assume it’s a false positive as @pasing reported similar behaviour:

The problem immobilizes NS. After the update, if I keep the rules set to block on TROJAN, when I try to access the VPS the system locks up and doesn't work even on the server-manager side. Web pages do not load. Everything returns to normal if I disconnect the client.

Setting it to alarm is not a valid solution in terms of security; it is useful only as a stopgap.

The rule that blocks OpenVPN client is this: http://doc.emergingthreats.net/2009206

Has anyone got a solution?
Do I have to set the rules (DNS, DELETED, USER_AGENT) to Alarm?

This is my log.
Categories DNS, DELETED and USER_AGENT are already set to Alarm.

01/15/2018-09:24:05.005962 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36478
01/15/2018-09:24:05.350406 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 212.73.221.199:80 -> 192.168.1.2:37762
01/15/2018-09:24:05.606746 [Drop] [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.106.86.135:443 -> 192.168.1.2:33380
01/15/2018-09:24:06.172086 [Drop] [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.16.207.165:443 -> 192.168.1.2:52072
01/15/2018-09:24:06.177960 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.217.23.78:80 -> 192.168.8.251:9130
01/15/2018-09:24:06.212958 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.217.23.78:80 -> 192.168.8.251:9131
01/15/2018-09:24:06.222750 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 216.58.205.46:80 -> 192.168.8.251:9132
01/15/2018-09:24:06.465201 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36504
01/15/2018-09:24:06.586432 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.35:80 -> 192.168.1.2:47288
01/15/2018-09:24:06.755024 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.13:80 -> 192.168.1.2:44558
01/15/2018-09:24:07.138333 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 212.73.221.205:80 -> 192.168.1.2:49148
01/15/2018-09:24:07.248673 [Drop] [**] [1:2008054:7] ET DELETED Nginx Server in use - Often Hostile Traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 89.238.68.201:80 -> 192.168.1.2:34776
01/15/2018-09:24:07.526212 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 204.79.197.223:80 -> 192.168.1.2:35118
01/15/2018-09:24:07.736948 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36538
01/15/2018-09:24:07.988301 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41878
01/15/2018-09:24:08.015995 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39018
01/15/2018-09:24:08.139694 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 94.75.236.122:80 -> 192.168.1.2:59074
01/15/2018-09:24:08.305304 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.7:80 -> 192.168.1.2:34126
01/15/2018-09:24:08.346769 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.231.123.131:80 -> 192.168.1.2:43956
01/15/2018-09:24:08.457304 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.18:80 -> 192.168.1.2:40146
01/15/2018-09:24:08.601482 [Drop] [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 185.26.182.117:443 -> 192.168.1.2:46782
01/15/2018-09:24:08.726988 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41906
01/15/2018-09:24:08.893996 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.27:80 -> 192.168.1.2:36572
01/15/2018-09:24:09.334481 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39050
01/15/2018-09:24:09.475456 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39054
01/15/2018-09:24:09.507773 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41918
01/15/2018-09:24:09.552478 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.174.47:80 -> 192.168.1.2:52382
01/15/2018-09:24:09.637261 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.174.47:80 -> 192.168.1.2:52386
01/15/2018-09:24:09.801301 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.231.123.131:80 -> 192.168.1.2:43994
01/15/2018-09:24:09.904974 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41932
01/15/2018-09:24:10.261262 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 193.45.6.7:80 -> 192.168.1.2:41940
01/15/2018-09:24:10.346685 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39084
01/15/2018-09:24:10.531719 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.35:80 -> 192.168.1.2:47404
01/15/2018-09:24:10.607371 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.35:80 -> 192.168.1.2:47406
01/15/2018-09:24:10.797104 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 2.20.251.11:80 -> 192.168.1.2:55228
01/15/2018-09:24:10.860939 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 212.73.221.199:80 -> 192.168.1.2:37908
01/15/2018-09:24:10.870938 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 23.50.149.163:80 -> 192.168.1.2:50586
01/15/2018-09:24:10.961451 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.174.47:80 -> 192.168.1.2:52430
01/15/2018-09:24:11.047211 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.18:80 -> 192.168.1.2:40220
01/15/2018-09:24:11.186432 [Drop] [**] [1:2002750:27] ET DELETED Reserved IP Space Traffic - Bogon Nets 2 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 104.244.46.167:443 -> 192.168.1.2:54182
01/15/2018-09:24:11.264202 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 195.122.169.7:80 -> 192.168.1.2:34216
01/15/2018-09:24:11.321900 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 80.239.197.103:80 -> 192.168.1.2:39408
01/15/2018-09:24:11.671958 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 37.48.82.67:80 -> 192.168.1.2:39128
01/15/2018-09:24:11.723180 [Drop] [**] [1:2007670:10] ET DELETED Likely Binary in HTTP by Type Flowbit [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 93.184.220.29:80 -> 192.168.1.2:50744