Suricata Broke (Almost) My Internet

suricata
v7

(Eddie Atherton) #1

NethServer Version: NS7
Module: suricata

A few days ago I allowed these updates:

Jan 06 15:33:20 Updated: dracut-033-502.el7_4.1.x86_64
Jan 06 15:33:22 Installed: libprelude-4.0.0-1.el7.x86_64
Jan 06 15:33:22 Installed: hiredis-0.12.1-1.el7.x86_64
Jan 06 15:33:23 Updated: suricata-4.0.3-1.el7.x86_64
Jan 06 15:33:23 Updated: dracut-config-rescue-033-502.el7_4.1.x86_64
Jan 06 15:33:24 Updated: dracut-network-033-502.el7_4.1.x86_64
Jan 06 15:33:25 Updated: pulledpork-0.7.3-1.el7.noarch

A couple of days after that, yesterday in fact, I noticed these e-mails which I’d been receiving since:

You are not using the current version of pulledpork.conf!
Please use the version of pulledpork.conf that shipped with PulledPork v0.7.3!

 at /usr/bin/pulledpork line 1769.

A quick couple of checks made me think that I needed to rebuild the following to correct the version number coded in that file:

expand-template /etc/pulledpork/pulledpork.conf

Well, that evidently ran overnight via cron as it should, this time with no errors. But what met me this morning was a disaster.

Around 60% - 70% of all websites I tried to connect to, including this support site, all failed with “Connection has been reset”. Three separate VPN applications on three different laptops to three different corporate servers all refused to connect.

Eventually, clutching at straws, I turned off suricata from the NS interface and everything started running normally again.

I only have the following rules set to block: FTP, malware, SCAN, SMTP, Trojan, VOIP, and Web Server.

This appears to be excessively aggressive behaviour that I hadn’t seen in months of previous running. What rules do most other people run?

Cheers.


IPS Network Problem
(Michael Träumner) #2

@filippo_carletti Do you have an idea?


(Filippo Carletti) #3

It could be a false positive for some rules. Please check EveBox Events for details. You may report problems with a signature at the link on the top right of the EveBox page.

The trojan category should NOT be set to Block.
IMO, the only “safe” categories to block are:
ET-botcc.portgrouped
ET-botcc
ET-ciarmy
ET-compromised
ET-drop
ET-dshield

Categories that can be blocked in most networks:
ET-emerging-activex
ET-emerging-attack_response
ET-emerging-dos
ET-emerging-exploit
ET-emerging-malware
ET-emerging-netbios

The rest set to alert.
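
One way to act on the advice to check the events for details, as an added example that is not part of the original thread: this Python script reads Suricata EVE JSON records and ranks the signatures whose alerts were blocked, by hit count and by number of distinct destinations. The sample records, SIDs and signature names are constructed, and the field names assume Suricata's standard EVE alert output.

```python
import json
from collections import Counter, defaultdict

# Constructed sample EVE lines (not from the thread). SIDs and signature names
# are placeholders; the last line is truncated on purpose.
SAMPLE_EVE = """\
{"event_type":"alert","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000001,"signature":"ET TROJAN Constructed Sample A"}}
{"event_type":"alert","dest_ip":"198.51.100.7","alert":{"action":"blocked","signature_id":9000001,"signature":"ET TROJAN Constructed Sample A"}}
{"event_type":"alert","dest_ip":"198.51.100.8","alert":{"action":"allowed","signature_id":9000003,"signature":"ET POLICY Constructed Sample C"}}
{"event_type":"dns","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.org"}}
{"event_type":"alert","dest_ip":"192.168.1.1","alert":{"action":"blocked","signature_id":9000002,"signature":"ET SCAN Constructed Sample B"}}
{"event_type":"alert","dest_ip":"192.0.2.44","alert":{"action":"blocked","signature_id":9000001,"signature":"ET TROJAN Constructed Sample A"}}
{"event_type":"alert","dest_ip":"192.0.2.45","alert":{"acti
"""


def blocked_alerts(lines):
    """Yield EVE alert events that Suricata blocked, skipping unparsable lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line or a record still being written
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        if (event.get("alert") or {}).get("action") == "blocked":
            yield event


def summarize(lines):
    """Return [(sid, signature, blocked_hits, distinct_destinations)], busiest first."""
    hits, dests = Counter(), defaultdict(set)
    for event in blocked_alerts(lines):
        key = (event["alert"].get("signature_id"), event["alert"].get("signature"))
        hits[key] += 1
        dests[key].add(event.get("dest_ip"))
    return [(sid, sig, n, len(dests[(sid, sig)])) for (sid, sig), n in hits.most_common()]


if __name__ == "__main__":
    # On a live sensor, pass open("/var/log/suricata/eve.json") instead; that
    # path is the Suricata default and an assumption about this install.
    for sid, sig, n, ndest in summarize(SAMPLE_EVE.splitlines()):
        print(f"sid={sid} hits={n} distinct_dests={ndest} {sig}")
```

A signature that blocks traffic to many unrelated destinations is the first candidate to switch from Block to Alert and to report as a false positive.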


(Walter Ferry Dissmann) #4

Yup, same happened to me. After updates… Disabled and everything is now normal.

Btw, I did only “alert” trojan here, and that was it to fix it.