NethServer Version: NS7
Module: suricata
A few days ago I allowed these updates:
Jan 06 15:33:20 Updated: dracut-033-502.el7_4.1.x86_64
Jan 06 15:33:22 Installed: libprelude-4.0.0-1.el7.x86_64
Jan 06 15:33:22 Installed: hiredis-0.12.1-1.el7.x86_64
Jan 06 15:33:23 Updated: suricata-4.0.3-1.el7.x86_64
Jan 06 15:33:23 Updated: dracut-config-rescue-033-502.el7_4.1.x86_64
Jan 06 15:33:24 Updated: dracut-network-033-502.el7_4.1.x86_64
Jan 06 15:33:25 Updated: pulledpork-0.7.3-1.el7.noarch
A couple of days after that, yesterday in fact, I noticed these e-mails, which I’d been receiving since then:
You are not using the current version of pulledpork.conf!
Please use the version of pulledpork.conf that shipped with PulledPork v0.7.3!
at /usr/bin/pulledpork line 1769.
A quick couple of checks made me think that I needed to rebuild the following to correct the version number coded in that file:
expand-template /etc/pulledpork/pulledpork.conf
Well, that evidently ran overnight via cron as it should, this time with no errors. But what met me this morning was a disaster.
Around 60% - 70% of all websites I tried to connect to, including this support site, all failed with “Connection has been reset”. Three separate VPN applications on three different laptops to three different corporate servers all refused to connect.
Eventually, clutching at straws, I turned off suricata from the NS interface and everything started running normally again.
I only have the following rules set to block: FTP, malware, SCAN, SMTP, Trojan, VOIP, and Web Server.
This appears to be excessively aggressive behaviour that I hadn’t seen in months of previous running. What rules do most other people run?
Cheers.
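Added example, not part of the original post or of NethServer/Suricata: before disabling Suricata wholesale, a small script like this can be run over /var/log/suricata/fast.log to tally which rules and classifications are actually producing [Drop] events. The regex follows Suricata's fast.log line layout; the SIDs, messages and addresses in the embedded sample are constructed placeholders, not real rules.

```python
import re
from collections import Counter

# Regex for Suricata fast.log lines; the optional "[Drop]" tag marks
# packets dropped in IPS mode, plain alerts carry no action tag.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>Drop|wDrop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]*)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_log(lines):
    """Yield one dict per parseable fast.log line; skip anything else."""
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def drop_summary(lines, top=5):
    """Count dropped packets per (sid, msg) and per classification.
    Returns (by_rule, by_class) as lists of (key, count), most frequent first."""
    by_rule, by_class = Counter(), Counter()
    for ev in parse_fast_log(lines):
        if ev["action"] != "Drop":      # ignore alert-only events
            continue
        by_rule[(int(ev["sid"]), ev["msg"])] += 1
        by_class[ev["cls"]] += 1
    return by_rule.most_common(top), by_class.most_common(top)

# Constructed sample: fake SIDs (1000001-1000003) and messages, not real ET rules.
SAMPLE_FAST_LOG = """\
01/07/2018-08:12:33.101010  [Drop] [**] [1:1000001:1] TEST WEB_SERVER suspicious HTTP header [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51234 -> 203.0.113.7:443
01/07/2018-08:12:34.202020  [Drop] [**] [1:1000001:1] TEST WEB_SERVER suspicious HTTP header [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:51235 -> 203.0.113.8:443
01/07/2018-08:12:35.303030  [**] [1:1000002:2] TEST SCAN port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.5:40000 -> 192.0.2.10:22
01/07/2018-08:12:36.404040  [Drop] [**] [1:1000003:1] TEST VOIP odd SIP method [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.0.2.12:5060 -> 203.0.113.9:5060
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    rules, classes = drop_summary(SAMPLE_FAST_LOG)
    for (sid, msg), n in rules:
        print(f"{n:4d}  sid {sid}  {msg}")
    for cls, n in classes:
        print(f"{n:4d}  {cls}")
```

Run it against the real file with `drop_summary(open("/var/log/suricata/fast.log"))`; the top SIDs tell you which single rules or categories to move from block back to alert instead of switching the whole IPS off.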