Suricata rule category "policy" blocks yum

v7
suricata

(Markus Neuberger) #1

NethServer Version: 7.4.1708
Module: Suricata IPS

Hi Community,

I found an interesting behaviour in Suricata. If I block the “Policy” rule category, yum is blocked. Yum-cron is affected too. In evebox I see:

ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management

Yum update does not work:

[root@nethserver markus]# yum update
Loaded plugins: changelog, fastestmirror, nethserver_events, priorities
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
12: Timeout on http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')

Maybe it’s because I just have one green network interface and suricata wants to block client network yum updates?
OK, so I could just set “Policy” to “Alert”, but the problem is that the policy category also includes things like

which I do want to block. All other rule categories I set to block work like a charm. Is there a way to block server attacks and still allow yum?


#2

I don’t use NS for IPS… with that in mind, I will say that ET POLICY is not a category I would block.
If your server isn’t vulnerable to POODLE (and it should be patched), then that’s not a rule to be concerned with, nor is all the rest of the traffic probing for content management vulnerabilities, etc.

Would you want to block this; “ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)”?
or this; “ET POLICY PE EXE or DLL Windows file download”?

Because if you do, you’re going to create a world of hurt for yourself with any windows machines behind your gateway.


(Markus Neuberger) #3

Thanks for this info, I thought there may be really bad attacks in this category.
It’s a managed host, so there are no Windows clients, just this host with a green interface, maybe not a regular scenario for an IPS. I hoped I could find a kind of IPS rule whitelist, but I found nothing except for IP whitelisting, which is really hard with mirrorlists…

EDIT:

I solved it in a dirty way, but changing something in the IPS settings in the web UI will revert my settings.
I set “policy” to block in web UI and set the yum rule in /etc/suricata/rules/ET-emerging-policy.rules to “alert” instead of “drop”.

I tried with templates-custom…but no luck on this.

Tried it on another NethServer VM with red and green interfaces, but yum was blocked the same way with the “policy” category set to block.
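The workaround above (flipping a single rule from “drop” to “alert” inside the ET policy rules file) can be scripted so that only the intended rule is touched and the edit is repeatable after the web UI regenerates the file. The following is an added example, not NethServer’s tooling and not part of the original post: the rule text and sids in SAMPLE_RULES are constructed placeholders in the local sid range, not the real ET ruleset, and the function selects rules by a substring of their msg or by sid. Suricata still has to reload its rules afterwards for the change to take effect.

```python
"""Downgrade selected Suricata rules from 'drop' to 'alert', leaving every other line untouched."""
import re
import sys

# Constructed sample in ET rules-file format (NOT the real ET ruleset).
# sids 1000001+ are local placeholders, not real Emerging Threats identifiers.
SAMPLE_RULES = """\
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; content:"urlgrabber"; http_user_agent; classtype:policy-violation; sid:1000001; rev:1;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; classtype:policy-violation; sid:1000002; rev:1;)
# drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY disabled example"; sid:1000003; rev:1;)
"""

# A rule line starts with its action keyword; commented-out rules start with '#'.
ACTION_RE = re.compile(r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s")
MSG_RE = re.compile(r'msg:"(?P<msg>[^"]*)"')
SID_RE = re.compile(r"\bsid:(?P<sid>\d+)\s*;")


def rule_fields(line):
    """Return (action, msg, sid) for an active rule line, or None for comments/blank lines."""
    m = ACTION_RE.match(line)
    if not m:
        return None
    msg = MSG_RE.search(line)
    sid = SID_RE.search(line)
    return (
        m.group("action"),
        msg.group("msg") if msg else "",
        int(sid.group("sid")) if sid else None,
    )


def downgrade_rules(text, msg_substring=None, sids=()):
    """Rewrite 'drop' to 'alert' for rules whose msg contains msg_substring or whose sid is in sids.

    Returns (new_text, changed_sids). Lines that are not selected are copied verbatim,
    so a diff against the original file shows only the intended rules. Running it twice
    is harmless: already-downgraded rules no longer match the 'drop' action.
    """
    wanted = set(sids)
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        fields = rule_fields(line)
        if fields and fields[0] == "drop":
            _, msg, sid = fields
            if (msg_substring and msg_substring in msg) or (sid is not None and sid in wanted):
                line = "alert" + line[len("drop"):]
                changed.append(sid)
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    # Usage (assumed path from the post): python3 downgrade.py /etc/suricata/rules/ET-emerging-policy.rules "GNU/Linux YUM User-Agent"
    path, needle = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        original = fh.read()
    new_text, changed_sids = downgrade_rules(original, msg_substring=needle)
    with open(path, "w") as fh:
        fh.write(new_text)
    print("downgraded to alert:", changed_sids)
```

Because the match is on the rule’s msg text rather than on a hard-coded sid, the script keeps working when the ET rule is revised; matching on a sid is offered as an alternative for rules whose message is less distinctive.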


(Filippo Carletti) #4

I agree with @fasttech, you should not block the policy category.


(Markus Neuberger) #5

Thanks for your recommendations… Just alerting instead of blocking is ok for me and solves it. But what do you think about a line in the wiki/docs about this?

http://docs.nethserver.org/en/v7/suricata.html

Something like: blocking is not recommended, because client/server updates or libraries may be blocked?


(Filippo Carletti) #6

Done. Hope it’s clear enough.


(Markus Neuberger) #7

Perfect, thank you.


(Aaron) #8

I have a very similar problem to that of @mrmarkuz,
exactly the same error messages…

I also use suricata. when I turn it off, yum and wget work perfectly fine… however when I turn it on, I get the timeout message mentioned by @mrmarkuz
However, I already set the “policy” ruleset to alert. Neither yum nor wget is working correctly (especially yum… wget works as long as I don’t try to download the repo file manually).

I don’t know which ruleset of suricata blocks it in my case… any ideas? or how can I see it?


(Markus Neuberger) #9

You may use evebox to see which categories are blocked:

http://docs.nethserver.org/en/v7/suricata.html#evebox
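Evebox reads the same data Suricata writes to its EVE JSON log, so the question in #8 (“which ruleset blocks it?”) can also be answered on the command line. The following is an added example, not part of the thread and not NethServer or evebox code: it walks eve.json, keeps only alert events whose action was “blocked”, and groups them by the ET category taken from the signature’s “ET <CATEGORY>” prefix (an assumption that this prefix matches the rules file the rule lives in). SAMPLE_EVE is constructed to mirror the fields Suricata emits for alerts; its sids, IPs and timestamps are placeholders, and the default log path is an assumption.

```python
"""Summarise which Suricata signatures and ET categories are actually dropping traffic, from eve.json."""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample eve.json lines (NOT a real capture). The field layout mirrors
# Suricata's EVE alert records; sids 1000001+ are placeholders, IPs are documentation ranges.
SAMPLE_EVE = """\
{"timestamp":"2018-01-10T10:00:01.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2018-01-10T10:00:02.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.21","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management","category":"Potential Corporate Privacy Violation","severity":3}}
{"timestamp":"2018-01-10T10:00:03.000000+0100","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000004,"rev":2,"signature":"ET SCAN Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2018-01-10T10:00:04.000000+0100","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.20","proto":"TCP"}
{"timestamp":"2018-01-10T10:00:05.000000+0100","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.22","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"ET POLICY PE EXE or DLL Windows file download","category":"Potential Corporate Privacy Violation","severity":3}}
this line is truncated garbage and must be skipped
"""


def et_category(signature):
    """Map 'ET POLICY ...' to 'policy', the category name the NethServer UI lists.

    Assumption: the 'ET <WORD>' prefix of the message matches the rules file the rule
    lives in (e.g. ET-emerging-policy.rules). Non-ET signatures are reported as 'unknown'.
    """
    parts = signature.split()
    if len(parts) >= 2 and parts[0] == "ET":
        return parts[1].lower()
    return "unknown"


def iter_alerts(lines):
    """Yield parsed alert events, skipping blank, unparsable and non-alert lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # partially written or corrupted line; eve.json is appended live
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def summarise_blocked(text):
    """Return {et_category: {signature: count}} for alerts whose action was 'blocked'."""
    blocked = defaultdict(Counter)
    for event in iter_alerts(text.splitlines()):
        alert = event["alert"]
        if alert.get("action") == "blocked":
            blocked[et_category(alert.get("signature", ""))][alert.get("signature", "")] += 1
    return {cat: dict(counts) for cat, counts in blocked.items()}


def blocked_from(text, src_ip):
    """Sorted signatures that blocked traffic originating from src_ip (e.g. the host running yum)."""
    return sorted({
        event["alert"]["signature"]
        for event in iter_alerts(text.splitlines())
        if event["alert"].get("action") == "blocked" and event.get("src_ip") == src_ip
    })


if __name__ == "__main__":
    # Default path is an assumption (Suricata's usual location); pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/eve.json"
    with open(path) as fh:
        summary = summarise_blocked(fh.read())
    for category, counts in sorted(summary.items()):
        print(f"[{category}] blocked by {len(counts)} signature(s)")
        for signature, count in counts.most_common() if hasattr(counts, "most_common") else sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {count:6d}  {signature}")
```

Run against the sample, the only category that blocks anything is “policy”, and the YUM User-Agent signature is the one firing from the server’s own address; run against a real eve.json it shows which category still has to be switched to alert when yum keeps timing out even though “policy” no longer blocks.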