Project

General

Profile

Actions

Regression #12476

open

Suricata 6.0.3_3 Pass List ignores all single IPs

Added by Steve Yates about 1 month ago. Updated 30 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Suricata
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
21.05.1
Affected Architecture:
All

Description

After upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3 all Pass List entries for single IPs are ignored and not listed. I've replicated this on a 3100/21.05.1 and a PC/2.5.2.

Setup:
Pass List is set to use alias Suricata_Trusted_Hosts. Alias Suricata_Trusted_Hosts contains multiple aliases and IPs. One of the aliases is a Network type (64.x.x.148/29 and 74.x.x.0/25), the rest are single IPs or an alias for single IPs.

Before upgrade (note this includes configured DNS servers (Quad9) and gateways):
9.9.9.9
10.wan.subnet.1
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2
50.x.x.105
64.x.x.148/29
74.x.x.0/25
74.x.x.41
127.0.0.1/32
149.112.112.112
173.isp.subnet.46
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9
2620:fe::9/128
2620:fe::fe
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

After upgrade (all above single IPs missing):
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change alias type of Suricata_Trusted_Hosts from Host(s) to Network(s) (and Save, and Apply) and the View List button shows this, with all single IPs in that alias now listed as /32s:
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change the Quad9 alias from Host(s) to Network(s), View List shows:
9.9.9.9/32
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
149.112.112.112/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change remaining Host(s) alias from Host(s) to Network(s), View List shows:
9.9.9.9/32
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
50.x.x.105/32
64.x.x.148/29
74.x.x.0/25
74.x.x.41/32
127.0.0.1/32
149.112.112.112/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Note this is still not the same as the first list above since it is not including DNS servers, gateways, etc. by default (2620:fe::9 and 2620:fe::9/128). I understand this isn't necessary but my point is it is omitting those by default unless one adds them to the pass list manually.

Forum thread: [[https://forum.netgate.com/topic/167297/suricata-pass-list-missing-some-ips/]]


Related issues

Related to Bug #12322: Suricata creates invalid HOME_NET entriesFeedbackViktor Gurov

Actions
Actions #1

Updated by Steve Yates about 1 month ago

Edit: I have a 2100/21.05.1 with the latest Snort 4.1.4_3 and it doesn't have this issue.

Actions #2

Updated by Steve Yates about 1 month ago

I did not try intermediate versions between 6.0.0_14 and 6.0.3_3, just installed the latest, so I can't say when this started. I know it wasn't an issue on 6.0.0_14 on the 2.5.2 router, or others on 6.0.0_14/21.05.1 I've looked at today. To be more correct, the 3100 had previously had pfSense 2.4.4 and an older version of the Suricata package, which I had uninstalled, and reinstalled the latest version after upgrading.

Actions #3

Updated by Viktor Gurov about 1 month ago

  • Tracker changed from Bug to Regression
Actions #4

Updated by Viktor Gurov about 1 month ago

  • Related to Bug #12322: Suricata creates invalid HOME_NET entries added
Actions #5

Updated by Aren Breur about 1 month ago

I am running 2.6.0-DEVELOPMENT (amd64). a network with /15 also does NOT work. I made it to 2 /16 networks that works fine
the /15 does show in the tooltip. but hosts still get blocked.

Actions #6

Updated by Bill Meeks 30 days ago

Aren Breur wrote in #note-5:

I am running 2.6.0-DEVELOPMENT (amd64). a network with /15 also does NOT work. I made it to 2 /16 networks that works fine
the /15 does show in the tooltip. but hosts still get blocked.

This might not be the same issue as the one this ticket was created for. If your subnet shows in the Tooltip pop-up dialog, that indicates the GUI code correctly processed it. But if you are still getting blocks, it could be one of these two possibilities:

  1. Suricata has not been restarted after making a change to a Pass List assignment;
  2. The Radix Tree code within the Suricata binary, which is used by the Pass List logic to test if a given IP address from an alert falls within a Pass List covered network, is not correctly processing the /15 subnet.

Can you share the exact network specification you are using that fails? If it turns out that Possibility #2 is the issue, then please open a separate Redmine Issue for tracking that problem.

Thanks,
Bill

Actions

Also available in: Atom PDF