Regression #12476

closed

Suricata 6.0.3_3 Pass List ignores all single IPs

Added by Steve Y over 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Suricata
Target version:
-
Start date:
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
21.05.1
Affected Architecture:
All

Description

After upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3 all Pass List entries for single IPs are ignored and not listed. I've replicated this on a 3100/21.05.1 and a PC/2.5.2.

Setup:
Pass List is set to use alias Suricata_Trusted_Hosts. Alias Suricata_Trusted_Hosts contains multiple aliases and IPs. One of the aliases is a Network type (64.x.x.148/29 and 74.x.x.0/25), the rest are single IPs or an alias for single IPs.

Before upgrade (note this includes configured DNS servers (Quad9) and gateways):
9.9.9.9
10.wan.subnet.1
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2
50.x.x.105
64.x.x.148/29
74.x.x.0/25
74.x.x.41
127.0.0.1/32
149.112.112.112
173.isp.subnet.46
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9
2620:fe::9/128
2620:fe::fe
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

After upgrade (all above single IPs missing):
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change alias type of Suricata_Trusted_Hosts from Host(s) to Network(s) (and Save, and Apply) and the View List button shows this, with all single IPs in that alias now listed as /32s:
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change the Quad9 alias from Host(s) to Network(s), View List shows:
9.9.9.9/32
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
149.112.112.112/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change remaining Host(s) alias from Host(s) to Network(s), View List shows:
9.9.9.9/32
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
50.x.x.105/32
64.x.x.148/29
74.x.x.0/25
74.x.x.41/32
127.0.0.1/32
149.112.112.112/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Note this is still not the same as the first list above, since it does not include DNS servers, gateways, etc. by default (2620:fe::9 and 2620:fe::9/128). I understand this isn't necessary, but my point is that it omits those by default unless one adds them to the pass list manually.

Forum thread: https://forum.netgate.com/topic/167297/suricata-pass-list-missing-some-ips/


Related issues

Related to Bug #12322: Suricata creates invalid HOME_NET entries (Resolved, Viktor Gurov)

Actions #1

Updated by Steve Y over 2 years ago

Edit: I have a 2100/21.05.1 with the latest Snort 4.1.4_3 and it doesn't have this issue.

Actions #2

Updated by Steve Y over 2 years ago

I did not try intermediate versions between 6.0.0_14 and 6.0.3_3, just installed the latest, so I can't say when this started. I know it wasn't an issue on 6.0.0_14 on the 2.5.2 router, or others on 6.0.0_14/21.05.1 I've looked at today. To be more correct, the 3100 had previously had pfSense 2.4.4 and an older version of the Suricata package, which I had uninstalled, and reinstalled the latest version after upgrading.

Actions #3

Updated by Viktor Gurov over 2 years ago

  • Tracker changed from Bug to Regression

Actions #4

Updated by Viktor Gurov over 2 years ago

  • Related to Bug #12322: Suricata creates invalid HOME_NET entries added

Actions #5

Updated by Aren Breur over 2 years ago

I am running 2.6.0-DEVELOPMENT (amd64). A network with /15 also does NOT work. I made it into 2 /16 networks, and that works fine.
The /15 does show in the tooltip, but hosts still get blocked.

Actions #6

Updated by Bill Meeks over 2 years ago

Aren Breur wrote in #note-5:

I am running 2.6.0-DEVELOPMENT (amd64). A network with /15 also does NOT work. I made it into 2 /16 networks, and that works fine.
The /15 does show in the tooltip, but hosts still get blocked.

This might not be the same issue as the one this ticket was created for. If your subnet shows in the Tooltip pop-up dialog, that indicates the GUI code correctly processed it. But if you are still getting blocks, it could be one of these two possibilities:

  1. Suricata has not been restarted after making a change to a Pass List assignment;
  2. The Radix Tree code within the Suricata binary, which is used by the Pass List logic to test if a given IP address from an alert falls within a Pass List covered network, is not correctly processing the /15 subnet.

Can you share the exact network specification you are using that fails? If it turns out that Possibility #2 is the issue, then please open a separate Redmine Issue for tracking that problem.

Thanks,
Bill
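
The two mechanisms discussed in this ticket, the Pass List build that must not drop bare single IPs (the description) and the "does this alert IP fall inside a Pass List network" test that Bill describes in #note-6, modelled as an added example. This is illustrative code written for this page, not the pfSense Suricata package's code or its actual fix; it uses Python's standard ipaddress module in place of Suricata's radix tree, and the alias names and addresses are constructed placeholders.

```python
"""Added, illustrative example; not the pfSense Suricata package's code.

Models the two behaviours discussed in this ticket with Python's ipaddress
module: (1) what a Pass List builder must do with bare host entries so that
they are not silently dropped, and (2) the membership test an alert IP has to
pass against the resulting CIDR list (Suricata does this with a radix tree;
a linear scan over ipaddress networks is enough to reason about it here).
"""
import ipaddress

# Constructed sample aliases, loosely modelled on the redacted lists in the
# ticket.  Alias names and addresses are placeholders, not real hosts.
ALIASES = {
    "Suricata_Trusted_Hosts": {
        "type": "host",
        "entries": ["10.0.0.2", "10.0.0.1/32", "10.0.0.1", "2620:fe::9"],
    },
    "Quad9": {"type": "host", "entries": ["9.9.9.9", "149.112.112.112"]},
    "Partner_Networks": {
        "type": "network",
        "entries": ["64.0.0.144/29", "74.0.0.0/25", "10.64.0.0/15"],
    },
}


def regression_filter(entries):
    """Models the symptom in the description: keep only entries that already
    carry a prefix length, so every bare single IP silently disappears."""
    return [e for e in entries if "/" in e]


def normalize_entry(entry):
    """Return the entry as a canonical CIDR string.

    Bare hosts get /32 (IPv4) or /128 (IPv6); networks are canonicalised
    with strict=False so a host-bits-set entry like 10.64.1.5/15 becomes
    10.64.0.0/15 instead of raising.  Raises ValueError for non-addresses.
    """
    if "/" in entry:
        return str(ipaddress.ip_network(entry, strict=False))
    addr = ipaddress.ip_address(entry)
    return str(ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}"))


def build_pass_list(aliases):
    """Flatten host and network aliases into a de-duplicated CIDR list.

    Entries that are not IP literals (e.g. unresolved hostnames) are skipped
    and returned separately so the caller can see what was left out rather
    than discovering it from an unexpected block.
    """
    seen, passed, skipped = set(), [], []
    for name, alias in aliases.items():
        for entry in alias["entries"]:
            try:
                cidr = normalize_entry(entry)
            except ValueError:
                skipped.append((name, entry))
                continue
            if cidr not in seen:
                seen.add(cidr)
                passed.append(cidr)
    return passed, skipped


def is_passed(ip, pass_list):
    """True if the alert's IP falls inside any Pass List network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in pass_list)


if __name__ == "__main__":
    passed, skipped = build_pass_list(ALIASES)
    print("pass list:", passed)
    print("skipped:", skipped)
    for probe in ("9.9.9.9", "10.65.200.7", "10.66.0.1", "2620:fe::9"):
        print(probe, "passed" if is_passed(probe, passed) else "BLOCKED")
```

Running the script shows the difference between the two builders directly: `regression_filter` keeps only the one entry that already had a prefix, while `build_pass_list` yields every host as a /32 or /128 alongside the networks, with `10.0.0.1` and `10.0.0.1/32` collapsed into one entry. The /15 probe is the case from #note-5: an address such as 10.65.200.7 is inside 10.64.0.0/15 and is passed, while 10.66.0.1 is outside it and is not, which is the property to check first when a correctly listed network still produces blocks.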

Actions #7

Updated by Viktor Gurov over 2 years ago

  • Status changed from New to Feedback

Merged

Actions #8

Updated by Steve Y over 2 years ago

As far as feedback from me, I had posted in the forum thread but apparently not here. Manually making the code change worked for me.

Actions #9

Updated by Marcos M almost 2 years ago

  • Status changed from Feedback to Resolved