Regression #12476 (closed)

Suricata 6.0.3_3 Pass List ignores all single IPs

Added by Steve Yates 9 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version: 21.05.1
Affected Architecture: All

Description

After upgrading pfSense-pkg-suricata from 6.0.0_14 to 6.0.3_3 all Pass List entries for single IPs are ignored and not listed. I've replicated this on a 3100/21.05.1 and a PC/2.5.2.

Setup:
Pass List is set to use alias Suricata_Trusted_Hosts. Alias Suricata_Trusted_Hosts contains multiple aliases and IPs. One of the aliases is a Network type (64.x.x.148/29 and 74.x.x.0/25), the rest are single IPs or an alias for single IPs.

Before upgrade (note this includes configured DNS servers (Quad9) and gateways):
9.9.9.9
10.wan.subnet.1
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2
50.x.x.105
64.x.x.148/29
74.x.x.0/25
74.x.x.41
127.0.0.1/32
149.112.112.112
173.isp.subnet.46
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9
2620:fe::9/128
2620:fe::fe
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

After upgrade (all above single IPs missing):
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change alias type of Suricata_Trusted_Hosts from Host(s) to Network(s) (and Save, and Apply) and the View List button shows this, with all single IPs in that alias now listed as /32s:
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change the Quad9 alias from Host(s) to Network(s), View List shows:
9.9.9.9/32
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
64.x.x.148/29
74.x.x.0/25
127.0.0.1/32
149.112.112.112/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Change remaining Host(s) alias from Host(s) to Network(s), View List shows:
9.9.9.9/32
10.wan.subnet.1/32
10.wan.subnet.42/32
10.lan.subnet.0/24
10.lan.subnet.2/32
50.x.x.105/32
64.x.x.148/29
74.x.x.0/25
74.x.x.41/32
127.0.0.1/32
149.112.112.112/32
173.isp.subnet.46/32
2001:x:x:233::2/128
2001:x:y:233::/64
2620:fe::9/128
2620:fe::fe/128
::1/128
fe80::6a05:caff:fe43:d869/128
fe80::d63d:7eff:feb2:56c4/128

Note this is still not the same as the first list above since it does not include DNS servers, gateways, etc. by default (2620:fe::9 and 2620:fe::9/128). I understand this isn't necessary, but my point is that it is omitting those by default unless one adds them to the pass list manually.

Forum thread: https://forum.netgate.com/topic/167297/suricata-pass-list-missing-some-ips/
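The symptom reported above is consistent with a pass-list builder that keeps only entries already written in CIDR form and silently drops bare host addresses, which is why converting the alias to Network(s) (so every host is emitted as /32 or /128) makes them reappear. The following is an added example, not code from the pfSense Suricata package: it shows a filter with that failure mode beside a normalizing version that maps bare IPv4 hosts to /32, bare IPv6 hosts to /128, de-duplicates entries such as a host listed both with and without a prefix, and rejects anything that is not an address or network. It also includes a check a practitioner can run to compare the alias contents against what the View List button actually shows. All addresses are constructed sample data (documentation ranges plus the Quad9 resolvers), not the reporter's redacted values.

```python
"""Pass-list normalization: a lossy filter beside its corrected form.

Added example; this is NOT the pfSense Suricata package's own (PHP) code.
Function names and sample data are assumptions made for illustration.
"""
import ipaddress
from typing import Iterable, List, Set

# Constructed alias contents, mixing bare hosts and CIDR networks (v4 and v6).
SAMPLE_ALIAS: List[str] = [
    "9.9.9.9",            # Quad9, bare IPv4 host
    "149.112.112.112",    # Quad9, bare IPv4 host
    "192.0.2.0/29",       # network entry
    "198.51.100.0/25",    # network entry
    "198.51.100.41",      # bare host inside the network above
    "127.0.0.1/32",       # host already written as /32
    "2620:fe::9",         # bare IPv6 host
    "2620:fe::9/128",     # same host, already written as /128
    "::1/128",
]


def lossy_build_pass_list(entries: Iterable[str]) -> List[str]:
    """Reproduces the reported failure mode: only entries that already carry a
    prefix length survive, so every bare host from a Host(s) alias is dropped
    without any error being raised."""
    return [e.strip() for e in entries if "/" in e]


def build_pass_list(entries: Iterable[str]) -> List[str]:
    """Corrected form: normalize every entry to CIDR notation.

    Bare IPv4 hosts become /32, bare IPv6 hosts become /128, networks are kept
    (with host bits zeroed), duplicates are collapsed, and malformed entries
    raise instead of being silently skipped.
    """
    out: List[str] = []
    seen: Set[str] = set()
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        try:
            if "/" in raw:
                net = ipaddress.ip_network(raw, strict=False)
            else:
                addr = ipaddress.ip_address(raw)
                net = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
        except ValueError as exc:
            raise ValueError(f"pass list entry {raw!r} is not an IP or CIDR") from exc
        key = str(net)
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def missing_from_installed(alias_entries: Iterable[str],
                           installed: Iterable[str]) -> Set[str]:
    """Check: which normalized alias entries are absent from the list Suricata
    actually received (e.g. the output of the View List button)?"""
    expected = set(build_pass_list(alias_entries))
    present = set(build_pass_list(installed))
    return expected - present


if __name__ == "__main__":
    lossy = lossy_build_pass_list(SAMPLE_ALIAS)
    fixed = build_pass_list(SAMPLE_ALIAS)
    print("lossy :", lossy)
    print("fixed :", fixed)
    print("dropped by lossy builder:", sorted(missing_from_installed(SAMPLE_ALIAS, lossy)))
```

Running the block shows the three bare hosts (9.9.9.9, 149.112.112.112, 198.51.100.41) as the entries the lossy builder loses, while the corrected builder emits them as /32 and collapses 2620:fe::9 and 2620:fe::9/128 into a single /128. The `missing_from_installed` check is the quick way to verify a pass list after an upgrade: feed it the alias contents and the View List output and it returns exactly what went missing.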


Related issues

Related to Bug #12322: Suricata creates invalid HOME_NET entries (Status: Feedback, Assignee: Viktor Gurov)
