Bug #12899

closed

Suricata doesn't honor Pass List

Added by Danilo Zrenjanin about 2 years ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.6.0
Affected Plus Version: 22.01
Affected Architecture:

Description

It sometimes blocks the hosts defined in the selected Pass List. No matter whether you used an IP subnet or an Alias under Services/Suricata/Pass List, the addresses from the list get blocked.

More details at the forum post:
https://forum.netgate.com/topic/159610/suricata-pass-list-ignored/3

Actions #1

Updated by tasty ratz 9 months ago

I've also experienced this for quite a while. I created an alias for a vendor and added all IP addresses and ranges known for delivering their services. I then added that to my pass list.

I am constantly unblocking those IPs.

I would really like to see this fixed.

Actions #2

Updated by Bill Meeks 9 months ago

This has proven to be a very hard bug to find and fix. The problem is random. I have thus far been unable to reproduce it at will. And in fact, until just this afternoon, I had never had it happen on any of my test virtual machines. But this afternoon it did happen exactly once while testing the new Suricata 7.0.0 package. I have the network 192.168.233.0/24 in the Pass List, but Suricata implemented a block on IP address 192.168.233.1. That address is obviously within the netblock on the Pass List.

But thus far, every time I've tried to duplicate the bug with a debug version of the Suricata binary, I've been unsuccessful. I am going to investigate a completely different method of testing alerting IP addresses against the saved Pass List. The current method depends on the built-in Radix Tree code in the Suricata binary. There appears to be a random "failure to match" in that code. Or else I am using it incorrectly. Hard to say as there is no "how-to" manual provided.
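
An independent way to audit for the symptom reported in this thread, as an added example (not code from the Suricata package or from Pull Request 1284): a plain mask-and-compare test of each blocked address against each pass list entry, with no radix tree involved. It handles IPv4 only; the function names are hypothetical and the sample lists are constructed, reusing the 192.168.233.0/24 and 192.168.233.1 values from the comment above.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `ip` is inside `entry` ("a.b.c.d" or "a.b.c.d/len"), 0 if not, -1 if malformed. */
int passlist_entry_matches(const char *entry, const char *ip)
{
    char buf[64];
    struct in_addr net, addr;
    long prefix = 32;               /* a bare address is treated as a /32 */
    if (snprintf(buf, sizeof buf, "%s", entry) >= (int)sizeof buf)
        return -1;                  /* entry too long to be a valid IPv4 CIDR */
    char *slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &net) != 1 || inet_pton(AF_INET, ip, &addr) != 1)
        return -1;
    /* /0 is special-cased: shifting a 32-bit value by 32 is undefined in C */
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (ntohl(net.s_addr) & mask) == (ntohl(addr.s_addr) & mask);
}

/* Print and count every blocked address that a pass list entry covers. */
int audit_blocks(const char **pass, size_t np, const char **blocked, size_t nb)
{
    int violations = 0;
    for (size_t i = 0; i < nb; i++)
        for (size_t j = 0; j < np; j++)
            if (passlist_entry_matches(pass[j], blocked[i]) == 1) {
                printf("%s is blocked but covered by %s\n", blocked[i], pass[j]);
                violations++;
                break;              /* one report per blocked address */
            }
    return violations;
}

int main(void)
{
    /* Constructed sample data, not taken from a real block table. */
    const char *pass[]    = { "192.168.233.0/24", "10.0.0.5" };
    const char *blocked[] = { "192.168.233.1", "203.0.113.9", "10.0.0.5" };
    return audit_blocks(pass, 2, blocked, 3) == 2 ? 0 : 1;
}
```

Any address this reports is one that was blocked despite being covered by the pass list, which is the condition described in this issue.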

Actions #3

Updated by Bill Meeks 9 months ago

Another pass at resolving this long-standing, but random, issue is in the code of Pull Request 1284 (https://github.com/pfsense/FreeBSD-ports/pull/1284) merged on August 10, 2023.

This issue can be marked resolved.

Actions #4

Updated by Jim Pingle 9 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100