Project

General

Profile

Actions

Bug #12899

closed

Suricata doesn't honor Pass List

Added by Danilo Zrenjanin almost 3 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Suricata
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.6.0
Affected Plus Version:
22.01
Affected Architecture:

Description

It sometimes blocks the hosts defined in the selected Pass List. No matter whether you used IP subnet or Alias under Services/Suricata/Pass List, the addresses from the list get blocked.

More details at the forum post:
https://forum.netgate.com/topic/159610/suricata-pass-list-ignored/3

Actions #1

Updated by tasty ratz over 1 year ago

I've also experienced this for quite awhile. I created an alias for a vendor and added all IP addresses and ranges known for delivering their services. I then added that to my pass list.

I am constantly unblocking those IP's

I would really like to see this fixed.

Actions #2

Updated by Bill Meeks over 1 year ago

This has proven to be a very hard bug to find and fix. The problem is random. I have thus far been unable to reproduce it at will. And in fact, until just this afternoon, I had never had it happen on any of my test virtual machines. But this afternoon it did happen exactly once while testing the new Suricata 7.0.0 package. I have the network 192.168.233.0/24 in the Pass List, but Suricata implemented a block on IP address 192.168.233.1. That address is obviously within the netblock on the Pass List.

But thus far, every time I've tried to duplicate the bug with a debug version of the Suricata binary, I've been unsuccessful. I am going to investigate a completely different method of testing alerting IP addresses against the saved Pass List. The current method depends on the built-in Radix Tree code in the Suricata binary. There appears to be a random "failure to match" in that code. Or else I am using it incorrectly. Hard to say as there is no "how-to" manual provided.

Actions #3

Updated by Bill Meeks over 1 year ago

Another pass at resolving this long standing, but random, issue is in the code of Pull Request 1284 (https://github.com/pfsense/FreeBSD-ports/pull/1284) merged on August 10, 2023.

This issue can be marked resolved.

Actions #4

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF