Bug #1179

closed

Suricata block all traffic

Added by Anonymous almost 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,
I need help with this problem.
I have used Suricata from version 1.4.x to version 2.0 (IPS).
Suricata works without problems (no errors in the logs).
But after some time it blocked all traffic. I do not know what causes it. From the logs, I found that this activity happens:

04/10/2014-14:15:08.942997 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} 0000:0000:0000:0000:0000:0000:0000:0000:135 -> ff02:0000:0000:0000:0000:0001:ff6c:efde:0
04/10/2014-14:15:09.308078 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.317126 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:12.779459 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:15.445257 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:6aa3:c4ff:fe7e:4e6c:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
04/10/2014-14:15:17.341543 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0

Only one thing works -> restart Suricata. After the restart it works well.

Eventually I tried to find some solution (iptables rules, ip6tables default drop policy), but it happens again.
Suricata runs on CentOS 6.5.

suricata build info:

This is Suricata version 2.0 RELEASE
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON PROFILING
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-4), C version 199901
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.10, linked against LibHTP v0.5.10
Suricata Configuration:
AF_PACKET support: yes
PF_RING support: no
NFQueue support: yes
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes

libnss support:                          yes
libnspr support: yes
libjansson support: yes
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install:                      yes
Unit tests enabled:                      no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: yes
Profiling locks enabled: no
Coccinelle / spatch: no

Generic build parameters:
Installation prefix (--prefix): /usr/local
Configuration directory (--sysconfdir): /usr/local/etc/suricata/
Log directory (--localstatedir) : /usr/local/var/log/suricata/

Host:                                    x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no

Thank you.

Actions #1

Updated by Andreas Herz over 9 years ago

With [wDrop] this looks like monitoring mode and shouldn't drop (just log), so can you describe your setup a little bit and how you start suricata?
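As an added example (not part of this report or of Suricata itself), a small Python parser for the fast.log lines quoted in the report: it tallies events per action and signature so a defender can tell a log-only wDrop from an enforced Drop before blaming the rule. The sample lines are constructed from the report above; treating a line with no action field as a plain alert is an assumption.

```python
import re
from collections import Counter

# Constructed sample: two [wDrop] lines taken from the report above plus one
# plain alert line (no action field) in the same format.
SAMPLE_LOG = """\
04/10/2014-14:15:08.942997 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} 0000:0000:0000:0000:0000:0000:0000:0000:135 -> ff02:0000:0000:0000:0000:0001:ff6c:efde:0
04/10/2014-14:15:09.308078 [wDrop] [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:143 -> ff02:0000:0000:0000:0000:0000:0000:0016:0
04/10/2014-14:15:20.000000  [**] [1:2200029:1] SURICATA ICMPv6 unknown type [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:1cab:7232:a96c:efde:133 -> ff02:0000:0000:0000:0000:0000:0000:0002:0
"""

# Optional "[action]" field after the timestamp; plain IDS alerts omit it (assumption).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)(?: \[(?P<action>[^\]]+)\])? +\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def _split_host_port(field):
    # The port (ICMP type for ICMP) follows the last colon, also for the
    # expanded IPv6 addresses fast.log prints, so split on that colon only.
    host, port = field.rsplit(":", 1)
    return host, int(port)

def parse_fast_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["action"] = e["action"] or "alert"
    e["sid"], e["pri"] = int(e["sid"]), int(e["pri"])
    e["src"], e["src_port"] = _split_host_port(e["src"])
    e["dst"], e["dst_port"] = _split_host_port(e["dst"])
    return e

def summarize(log_text):
    """Count events per (action, sid): the first thing to check when an IPS
    host starts losing traffic is which action the engine actually applied."""
    events = (parse_fast_line(line) for line in log_text.splitlines())
    return Counter((e["action"], e["sid"]) for e in events if e)

def would_drop_sids(log_text):
    """SIDs seen with wDrop, which (per the comment above) is logged, not enforced."""
    return sorted({sid for act, sid in summarize(log_text) if act == "wDrop"})
```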

Actions #2

Updated by Anonymous over 9 years ago

Andreas Herz wrote:

With [wDrop] this looks like monitoring mode and shouldn't drop (just log), so can you describe your setup a little bit and how you start suricata?

I think that one of the Suricata 2.0.x updates corrected it. It has not happened for a long time. Perhaps I should close my ticket.

Actions #3

Updated by Peter Manev over 9 years ago

So with the current release you do not have that problem anymore, correct?

There were a couple of IPS-related bugs fixed in 2.x:
https://redmine.openinfosecfoundation.org/issues/1284
https://redmine.openinfosecfoundation.org/issues/1176

You could close this bug report - if that is the case.
Thanks for following up!

Actions #4

Updated by Anonymous over 9 years ago

Peter Manev wrote:

So with the current release you do not have that problem anymore, correct?

There were a couple of IPS-related bugs fixed in 2.x:
https://redmine.openinfosecfoundation.org/issues/1284
https://redmine.openinfosecfoundation.org/issues/1176

You could close this bug report - if that is the case.
Thanks for following up!

Yes, the problem looks like it is fixed. You can close this bug report. I don't know how I can close the report, or I haven't got permission to close it.
Thanks.

Actions #5

Updated by Peter Manev over 9 years ago

  • Status changed from New to Closed
