Project

General

Profile

Actions

Bug #5633

closed

Pass rules on 6.0.8 are generating alert events when passing tunneled traffic

Added by Don Williams over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I tested upgrading to suricata 6.0.8 from 6.0.6 and was suddenly being spammed with alerts on custom pass rules that should not be generating alerts at all. These are pass rules old/new that have been in use since Suricata 3.x and I have never witnessed suricata ever alerting from a pass rule signature. One of the strangest things I have ever seen.

I tried many times to reproduce this in lab with pcap samples of traffic from production that was generating the alerts, but had no success.

I finally realized that all the pass rule alerts were within a GRE or IPv6-Frag tunnel as reported by the tunnel.proto field of the json alerts.

Once I collected a production pcap sample on the tunnel IPs instead of direct src/dest I was immediately able to reproduce the issue in lab. Apparently we have some of the same types of traffic inside a tunnel as well as not.

I personally use a custom compiled Suricata 6.0.8 on CentOS 7, but I have a coworker that uses the CentOS 7 rpm package as well. His sensors are on completely different networks with completely different pass rules and he saw the exact same flood of pass rule alerts being generated when he tested. Every one of his pass rule alerts were also for traffic inside a tunnel. Neither of us changed any config at all, and only changed the installed Suricata version.

I redacted quite a lot, but this is one the sample alerts that was generated by suricata 6.0.8 for a pass rule for traffic in a tunnel. The actual IPs represented inside the tunnel should have matched with pass rule IP variables and been ignored. The actual packet was a generic syslog message.

{
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 60000139,
    "rev": 2,
    "signature": "CUSTOM---",
    "category": "Misc activity",
    "severity": 3,
    "rule": "pass udp $HOME_NET any -> $INTERNAL 514 (msg:\"CUSTOM---\"; classtype:misc-activity; sid:60000139; rev:2;)" 
  },
  "app_proto": "failed",
  "community_id": "1:---",
  "dest_ip": "172.0.0.0",
  "dest_port": 514,
  "ether": {},
  "event_type": "alert",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 178,
    "bytes_toclient": 0,
    "start": "2022-11-02T22:20:14.454443+0000" 
  },
  "flow_id": 123---,
  "in_iface": "mon4",
  "packet": "---",
  "packet_info": {
    "linktype": 12
  },
  "payload": "---",
  "payload_printable": "---",
  "proto": "UDP",
  "src_ip": "172.0.0.0",
  "src_port": 514,
  "stream": 0,
  "timestamp": "2022-11-02T22:20:14.454443+0000",
  "tunnel": {
    "src_ip": "156.0.0.0",
    "src_port": 0,
    "dest_ip": "156.0.0.0",
    "dest_port": 0,
    "proto": "GRE",
    "depth": 1
  }
}

This is Suricata version 6.0.8 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON PROFILING TLS TLS_GNU MAGIC RUST 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.8.5 20150623 (Red Hat 4.8.5-44), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.41, linked against LibHTP v0.5.41

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  GeoIP2 support:                          yes
  Non-bundled htp:                         no
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/local/bin/rustc
  Rust compiler version:                   rustc 1.44.1 (c7087fe00 2020-06-17)
  Cargo path:                              /usr/local/bin/cargo
  Cargo version:                           cargo 1.44.1 (88ba85757 2020-06-11)
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python2.7
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       yes
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -std=gnu99 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/local/include
  SECCFLAGS        

Files

gre-sample.pcap (7.22 KB) gre-sample.pcap Don Williams, 11/22/2022 03:34 PM
pass.rules (110 Bytes) pass.rules Don Williams, 11/22/2022 03:35 PM
fast.log (485 Bytes) fast.log Don Williams, 11/22/2022 03:35 PM
eve.json (3.13 KB) eve.json Don Williams, 11/22/2022 03:36 PM

Subtasks 1 (0 open1 closed)

Bug #5697: Pass rules on 6.0.8 are generating alert events when passing tunneled traffic (6.0.x backport)RejectedActions

Related issues 1 (0 open1 closed)

Related to Suricata - Security #5571: ips: encapsulated packet logged as dropped, but not actually droppedClosedVictor JulienActions
Actions #1

Updated by Victor Julien over 1 year ago

  • Description updated (diff)
Actions #2

Updated by Victor Julien over 1 year ago

  • Related to Security #5571: ips: encapsulated packet logged as dropped, but not actually dropped added
Actions #3

Updated by Victor Julien over 1 year ago

Possibly related to #5571

Actions #4

Updated by Victor Julien over 1 year ago

  • Priority changed from Urgent to High
  • Target version changed from TBD to 7.0.0-rc1
  • Label Needs backport to 6.0 added

Are you able to provide a test case (pcap+rules+expected output) for our Suricata-Verify repo? https://github.com/OISF/suricata-verify

Actions #5

Updated by Shivani Bhardwaj over 1 year ago

  • Subtask #5697 added
Actions #6

Updated by Shivani Bhardwaj over 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #7

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jeff Lucovsky
Actions #8

Updated by Jeff Lucovsky over 1 year ago

Having a PCAP would help, even if the pcap has a few packets. The pcap can be posted here or shared privately (if there's sensitive information within it)

Updated by Don Williams over 1 year ago

There is nothing special in my traffic. It is just basic GRE tunnel traffic of many different types of data.

I downloaded this gre sample from bro and wrote a very basic pass rule and was able to duplicate it.
https://github.com/bro/bro/raw/master/testing/btest/Traces/tunnels/gre-sample.pcap

With this I was able to get Suricata alerting on the pass rule rather than actually passing the traffic.

Actions #10

Updated by Victor Julien over 1 year ago

FYI this appears to be already fixed in master. Needs a SV test to confirm.

Actions #11

Updated by Victor Julien over 1 year ago

  • Status changed from Assigned to In Progress
  • Assignee changed from Jeff Lucovsky to Victor Julien
Actions #12

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-rc1 to 6.0.9

Confirmed to work correctly in 7.0.0-beta1 and current git master.

Actions #14

Updated by Victor Julien over 1 year ago

  • Status changed from In Progress to Closed
Actions

Also available in: Atom PDF