juef, October 9, 2023, 6:53pm
Hi,
I've created a rule
drop bittorrent-dht any any -> any any (msg: "Block torrent traffic"; priority:1; sid:1000000; rev:1;)
In the logs it's marked as "action":"blocked", however the traffic is not blocked, BitTorrent-DHT still works.
Web-viewer: evebox
Suricata version: 7.0.0
OS: Debian GNU/Linux 12 (bookworm)
Installed from backports packages.
IPS/inline mode using nftables.
UPD
I've replaced alert by drop for the rules that detect such traffic, i.e.:
sed -e '/torrent/Is/^alert/drop/g' \
-e '/dht/Is/^alert/drop/g' \
/var/lib/suricata/rules/suricata.rules \
> /var/lib/suricata/rules/custom.rules
But still no luck, torrents are not being blocked.
How are you running Suricata and what does the config look like?
Changing the rules is not enough; you need to make sure that you run IPS mode instead of IDS.
juef, October 26, 2023, 9:00pm
nftables snippet:
table inet filter {
    chain forward {
        type filter hook forward priority 0
        queue flags bypass,fanout to 0-1
        policy accept
    }
}
In /lib/systemd/system/suricata.service I've replaced ExecStart by:
ExecStart=/usr/bin/suricata -D -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -q 1
Is it enough to run it in IPS mode?
However, blocking other requests via dns.query, http.host, tls.sni, and quic.sni is definitely working (by the way, what is the equivalent for http2 to block some host?).
juef, October 26, 2023, 9:10pm
Config file is almost default: suricata.yaml (82.1 KB), bittorrent-dht enabled.
Can you provide the stats.log as well as the related eve.json output for those flows that should have been blocked, and also the alert event?
juef, November 13, 2023, 10:11pm
Sorry for the late reply.
(eve.bittorrent-dht.json filtered by grep torrent < eve.json | perl -pe 's|"src_ip":".*?"|"src_ip":"<redacted>"|g' | perl -pe 's|"dest_ip":".*?"|"dest_ip":"<redacted>"|g' | perl -pe 's|ipv6=.*?"|ipv6=<redacted>"|g')
With only
sed -e '/torrent/Is/^alert/drop/g' \
-e '/dht/Is/^alert/drop/g' \
/var/lib/suricata/rules/suricata.rules \
> /var/lib/suricata/rules/custom.rules
eve.bittorrent-dht.json (100.1 KB)
stats.log (83.3 KB)
Torrent that was already added was downloading.
With additional rule:
drop bittorrent-dht any any -> any any (msg: "Block torrent traffic"; priority:1; sid:1000186; rev:1;)
stats.log (53.8 KB)
eve.bittorrent-dht.json (96.7 KB)
New torrent wasn’t downloading (as http tracker gives no response).
Tested with the Debian torrent and the Transmission client.
However, if the torrent was added via a magnet URL, then run without Suricata for some time, and then again with Suricata, the torrent is still downloading.
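One way to check from eve.json whether a "blocked" alert really stopped a flow, as an added example that is not part of the thread or of Suricata itself: correlate each blocked alert with the flow record carrying the same flow_id and flag flows whose end time lies well after the first blocked alert, since packets evidently kept passing after the drop. The sample lines are constructed; the field names (flow_id, alert.action, flow.end) follow the eve.json schema, and the grace window is an assumed tuning value.

```python
import json
from datetime import datetime

# Constructed sample eve.json lines (not the thread's attachments). Flow 1 is
# marked "blocked" but its flow record ends five minutes later; flow 2 is
# marked "blocked" and its flow record ends right away.
SAMPLE_EVE = """
{"timestamp":"2023-11-13T22:00:00.000000+0100","flow_id":1,"event_type":"alert","proto":"UDP","app_proto":"bittorrent-dht","alert":{"action":"blocked","signature_id":1000186,"signature":"Block torrent traffic"}}
{"timestamp":"2023-11-13T22:05:30.000000+0100","flow_id":1,"event_type":"flow","proto":"UDP","app_proto":"bittorrent-dht","flow":{"pkts_toserver":400,"pkts_toclient":380,"start":"2023-11-13T21:50:00.000000+0100","end":"2023-11-13T22:05:00.000000+0100","alerted":true}}
{"timestamp":"2023-11-13T22:01:00.000000+0100","flow_id":2,"event_type":"alert","proto":"UDP","app_proto":"bittorrent-dht","alert":{"action":"blocked","signature_id":1000186,"signature":"Block torrent traffic"}}
{"timestamp":"2023-11-13T22:01:05.000000+0100","flow_id":2,"event_type":"flow","proto":"UDP","app_proto":"bittorrent-dht","flow":{"pkts_toserver":1,"pkts_toclient":0,"start":"2023-11-13T22:01:00.000000+0100","end":"2023-11-13T22:01:00.000000+0100","alerted":true}}
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # eve.json timestamp layout, e.g. ...+0100


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def blocked_flows_still_alive(eve_lines, grace_seconds=2.0):
    """Return {flow_id: seconds} for flows that got a 'blocked' alert but
    whose flow record ends more than grace_seconds after that alert, i.e.
    traffic kept passing after the supposed drop. Flows with no flow record
    yet (still open, not logged) are skipped."""
    first_block = {}   # flow_id -> timestamp of the earliest blocked alert
    flow_records = {}  # flow_id -> "flow" object of the flow event
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        fid = ev.get("flow_id")
        if ev.get("event_type") == "alert" and ev.get("alert", {}).get("action") == "blocked":
            ts = parse_ts(ev["timestamp"])
            if fid not in first_block or ts < first_block[fid]:
                first_block[fid] = ts
        elif ev.get("event_type") == "flow":
            flow_records[fid] = ev["flow"]
    still_alive = {}
    for fid, alert_ts in first_block.items():
        flow = flow_records.get(fid)
        if flow is None:
            continue
        lag = (parse_ts(flow["end"]) - alert_ts).total_seconds()
        if lag > grace_seconds:
            still_alive[fid] = lag
    return still_alive
```

Run it over the real eve.json with `blocked_flows_still_alive(open("eve.json"))`; any flow_id it returns is one where "action":"blocked" was logged but the flow outlived the drop.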
juef:
However, if the torrent was added via a magnet URL, then run without Suricata for some time, and then again with Suricata, the torrent is still downloading.
So for new connections the block works but for established connections it does not work?
Yes, exactly. Any suggestions on how I can fix this problem?