IP is blocked even when on passlist

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)

Suricata version: 7.0.8_5

OS: pfSense version 2.8.1 using FreeBSD 15.0

Installed via pfSense package manager

I am having some very annoying issues regarding Suricata blocking IPs even when they are explicitly allowed through the filter.

I am fairly new to pfSense and Suricata and I want to make sure I have this set up right. There is one particular external IP that keeps getting blocked even though I have it in the passlist which is assigned to the interface; I have the IP in a firewall alias that is also in the passlist.

Another issue that is somewhat related is that I get lots of blocks and alerts from SURICATA STREAM rules. They were all false positives, so I disabled the rules, but there are still IPs getting blocked by those rules.

I have made sure there are no ghost Suricata processes running, I have restarted Suricata on the interface after making changes, and I have cleared some tables that may have been holding old config or filter data. But the IP is still getting blocked and the SURICATA STREAM rules are still blocking as well.

Let me know if there is anything else I can check or if you need any additional info.

Thank you for your help!

Suricata on pfSense uses a customized binary. You need to ask any Suricata questions related to pfSense here: IDS/IPS | Netgate Forum.

The Pass List and the Legacy Blocking Mode module used in pfSense are both customized additions to the Suricata binary made by the package maintainer for pfSense. The Suricata development team have zero involvement with that custom binary code.

How do I know 🙂? Because I am the former package maintainer for Suricata on pfSense. But I have now retired from that role.

Oh, ok! Thanks for the info. I will inquire there.


I will offer a couple of quick things to check, but out of respect for the Suricata forum let’s continue any further discussions over on the Netgate forum I linked in my earlier post.

There are some existing issues with FQDN aliases on pfSense that can bubble over to the Suricata blocking module used there. Short version is that from time to time the IP address or addresses associated with an alias can get cleared out.

If you are new to the PHP GUI used in pfSense for Suricata, disabling a rule does NOT remove any existing blocks that resulted from that rule. The Legacy Blocking Mode uses the pf firewall engine for its IP blocks and adds the IP address to be blocked to a hidden pf firewall table. IP addresses must be manually cleared from that table to remove blocks. The blocks can also be cleaned up automatically by a cron task if that option is enabled, or they are removed by rebooting the firewall, as that reloads the pf firewall engine, thereby clearing entries from the existing pf tables.
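The post above explains that a pass list only stops new blocks while entries already sitting in the hidden pf table keep blocking until they are cleared. The following script is an added example, not code from the pfSense Suricata package or from the poster: it reconciles a dump of the block table against the pass list and prints the entries that should no longer be there. It assumes the table is named `snort2c` (the name I believe the pfSense package uses; verify it on your own firewall) and that the dump was captured with `pftctl`'s standard table listing, `pfctl -t snort2c -T show`. The table dump and pass list embedded below are constructed sample data.

```python
"""Find pf block-table entries that a Suricata pass list should have protected.

Added example, not part of the pfSense Suricata package. Assumptions:
  * the block table is called "snort2c" (check with `pfctl -s Tables`);
  * its contents were captured with `pfctl -t snort2c -T show`;
  * the pass list is the interface pass list plus any alias entries it pulls in.
Entries that fall inside the pass list are stale blocks; disabling the rule
in the GUI does not remove them, so they have to be deleted by hand, e.g.
    pfctl -t snort2c -T delete 203.0.113.10
"""
import ipaddress
from typing import Iterable

# Constructed sample of `pfctl -t snort2c -T show` output (not from a real box).
SAMPLE_TABLE_DUMP = """\
   203.0.113.10
   198.51.100.7
   192.0.2.44
   2001:db8::1
"""

# Constructed pass list: single hosts and CIDR networks, as a firewall alias may hold.
SAMPLE_PASSLIST = [
    "203.0.113.10",   # the explicitly allowed external host
    "192.0.2.0/24",   # a whole network supplied by an alias
    "2001:db8::/32",
]


def parse_table_dump(dump: str) -> list:
    """Parse pfctl table output (one address per line, possibly indented)."""
    addrs = []
    for line in dump.splitlines():
        line = line.strip()
        if line:
            addrs.append(ipaddress.ip_address(line))
    return addrs


def parse_passlist(entries: Iterable[str]) -> list:
    """Normalise pass list entries (hosts or CIDRs) to ip_network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def stale_blocks(table_dump: str, passlist: Iterable[str]) -> list:
    """Return the table entries (as strings) that the pass list covers.

    Address family mismatches are handled by ipaddress: an IPv4 address is
    never "in" an IPv6 network, so mixed lists are safe.
    """
    nets = parse_passlist(passlist)
    return [str(a) for a in parse_table_dump(table_dump) if any(a in n for n in nets)]


def delete_commands(table_dump: str, passlist: Iterable[str], table: str = "snort2c") -> list:
    """Build the pfctl commands that would clear each stale entry from the table."""
    return [f"pfctl -t {table} -T delete {ip}" for ip in stale_blocks(table_dump, passlist)]


if __name__ == "__main__":
    # Run on the firewall with real data:
    #   pfctl -t snort2c -T show > blocks.txt, then pass its contents in here.
    for cmd in delete_commands(SAMPLE_TABLE_DUMP, SAMPLE_PASSLIST):
        print(cmd)
```

Running it on the sample data lists `203.0.113.10`, `192.0.2.44` and `2001:db8::1` as stale while `198.51.100.7` stays blocked, which is exactly the check to make when an allowed IP "keeps getting blocked": if the address is in the table but also in the pass list, the block predates the pass list entry (or the alias was emptied, as mentioned above) and must be cleared rather than waiting for Suricata to stop adding it.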