I made a rule to block ip from BG using geoip. I want to use anydesk, but it’s using BG ip’s and it doesn’t let me connect to anydesk. I tried to make a pass rule. Tried with content: “anydesk”, didn’t work, still blocked. Tried with the ip’s fast.log logs. Still not passing. Am I doing something wrong?
Can I block a country but still let anydesk connect to it so it can let me use it?
You should be able to do this as pass rules have priority over drop rules as per the docs: 10.1. Suricata.yaml — Suricata 6.0.0 documentation
Can you please post both rules and the block event?
Moreover, if you want to block anydesk, it is better to target the dns+tls protocols rather than the ips as those are normally dynamic and would change over time.
I don’t want to block anydesk. I want to block ips but anydesk still working.
Rules are the following :
pass ip any any → any any (content:“anydesk”; sid:3;rev:1;)
drop ip any any → any any (msg: “Drop GeoIP RU”; geoip:RU; sid:1; rev:1;)
drop ip any any → any any (msg: “Drop GeoIP BG”; geoip:BG; sid:2; rev:1;)
When I access anydesk, it doesn’t work. If I comment drop rules, it works. But I need the geoip rules on and anydesk on too. How can I make that anydesk passes the GeoIp rules?
log: 07/11/2022-15:30:31.836259 [Drop] [] [1:1:1] Drop GeoIP BG [] [Classification: (null)] [Priority: 3] {TCP} -my ip= → 37.19.203.82:80 (and more ips)
If I close anydesk, the drop stops, obviously. So they’re dropping anydesk even with the pass rule;
Sorry for misunderstanding your post.
The provided rules will block anydesk since the rules will probably block the TCP 3-way handshake before even any content will be exchanged (that your pass rule rely on to be activated).
So maybe if you block BG traffic for already established connection this should allow TCP handshake to complete for anydesk and the pass rule will activate on the provided content “anydesk”, by editing the rules to be like:
pass ip any any → any any (content:“anydesk”; sid:3;rev:1;)
drop ip any any → any any (msg: “Drop GeoIP RU”; flow: established; geoip:RU; sid:1; rev:1;)
drop ip any any → any any (msg: “Drop GeoIP BG”; flow: established; geoip:BG; sid:2; rev:1;)
However, I would rather inspect how anydesk bootstrap its communication to verify that my content keyword will match the flow immediately after the 3-way TCP handshake is completed.