Core-161: Location Blocking stops Green access

Yesterday I upgraded to Core-161 (x86_64) and today I attempted to perform an update on my Linux OS on the green side of the firewall, and all access to the update servers was blocked. The logs show that IPS recognized the request for what it was (an APT update), but the firewall logs by country show all as being blocked from country “green0.” I have GeoIP blocking enabled with only a few locations open, but “green” is not shown as a country, and the Green IP space uses the non-routable public class B IP addresses (172.16.0.0). The only solution at this point seems to be to turn off IP blocking or to put in a specific iptables rule to allow green, as I am unable to determine how to unblock country “Green”.

Thanks,
-Craig

Hi,

the location block - it is no longer called “GeoIP block”, since we do not use MaxMind’s GeoIP database anymore - only applies to incoming connections, not to outgoing (i. e. initiated by a client within an internal network) ones.

Therefore, it does not block the connection in question. Also, it does not log dropped packets, since its sole purpose is to reduce noise in the firewall. Hence, another component is interfering in your case.

The logs show that IPS recognized the request for what it was (an APT update)

Unless you have configured the IPS in a way to monitor traffic only, a log message implies the offending packet has been dropped.

Please disable the rule causing this log entry (it should be a “shellcode”-related one), and the IPS should no longer block the updates.

Also, please post the actual logs next time, not just a description of them. To me, this would make analysing easier. :slight_smile:

Thanks, and best regards,
Peter Müller

P.S.: Also, I’d be surprised if this was related to Core Update 161.

1 Like

Update: this does not appear to be an IPS issue, as turning off the Location-based blocking completely eliminates the problem. Below I include both the Location log and a portion of the IPS log (I can include the full IPS log if that would help):

Now a portion of both logs as I hit the character limit:

Firewall log (Country)

Total number of firewall hits for December 1: 223


Time Chain Iface Proto Source Src Port Destination Dst Port
08:52:45 DROP_NEWNOTSYN green0 TCP 172.16.1.69 39720 107.22.164.118
08:53:06 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63582 66.111.4.55 443
08:53:07 DROP_NEWNOTSYN green0 TCP 172.16.1.69 58352 13.224.2.168 443
08:53:07 DROP_NEWNOTSYN green0 TCP 172.16.1.69 43120 142.250.217.67 443
08:53:07 DROP_NEWNOTSYN green0 TCP 172.16.1.69 47284 99.86.38.70 443
08:53:08 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63582 66.111.4.55 443
08:53:10 DROP_NEWNOTSYN green0 TCP 172.16.1.69 44322 172.16.1.10 444
08:53:16 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63581 142.250.99.188 5228
08:53:18 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63582 66.111.4.55 443
08:53:21 DROP_NEWNOTSYN green0 TCP 172.16.1.69 39718 107.22.164.118 443
08:53:21 DROP_NEWNOTSYN green0 TCP 172.16.1.69 38962 44.196.206.82 443
08:53:21 DROP_NEWNOTSYN green0 TCP 172.16.1.69 39720 107.22.164.118 443
08:53:23 DROP_NEWNOTSYN green0 TCP 172.16.1.69 53686 54.208.76.219 443
08:53:35 DROP_NEWNOTSYN green0 TCP 172.16.1.69 47284 99.86.38.70 443
08:53:35 DROP_NEWNOTSYN green0 TCP 172.16.1.69 43120 142.250.217.67 443
08:53:35 DROP_NEWNOTSYN green0 TCP 172.16.1.69 58352 13.224.2.168 443
08:53:41 DROP_NEWNOTSYN green0 TCP 172.16.1.69 44322 172.16.1.10 444
08:53:57 DROP_NEWNOTSYN green0 TCP 172.16.1.69 39720 107.22.164.118 443
08:53:57 DROP_NEWNOTSYN green0 TCP 172.16.1.69 38962 44.196.206.82 443
08:53:57 DROP_NEWNOTSYN green0 TCP 172.16.1.69 39718 107.22.164.118 443
08:53:59 DROP_NEWNOTSYN green0 TCP 172.16.1.69 53686 54.208.76.219 443
08:59:13 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63591 142.250.217.106 443
08:59:13 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63591 142.250.217.106 443
08:59:13 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63581 142.250.99.188 5228
08:59:27 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:27 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:27 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:27 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63581 142.250.99.188 5228
08:59:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:33 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
08:59:35 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63601 142.251.33.78 443
09:00:31 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63584 52.202.62.217 443
09:06:49 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63660 3.235.73.96 443
10:12:00 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64273 3.235.72.249 443
10:12:00 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64284 3.235.96.62 443
10:12:23 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:13:39 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:14:54 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:15:37 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64352 3.235.96.63 443
10:15:37 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64387 3.235.73.96 443
10:15:37 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64351 18.205.93.142 443
10:15:37 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64353 18.205.93.142 443
10:15:37 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64354 18.205.93.142 443
10:16:09 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:17:25 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:18:41 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:19:56 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:21:11 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63632 142.250.99.188 5228
10:24:07 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64415 52.202.62.224 443
11:15:52 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64543 3.235.96.62 443
11:15:52 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64550 3.235.83.109 443
12:08:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64616 74.125.142.188 5228
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64508 18.205.93.224 443
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64610 3.235.83.123 443
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64616 74.125.142.188 5228
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64508 18.205.93.224 443
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64610 3.235.83.123 443
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64508 18.205.93.224 443
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64616 74.125.142.188 5228
12:08:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64610 3.235.83.123 443
12:08:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64508 18.205.93.224 443
12:08:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64616 74.125.142.188 5228
12:08:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64508 18.205.93.224 443
12:08:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64610 3.235.83.123 443
12:08:31 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64616 74.125.142.188 5228
12:08:31 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64508 18.205.93.224 443
12:08:33 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64616 74.125.142.188 5228
12:08:44 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64613 20.189.173.5 443
12:36:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64653 3.235.73.120 443
12:36:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64626 18.205.93.248 443
12:36:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64627 18.205.93.248 443
12:36:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64628 18.205.93.248 443
12:44:22 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64819 3.235.83.121 443
13:35:23 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:26 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:26 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:26 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:28 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:29 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:30 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:32 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:32 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:32 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:34 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:34 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:34 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:36 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:36 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:36 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64843 142.251.33.99 443
13:35:36 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:38 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64842 173.194.202.188 5228
13:35:39 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:40 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:46 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:46 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:46 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:46 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:50 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64845 66.111.4.56 443
13:35:50 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:50 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:50 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:52 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443
13:35:56 DROP_NEWNOTSYN green0 TCP 172.16.1.59 64844 142.250.217.110 443


IPS Log:

Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:57022 → 142.250.217.110:80
References: none found SID: 2013504

Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:38338 → 91.189.91.39:80
References: none found SID: 2013504

Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:56138 → 91.189.88.151:80
References: none found SID: 2013504

Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:56326 → 91.189.95.85:80
References: none found SID: 2013504

Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:42274 → 91.189.88.152:80
References: none found SID: 2013504

Date: 12/01 13:21:26 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:38350 → 91.189.91.39:80
References: none found SID: 2013504

Date: 12/01 13:21:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:51658 → 91.189.91.38:80
References: none found SID: 2013504

The logged DROP_NEWNOTSYN is not really useful, because it states that a client still sends packets to an already closed or non-existent TCP connection.

Also keep in mind that when you reload the firewall by disabling Location, the IPS needs time to restart. On slow machines I have seen 30 min or more until it is really active again.

Be careful with such ET POLICY rules. They are to block activities that are usually normal.
But some companies like to block such things like apt.

2 Likes
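To make the point above about DROP_NEWNOTSYN concrete, here is a small log reader, added as an example and not code from the thread or from IPFire: it parses rows in the column order the firewall log above uses, groups hits by chain and by 4-tuple flow, and reports two things a defender wants to know before blaming a blocking component: whether any chain other than DROP_NEWNOTSYN logged a drop at all, and which destinations are internal (RFC 1918) hosts rather than Internet servers. The sample rows are copied from the log posted above; the column layout and the regular expression are assumptions based on that post.

```python
import ipaddress
import re
from collections import Counter

# Sample rows copied from the firewall log posted earlier in this thread.
SAMPLE_LOG = """\
08:53:06 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63582 66.111.4.55 443
08:53:07 DROP_NEWNOTSYN green0 TCP 172.16.1.69 58352 13.224.2.168 443
08:53:08 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63582 66.111.4.55 443
08:53:10 DROP_NEWNOTSYN green0 TCP 172.16.1.69 44322 172.16.1.10 444
08:53:18 DROP_NEWNOTSYN green0 TCP 172.16.1.59 63582 66.111.4.55 443
08:53:41 DROP_NEWNOTSYN green0 TCP 172.16.1.69 44322 172.16.1.10 444
"""

# Column order as shown in the thread (assumed):
# Time Chain Iface Proto Source Src Port Destination Dst Port
ROW_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<chain>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)$"
)


def parse_rows(text):
    """Return one dict per log row; header and page-widget lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Group hits by chain and by 4-tuple flow.

    A flow (src, sport, dst, dport) that shows up repeatedly under DROP_NEWNOTSYN is
    the same client socket retransmitting into a connection the firewall no longer
    tracks (closed or never established), not a series of new connections refused.
    """
    by_chain = Counter(r["chain"] for r in rows)
    by_flow = Counter((r["src"], r["sport"], r["dst"], r["dport"]) for r in rows)
    repeated = {flow: n for flow, n in by_flow.items() if n > 1}
    return by_chain, by_flow, repeated


def report(text):
    """Summary: hit totals per chain, any chain besides DROP_NEWNOTSYN, how many
    flows repeat, and which destinations are private (internal) addresses."""
    rows = parse_rows(text)
    by_chain, by_flow, repeated = summarize(rows)
    internal = sorted(
        {(dst, dport) for (_, _, dst, dport) in by_flow if ipaddress.ip_address(dst).is_private}
    )
    return {
        "total": sum(by_chain.values()),
        "by_chain": dict(by_chain),
        "other_chains": sorted(c for c in by_chain if c != "DROP_NEWNOTSYN"),
        "repeated_flows": len(repeated),
        "internal_destinations": internal,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full day's export of the table: an empty `other_chains` list means every logged drop was a stale-connection packet, and the `internal_destinations` entry (here the firewall's own 172.16.1.10:444 web interface) shows that these entries are not limited to Internet hosts, which is another hint that they are not location-based decisions.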

Okay, I used the Emerging Threats community rule set as the default, which includes these rules. I will do some more fine tuning, but is there a reference where I can learn more about the rule sets so I can better understand what I am blocking/allowing?

Thank you for your assistance,

This should help:

1 Like

Jon, Thanks. Based on the earlier post I went looking and found the same rule (and disabled it). So I think I am functional again, but I would like to better understand the rules and what I am blocking and/or allowing as there are many (too many?) options to choose from.

1 Like

I struggle with IPS also. Basically I turn on something that’s recommended and give it a try for a week. During that week I monitor the log. And then turn off things that interfere (like APT-type things).

I have not stumbled across anything that explains the Rulesets.

Hi,

this procedure is called “baselining”: trying to find out which kind of findings an IDS/IPS produces, and which of them are false positives. Especially in production networks or enterprises, rules are always enabled step-by-step, watching the logs closely afterwards. Even large companies with a dedicated IDS/IPS team need weeks if not months to conduct a proper baselining, especially if network documentation is poor.

Some of the rulesets are easy: You never want to connect to known C&C servers or hostile networks, no matter what. These can be enabled first, and usually do not cause any headache in terms of false positives. (The real headache comes with the true positives… :slight_smile: )

Afterwards, rules are commonly enabled by priority: for example, if an IDS/IPS shields client networks, it usually makes more sense to take a look at rulesets like emerging-web_client.rules first. Should you be dealing with server networks, protocol-specific rulesets such as emerging-web_specific_apps.rules might be more important.

Then, there are some rulesets that you want to have enabled in almost any circumstances, such as emerging-malware.rules, emerging-exploit.rules or emerging-attack_response.rules - unless some of these cause too many false positives for certain applications or devices.

So, in the end, bringing an IPS into production is an individual procedure, and general advice is usually sketchy. Being patient helps, and enabling things one by one - if you can overlook your network, you usually have some kind of feeling of what’s normal inside it and what’s not.

I have not stumbled across anything that explains the Rulesets.

For Emerging Threats, this and this page provide some, but not a complete explanation.

Hope this answer was helpful.

Thanks, and best regards,
Peter Müller

2 Likes
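The baselining described in the reply above (enable rules step by step, watch the logs, sort out false positives) and Jon’s week-long trial approach both come down to tallying which rules fire and deciding per SID. The following script is an added example, not code from the thread or from IPFire: it parses the four-line alert format shown in the IPS log posted earlier, counts alerts per SID with the distinct internal hosts that triggered them, and marks POLICY-class or “Not Suspicious Traffic” rules as candidates to review rather than block. Three entries are copied from the posted log; the fourth entry (its name, SID 9000001 and addresses) is constructed as a placeholder so the triage has something other than a POLICY alert to sort.

```python
import re
from collections import defaultdict

# Three entries copied from the IPS log in this thread, plus one CONSTRUCTED entry
# (name, SID 9000001 and addresses are placeholders, not a real rule).
SAMPLE_IPS_LOG = """\
Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:57022 → 142.250.217.110:80
References: none found SID: 2013504
Date: 12/01 13:20:56 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:38338 → 91.189.91.39:80
References: none found SID: 2013504
Date: 12/01 13:21:26 Name: ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
Priority: 3 Type: Not Suspicious Traffic
IP info: 192.168.4.101:38350 → 91.189.91.39:80
References: none found SID: 2013504
Date: 12/01 13:22:00 Name: CONSTRUCTED MALWARE example beacon (placeholder rule)
Priority: 1 Type: A Network Trojan was detected
IP info: 192.168.4.120:49152 → 203.0.113.7:443
References: none found SID: 9000001
"""

# Line patterns assumed from the format shown in the thread.
HEAD_RE = re.compile(r"^Date: (?P<date>\S+ \S+) Name: (?P<name>.+)$")
PRIO_RE = re.compile(r"^Priority: (?P<priority>\d+) Type: (?P<type>.+)$")
IP_RE = re.compile(r"^IP info: (?P<src>\S+) → (?P<dst>\S+)$")
REF_RE = re.compile(r"^References: (?P<refs>.+?) SID: (?P<sid>\d+)$")


def parse_alerts(text):
    """Parse the four-line alert format into dicts, one per alert; a 'Date:' line starts a new alert."""
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEAD_RE.match(line)
        if m:
            current = m.groupdict()
            alerts.append(current)
            continue
        if current is None:
            continue
        for rx in (PRIO_RE, IP_RE, REF_RE):
            m = rx.match(line)
            if m:
                current.update(m.groupdict())
                break
    return alerts


def tally_by_sid(alerts):
    """Per SID: how often it fired, name/priority/classification, and the distinct
    source hosts. A low-priority rule firing from ordinary clients doing ordinary
    things (package updates) is the typical baselining false positive."""
    out = defaultdict(lambda: {"count": 0, "hosts": set()})
    for a in alerts:
        e = out[a["sid"]]
        e["count"] += 1
        e["hosts"].add(a["src"].rsplit(":", 1)[0])
        e["name"], e["priority"], e["type"] = a["name"], int(a["priority"]), a["type"]
    return dict(out)


def triage(alerts):
    """Baselining pass: POLICY-class or 'Not Suspicious Traffic' rules become
    'review' candidates (disable, or keep in monitor-only mode); all others 'keep'."""
    decisions = {}
    for sid, e in tally_by_sid(alerts).items():
        if e["name"].startswith("ET POLICY") or e["type"] == "Not Suspicious Traffic":
            decisions[sid] = "review"
        else:
            decisions[sid] = "keep"
    return decisions


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_IPS_LOG)
    for sid, e in tally_by_sid(parsed).items():
        print(sid, e["count"], e["priority"], sorted(e["hosts"]), e["name"])
    print(triage(parsed))
```

Feed it a week of exported alerts and sort the tally by count: the SIDs at the top with priority 3 and a “Not Suspicious Traffic” classification are the ones to look at first, while anything classified as a trojan or exploit stays enabled regardless of volume.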