Hello,
A few days after core update 168 on my Pi 4, I monitored the different logs to check if everything was alright, and I was surprised to see no entries in the IPS logs.
I disabled and re-enabled it as stated here, yet when I tested with only emerging-dns.rules enabled and went to a random *.to website, I could still access it even though the rule preventing DNS requests to .to domains was enabled.
Here is what is shown in the logs after a restart of the IPS:
(from new to old)
19:06:23 suricata: Signature(s) loaded, Detect thread(s) activated.
19:06:23 suricata: rule reload complete
19:06:23 suricata: cleaning up signature grouping structure... complete
19:06:22 suricata: 302 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 129 inspect application layer, 105 are decoder event only
19:06:22 suricata: Threshold config parsed: 0 rule(s) found
19:06:22 suricata: 15 rule files processed. 302 rules successfully loaded, 0 rules failed
19:06:22 suricata: Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
19:06:22 suricata: Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
19:06:22 suricata: Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
19:06:22 suricata: Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
19:06:22 suricata: rule reload starting
19:06:22 suricata: all 4 packet processing threads, 2 management threads initialized, engine started.
19:06:22 suricata: fail-open mode should be set on queue
19:06:22 suricata: NFQ running in 'workers' runmode, will not use mutex.
19:06:22 suricata: setting nfnl bufsize to 6144000
19:06:22 suricata: setting queue length to 4096
19:06:22 suricata: binding this thread 3 to queue '3'
19:06:22 suricata: fail-open mode should be set on queue
19:06:22 suricata: NFQ running in 'workers' runmode, will not use mutex.
19:06:22 suricata: setting nfnl bufsize to 6144000
19:06:22 suricata: setting queue length to 4096
19:06:22 suricata: binding this thread 2 to queue '2'
19:06:22 suricata: fail-open mode should be set on queue
19:06:22 suricata: NFQ running in 'workers' runmode, will not use mutex.
19:06:22 suricata: setting nfnl bufsize to 6144000
19:06:22 suricata: setting queue length to 4096
19:06:22 suricata: binding this thread 1 to queue '1'
19:06:22 suricata: fail-open mode should be set on queue
19:06:22 suricata: NFQ running in 'workers' runmode, will not use mutex.
19:06:22 suricata: setting nfnl bufsize to 6144000
19:06:22 suricata: setting queue length to 4096
19:06:22 suricata: binding this thread 0 to queue '0'
19:06:22 suricata: Packets will start being processed before signatures are active.
19:06:22 suricata: fast output device (regular) initialized: fast.log
19:06:22 suricata: dropped the caps for main thread
19:06:22 suricata: NFQ running in REPEAT mode with mark 2147483648/2147483648
19:06:22 suricata: Enabling fail-open on queue
19:06:22 suricata: HTTP memcap: 268435456
19:06:22 suricata: CPUs/cores online: 4
19:06:22 suricata: This is Suricata version 5.0.9 RELEASE running in SYSTEM mode
19:06:16 suricata: cleaning up signature grouping structure... complete
19:06:16 suricata: (W-NFQ#3) Verdict: Accepted 2410, Dropped 19, Replaced 0
19:06:16 suricata: (W-NFQ#3) Treated: Pkts 2429, Bytes 1300660, Errors 0
19:06:16 suricata: (W-NFQ#2) Verdict: Accepted 11706, Dropped 2, Replaced 0
19:06:16 suricata: (W-NFQ#2) Treated: Pkts 11708, Bytes 14553787, Errors 0
19:06:16 suricata: (W-NFQ#1) Verdict: Accepted 1543, Dropped 2, Replaced 0
19:06:16 suricata: (W-NFQ#1) Treated: Pkts 1545, Bytes 674807, Errors 0
19:06:16 suricata: (W-NFQ#0) Verdict: Accepted 321906, Dropped 52, Replaced 0
19:06:16 suricata: (W-NFQ#0) Treated: Pkts 321958, Bytes 281880785, Errors 0
19:06:16 suricata: time elapsed 2817.518s
19:06:15 suricata: Signal Received. Stopping engine.
I did not add any custom rule, I only enabled/disabled specific rules in “Customize ruleset”.
I tried a “Force update ruleset” but the issue remains.
What could be wrong here?
Thanks in advance for your help and your time.
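An added sanity check, written for this thread and not part of the original post or of IPFire: it parses the kind of Suricata log lines quoted above (the sample below is a constructed subset of them) into rule-load counts and per-queue verdicts, and flags the observations worth verifying before concluding that a rule is not firing.

```python
import re

# Constructed sample: a subset of the Suricata log lines quoted in the post above.
SAMPLE_LOG = """\
19:06:22 suricata: 302 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 129 inspect application layer, 105 are decoder event only
19:06:22 suricata: 15 rule files processed. 302 rules successfully loaded, 0 rules failed
19:06:22 suricata: Packets will start being processed before signatures are active.
19:06:22 suricata: Enabling fail-open on queue
19:06:16 suricata: (W-NFQ#3) Verdict: Accepted 2410, Dropped 19, Replaced 0
19:06:16 suricata: (W-NFQ#0) Verdict: Accepted 321906, Dropped 52, Replaced 0
"""

SIGS_RE = re.compile(r"(\d+) signatures processed\. (\d+) are IP-only rules, "
                     r"(\d+) are inspecting packet payload, (\d+) inspect application layer")
FILES_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")
VERDICT_RE = re.compile(r"\(W-NFQ#(\d+)\) Verdict: Accepted (\d+), Dropped (\d+), Replaced (\d+)")


def summarize(log_text):
    """Parse Suricata startup/shutdown log lines into counts plus notes worth checking."""
    s = {"files": 0, "loaded": 0, "failed": 0, "payload": None, "applayer": None,
         "verdicts": {}, "notes": []}
    for line in log_text.splitlines():
        if m := SIGS_RE.search(line):
            s["payload"], s["applayer"] = int(m.group(3)), int(m.group(4))
        elif m := FILES_RE.search(line):
            s["files"], s["loaded"], s["failed"] = (int(g) for g in m.groups())
        elif m := VERDICT_RE.search(line):
            q, acc, drop, rep = (int(g) for g in m.groups())
            s["verdicts"][q] = {"accepted": acc, "dropped": drop, "replaced": rep}
        elif "Enabling fail-open" in line:
            s["notes"].append("fail-open enabled: packets pass unchecked if the queue fills up")
        elif "before signatures are active" in line:
            s["notes"].append("packets forwarded before signatures were active (reload window)")
    if s["failed"]:
        s["notes"].append(f"{s['failed']} rules failed to load; check the rule files")
    if s["payload"] == 0:
        s["notes"].append("no loaded rule inspects packet payload; verify the intended rules are enabled")
    return s


def total_dropped(summary):
    """Sum the Dropped counters across all NFQ worker threads."""
    return sum(v["dropped"] for v in summary["verdicts"].values())
```

Feed it the full log from /var/log/messages (or wherever your IPFire installation writes the suricata lines) to see whether the expected rule file actually contributed loaded rules and whether the workers dropped anything at all during the test.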