Websites no longer reachable

For several weeks some sites have no longer been reachable and show DNS errors in the browser; among these, ipfire.org is also not reachable.
They only become reachable again when I disable the IDS.

In Network / Domain Name System only the two Google DNS servers are activated, and they show as OK.
Previously, the Home Page showed that the two DNS servers supported DNSSEC. Today I can’t say whether there are problems.
I am sure, however, that if I connect to the router’s access point or to a smartphone hotspot I am able to browse without problems.

I have enabled Intrusion Detection only on the RED network, using all the Talos VRT rules (with the related oinkcode).
I only installed the Guardian, Clamav, Squidclamav, htop, iperf3 and mc plugins.

This is my IPFire:
IPFire 2.25 (x86_64) - core144
Pakfire version: 2.25-x86_64
Kernel version: Linux upglabs-fw1.localdomain 4.14.173-ipfire #1 SMP Thu Mar 12 12:07:28 GMT 2020 x86_64 Intel® Celeron® CPU 847 @ 1.10GHz GenuineIntel GNU/Lin

Well, that might be the problem. You must not use all of the rules.

How can I select the rules?
In any case, everything is now stopped even with IDS disabled.

Hi,

How can I select the rules?

See: wiki.ipfire.org - Intrusion Prevention System (IPS)

Thanks, and best regards,
Peter Müller


I had already read it.
What I was asking is how to choose between the various rules.
I can understand that, since I don’t use Solaris, I can avoid enabling the rules for Solaris, but all the others could potentially be useful.

You have to Google it. Snort has ruleset descriptions here:
https://www.snort.org/rules_explanation
It’s up to you to decide what is needed in your environment. Be prepared to test a lot and possibly disable rules that cause too many false positives.


Well, that’s the art of OpSec :wink:
It is already written there; I quote:

The more rules which are activated, the more likely you could find an intruder. However more rules means that you are more likely to see false-positive alerts and the more load put on IPFire. If IPFire is under high load, from processing many complex rules, it may affect the performance of your network.

Choosing rulesets and rules requires you to have a good understanding of your network. It is very helpful, but not required, to be familiar with historic security vulnerabilities (especially those which were given fancy names, like Heartbleed and EternalBlue) and aware of penetration testing tools (like Metasploit).

Consider professional help in case of doubt.


OK, many thanks.
I’d better read up using your links.
In the meantime, my entire network is stopped due to problems with DNS, and in this case the IDS is not responsible because I have already disabled it.

I assume you’ve already tried restarting ipfire? Double-check DNS settings and post a screenshot of your DNS page if you don’t have any luck.

I have also replied in the DNS Broken post.
I tried changing the DNS and, of course, restarting IPFire, several times.
This is the screenshot.

Please switch to UDP and try again to recheck your DNS servers.

@whitetiger @teejay: Please discuss this matter at DNS Status: Broken in order to avoid scattering the same issue across several threads. Thank you.

@pmueller
The broken DNS problem was caused by an incorrect modification by my ISP.
But now that it has been resolved, the problem of unreachable domains when the IDS is active remains.
The ipfire.org domain is one of the domains blocked by the IDS.

This is the log from when IPFire was powered on to when IDS was disabled in order to write this message.

```
09:27:29 suricata: This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
09:27:30 suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
09:27:30 suricata: all 2 packet processing threads, 2 management threads initialized, engine started.
09:27:30 suricata: rule reload starting
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /var/lib/suricata/community.rules at line 2631
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /var/lib/suricata/community.rules at line 2835
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /var/lib/suricata/community.rules at line 2915
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:2;)" from file /var/lib/suricata/community.rules at line 3109
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:2;)" from file /var/lib/suricata/community.rules at line 3110
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; r
09:27:30 suricata: [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /var/lib/suricata/community.rules at line 3584
09:27:31 suricata: [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000
09:27:31 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)" from file /var/lib/suricata/community.rules at line 3861
09:27:31 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:31 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"NSC_USER:"; http_raw_header; content:"../"; within:10; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:1;)" from file /var/lib/suricata/community.rules at line 3927
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 27085 and 0 other sigs
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip' is checked but not set. Checked in 30567 and 0 other sigs
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'qlogic_default_ftp' is checked but not set. Checked in 31830 and 0 other sigs
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'hawk.lgr' is checked but not set. Checked in 33222 and 1 other sigs
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 38580 and 5 other sigs
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ole' is checked but not set. Checked in 46436 and 3 other sigs
09:27:36 suricata: rule reload complete
09:27:36 suricata: Signature(s) loaded, Detect thread(s) activated.
10:19:08 suricata: Signal Received. Stopping engine.
10:19:09 suricata: (W-NFQ#0) Treated: Pkts 78287, Bytes 19897780, Errors 0
10:19:09 suricata: (W-NFQ#0) Verdict: Accepted 75117, Dropped 3170, Replaced 0
10:19:09 suricata: (W-NFQ#1) Treated: Pkts 36794, Bytes 2550250, Errors 0
10:19:09 suricata: (W-NFQ#1) Verdict: Accepted 36684, Dropped 110, Replaced 0
```
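A log like the one above is easier to judge when it is reduced to the questions that matter for triage: which signatures failed to load (and from which file and line), which flowbits are checked but never set, and how many packets the IPS actually dropped during the run. The script below is an added example written for this thread, not IPFire's or Suricata's own tooling; it assumes the IPFire log viewer format seen here (time, the literal "suricata:", then the message, optionally wrapped in table pipes) and runs on a constructed, shortened excerpt of the log above.

```python
"""Triage a Suricata startup log for ruleset damage and drop counts.

Added example for this thread, not IPFire's or Suricata's own code. It reads the
IPFire log viewer format seen above (a time, the literal "suricata:", the message,
optionally wrapped in table pipes) and answers two questions: which rules failed
to load, and how much traffic the IPS dropped in this run.
"""
import re
from collections import Counter

# Constructed excerpt of the log posted above; long signatures are shortened.
SAMPLE_LOG = """\
|09:27:29|suricata:|This is Suricata version 5.0.2 RELEASE running in SYSTEM mode|
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594
09:27:30 suricata: [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
09:27:30 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522
09:27:31 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 27085 and 0 other sigs
09:27:36 suricata: Signature(s) loaded, Detect thread(s) activated.
10:19:09 suricata: (W-NFQ#0) Verdict: Accepted 75117, Dropped 3170, Replaced 0
10:19:09 suricata: (W-NFQ#1) Verdict: Accepted 36684, Dropped 110, Replaced 0
"""

# One log line, with or without the "|" cell separators of the IPFire log viewer.
LINE_RE = re.compile(r"^\|?(\d\d:\d\d:\d\d)\|?\s*suricata:\|?\s*(.*?)\|?$")
ERRCODE_RE = re.compile(r"\[ERRCODE: (\w+)\(\d+\)\]")
# A signature that failed to parse: keep its sid and the file:line Suricata names.
FAILED_RULE_RE = re.compile(
    r'error parsing signature ".*?sid:(\d+);.*" from file (\S+) at line (\d+)')
FLOWBIT_RE = re.compile(r"flowbit '([^']+)' is checked but not set")
VERDICT_RE = re.compile(r"\((W-NFQ#\d+)\) Verdict: Accepted (\d+), Dropped (\d+)")


def triage(text):
    """Summarise one Suricata start/stop cycle from the log text."""
    errors = Counter()
    failed_rules = []
    unset_flowbits = []
    accepted = dropped = 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a suricata line
        msg = m.group(2)
        code = ERRCODE_RE.search(msg)
        if code:
            errors[code.group(1)] += 1
        rule = FAILED_RULE_RE.search(msg)   # a line cut off by the viewer simply won't match
        if rule:
            failed_rules.append({"sid": int(rule.group(1)),
                                 "file": rule.group(2),
                                 "line": int(rule.group(3))})
        bit = FLOWBIT_RE.search(msg)
        if bit:
            unset_flowbits.append(bit.group(1))
        verdict = VERDICT_RE.search(msg)
        if verdict:
            accepted += int(verdict.group(2))
            dropped += int(verdict.group(3))
    total = accepted + dropped
    return {
        "errors": errors,
        "failed_rules": failed_rules,
        "unset_flowbits": unset_flowbits,
        "accepted": accepted,
        "dropped": dropped,
        "drop_ratio": dropped / total if total else 0.0,
    }


def report(summary):
    """Print a short, human-readable triage report."""
    print("Error codes:", dict(summary["errors"]))
    for r in summary["failed_rules"]:
        print(f"  rule sid {r['sid']} failed to load ({r['file']}:{r['line']})")
    if summary["unset_flowbits"]:
        print("  flowbits checked but never set:", ", ".join(summary["unset_flowbits"]))
    print(f"Verdicts: accepted {summary['accepted']}, dropped {summary['dropped']} "
          f"({summary['drop_ratio']:.1%} of packets)")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run against the full log above, the failed-rule list gives the sids to exclude (or the rule file to refresh) and the verdict lines show that roughly 3 % of packets were dropped during the run, which is worth correlating with the times the sites became unreachable.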

@pmueller
I’m doing a configuration and I’m having problems.
Perhaps they are all separate problems for which separate threads should be opened.
Or maybe they are all related problems.
How should I proceed?

  1. The IDS blocks some domains for me.
  2. There are errors with DDNS.
  3. The OpenVPN connection works if I launch it from the network, but not if I connect via hotspot.

Hi,

the Suricata log lines indicate your IPS ruleset is damaged. Could you try
using the Emerging Threats (community) one? From my own experience, this should
at least work.

If so, do the DNS problems reappear?

  1. The IDS blocks some domains for me.
  2. There are errors with DDNS.
  3. The OpenVPN connection works if I launch it from the network, but not if I connect via hotspot.

Those are likely caused by the IPS startup problem.

Thanks, and best regards,
Peter Müller

@pmueller
For some weeks, the IDS behavior has been very strange.
Some websites are perfectly accessible; others, like ipfire.org or vmware.com, are sometimes reachable and sometimes not.
I have already tried different combinations of IDS configurations.
Activated with the rules from Talos VRT first, then Snort VRT, and now Emerging Threats.
I activated them with all the rules, with only a few of them, or without activating any rules.
In all these cases the “sometimes yes, sometimes no” behavior was repeated.
The same hostname on the DDNS page is sometimes shown in red and other times in green.
The only way to avoid the blocking is to disable the IDS completely.
But this is the only thing I can’t do during lockdown and smart working from home.

I have to activate some services.
Right now I can also do without blocking porn sites, but I can’t do without OpenVPN, DDNS, access to websites in the DMZ, and of course protection from unauthorized access.

I have already asked my ISP whether there are other blocks, but if they tell me that there are none, am I obliged to investigate what is going on in IPFire?

Do I have to try to delete everything and install it again?
If it is the only way forward I do it without arguing.

Hi,

the problem with switching between IDS rule sources is that old ones are not
deleted (as far as I am aware, unless @stevee changed this :wink: ).

Not sure if this works, but as a brute-force attempt, the following command
deletes all downloaded rulesets:

```
rm -f /var/lib/suricata/*
```

You need to download the desired source from the WUI again. Could you try
Emerging Threats this time? It’s what I use, and I am not aware of DNS issues.

Thanks, and best regards,
Peter Müller

I am relaunching this thread.
Throughout the month of May, I “solved” the problem by connecting directly to the router’s Access Point whenever a site was unreachable, which happened dozens of times a day.

I have tried the command suggested by @pmueller.
I am using Emerging Threats Community with only the “emerging-malware.rules” option enabled.
I have tried all combinations of DNS, using only those from Google.
Now I’m working in Recursor Mode.

The problem is always the same.

I also renew the request for suggestions on how to test, for example using commands on ipfire or from Linux.

So, I can’t bring this firewall into production.
Even retrying the installation would be an unsatisfactory option because the updates saved with the Update Accelerator would be lost.
But if it’s the last chance, OK. I do the installation again.

I don’t use Update Accelerator, but it is saving updates, probably somewhere in /var. You should be able to scp or rsync those to a USB stick, then reinstall.

Well, if you want to test DNS, you might use `dig soa example.com` or similar tools.
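The `dig soa` suggestion answers the earlier request for commands to test with. What makes it useful for this thread is running the same query against two resolvers, the IPFire box and a public one, and comparing the status and the header flags: a SERVFAIL or timeout from IPFire next to a NOERROR from the public resolver points at the firewall's resolution path (the recursor or the IPS dropping DNS), while two failures point upstream, as the ISP problem earlier in the thread did. The `ad` flag in a NOERROR answer shows the resolver validated DNSSEC, which is what the Home Page indicator mentioned at the start reflects. The script below is an added example written for this thread, not IPFire's own tooling; it assumes BIND's `dig` is installed on the host it runs from, the resolver addresses in `__main__` are constructed placeholders, and the parser is exercised on constructed dig output so it runs without network access.

```python
"""Scripted DNS check built on the `dig soa` suggestion in the last reply.

Added example for this thread, not part of IPFire. It assumes BIND's `dig` is on
the host it runs from and that the resolver addresses handed to it are the ones
you want to compare (constructed defaults below: the IPFire box on GREEN and a
public resolver). Only `check_resolver` queries the network; the parser is
exercised on constructed dig output.
"""
import re
import subprocess

# Constructed dig answer (names and serial are placeholders, not real records).
SAMPLE_DIG_OK = """\
; <<>> DiG 9.16.1 <<>> +dnssec soa ipfire.org @192.168.1.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ipfire.org.  3600  IN  SOA  ns1.example.invalid. hostmaster.example.invalid. 2020060101 3600 900 604800 3600
ipfire.org.  3600  IN  RRSIG  SOA 8 2 3600 20200701000000 20200601000000 12345 ipfire.org. AAAA...

;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

# Constructed answer for the failure mode in this thread: the resolver gives up.
SAMPLE_DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""


def parse_dig(output):
    """Pull status, header flags and answer count out of dig's text output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    answers = re.search(r"ANSWER: (\d+)", output)
    flag_set = set(flags.group(1).split()) if flags else set()
    return {
        "status": status.group(1) if status else "NO-RESPONSE",  # empty output = no answer
        "validated": "ad" in flag_set,   # AD flag: the resolver validated DNSSEC
        "answers": int(answers.group(1)) if answers else 0,
    }


def verdict(result):
    """One-line interpretation of a parsed answer."""
    if result["status"] != "NOERROR":
        return f"FAIL: {result['status']}"
    if result["answers"] == 0:
        return "FAIL: empty answer"
    return "OK (DNSSEC validated)" if result["validated"] else "OK (not validated)"


def check_resolver(name, resolver, timeout=3):
    """Query one resolver for the SOA of `name` with dig and parse the answer."""
    cmd = ["dig", "+dnssec", f"+time={timeout}", "+tries=1", "soa", name, f"@{resolver}"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 2).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = ""   # dig missing, or the resolver never answered
    return parse_dig(out)


def compare(name, resolvers):
    """Run the same query against several resolvers; returns resolver -> verdict."""
    return {r: verdict(check_resolver(name, r)) for r in resolvers}


if __name__ == "__main__":
    # Constructed addresses: IPFire's GREEN interface and Google's public resolver.
    for resolver, outcome in compare("ipfire.org", ["192.168.1.1", "8.8.8.8"]).items():
        print(f"{resolver:>16}  {outcome}")
```

Because the thread describes a "sometimes yes, sometimes no" failure, a single run proves little; looping `compare` every minute and logging the verdicts alongside the IPS enable/disable times is what separates a DNS fault from IPS drops.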