  1. #1
    Untangler
    Join Date
    Oct 2017
    Posts
    39

    Default I know I shouldn't have done it

    But I did. After reading a few recent posts about Intrusion Prevention (even after seeing sky-knight's recent posts on the topic) I decided to enable it out of curiosity and see how many events were logged. I watched the webcast on Intrusion Prevention to get an idea of what to expect.
    All rules and all signatures are at their default setting and I'm running the very latest 15.1 release build.

    My first expectation was that the Blocked Events report would be empty, but it isn't. I'm seeing entries in there from different devices on my LAN to external destinations, mostly from Windows 10 devices but also from my wife's iPad. Most of the entries come in pairs, one with SID 2210045 followed immediately by 2210046. I'm assuming, based on the description of these signatures, that it's down to poor termination of TCP sessions, so no big deal. However, I'm puzzled as to why these packets are being blocked by Intrusion Prevention, or at least being reported as blocked, as both the recommended action and the rule action are to log.

    Anyone any ideas?

    I'm also seeing a very occasional blocked entry with a SID of 10001, but the Category, ClassType, Message and Rule Id fields are all empty. These entries are again from a device on my LAN to external IP addresses.

    Any insight on that one?

    Thanks
    Mike

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Default

    The rules tab has various rules in the list. There are two that report Enable Block. The module doesn't block anything unless one of those two rules are enabled.

    At least... it's not supposed to. I'm seeing the same two signatures you are in my block log as well though.
    Last edited by sky-knight; 08-30-2020 at 01:40 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Oct 2017
    Posts
    39

    Default

    Quote Originally Posted by sky-knight View Post
    The rules tab has various rules in the list. There are two that report Enable Block. The module doesn't block anything unless one of those two rules are enabled.

    At least... it's not supposed to. I'm seeing the same two signatures you are in my block log as well though.
    I don't have either of those rules enabled. The only rules enabled are the 3 memory-related rules which are enabled by default.

    When I first enabled IP last week I was still running an earlier 15.1 build. If I look at the logs from before installing the latest build I was seeing hundreds of 10001 errors. I remember looking at the signatures and saw that 10001 errors were blocked by default. But since the update I can't find any record of that signature.

  4. #4
    Untangler
    Join Date
    Oct 2017
    Posts
    39

    Default

    I found the source of most of the TCP frames that are being blocked by Intrusion Prevention. I have the free version of CCleaner installed on my Windows systems. There is a scheduled task that runs each day to check for updates and it is that task that correlates to the blocked packets.

    I disabled the task and I'm no longer getting entries in the blocked report.

    I ran a Wireshark capture while running the update task manually, and I again got the same 2 blocked packets in the IP report. The update process continues to run, so I'm not sure if the packets are actually being blocked or they are erroneously reported as being blocked.

    I cannot see anything amiss in the Wireshark trace. There are 3 open sessions that are all closed at the same time using a RST, ACK frame. The other 2 are not blocked. Here is a copy of the 5 messages that are exchanged after the session is established. Can anyone see what the problem is?

    23 12:30:20.573054 192.168.1.99 23.43.56.203 HTTP 224 HEAD /files/emupdate/pong.txt HTTP/1.1
    24 12:30:20.574434 23.43.56.203 192.168.1.99 TCP 60 80 → 58050 [ACK] Seq=1 Ack=171 Win=64128 Len=0
    25 12:30:20.593838 23.43.56.203 192.168.1.99 HTTP 282 HTTP/1.1 200 OK
    35 12:30:20.634410 192.168.1.99 23.43.56.203 TCP 54 58050 → 80 [ACK] Seq=171 Ack=229 Win=131072 Len=0
    46 12:30:20.706338 192.168.1.99 23.43.56.203 TCP 54 58050 → 80 [RST, ACK] Seq=171 Ack=229 Win=0 Len=0

    I think the TCP ack (message #35) results in the signature id 2210045 block and the RST ACK in the 2210046 block but I could be wrong as the report lists the 2210046 block prior to the 2210045 (I am assuming the most recent event is at the top of the report).

    2020-09-02 12:30:20 pm 2210045 1 26 192.168.1.99 58050 23.43.56.203 80 TCP [6] events protocol-command-decode SURICATA STREAM Packet with invalid ack reserved_default_3

    2020-09-02 12:30:20 pm 2210046 1 26 192.168.1.99 58050 23.43.56.203 80 TCP [6] events protocol-command-decode SURICATA STREAM SHUTDOWN RST invalid ack reserved_default_3
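    The two signatures in the report above are Suricata stream-engine events: 2210045 fires when a segment's ACK number does not fit what the peer has actually sent, and 2210046 is the same condition on a RST. The script below is an added example written for this thread (not Suricata's, Untangle's or the poster's code) that replays the five Wireshark summary lines from the post, re-typed here as constructed input, through a deliberately simplified version of that check. Assumptions: relative sequence numbering (first data byte after the handshake is 1), a fixed 54-byte Ethernet/IPv4/TCP header on the HTTP frames because Wireshark's HTTP dissector hides the Seq/Ack fields, no TCP options on data segments, and a single validity rule (an ACK may not exceed the peer's highest sent byte or go backwards). Suricata's real logic has more tolerances (window, mid-stream pickup, async streams), so this is an aid for reading a capture, not a reproduction of the engine. A second constructed trace with a deliberately wrong ACK shows what both signatures would react to.

```python
"""Replay Wireshark packet-list lines and judge each ACK against the peer's sent data.

Added example for the thread; simplified relative to Suricata's stream engine.
"""
import re
from dataclasses import dataclass

HDR_LEN = 54  # Ethernet(14) + IPv4(20) + TCP(20); assumption: no TCP options on data segments

# Constructed input: the five summary lines quoted in the post, re-typed by hand.
TRACE = """\
23 12:30:20.573054 192.168.1.99 23.43.56.203 HTTP 224 HEAD /files/emupdate/pong.txt HTTP/1.1
24 12:30:20.574434 23.43.56.203 192.168.1.99 TCP 60 80 → 58050 [ACK] Seq=1 Ack=171 Win=64128 Len=0
25 12:30:20.593838 23.43.56.203 192.168.1.99 HTTP 282 HTTP/1.1 200 OK
35 12:30:20.634410 192.168.1.99 23.43.56.203 TCP 54 58050 → 80 [ACK] Seq=171 Ack=229 Win=131072 Len=0
46 12:30:20.706338 192.168.1.99 23.43.56.203 TCP 54 58050 → 80 [RST, ACK] Seq=171 Ack=229 Win=0 Len=0
"""

# Constructed negative case: the client acknowledges byte 500 although the server only sent 228 bytes.
BAD_TRACE = TRACE.replace("Ack=229", "Ack=500")

LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)
FLAGS_RE = re.compile(r"\[([A-Z, ]+)\]")
KV_RE = re.compile(r"\b(Seq|Ack|Len)=(\d+)")


def parse_line(line):
    """Turn one Wireshark packet-list line into a dict with flags, seq, ack and payload length."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised summary line: %r" % line)
    pkt = {
        "no": int(m["no"]), "src": m["src"], "dst": m["dst"],
        "proto": m["proto"], "len": int(m["len"]),
        "flags": set(), "seq": None, "ack": None, "payload": 0,
    }
    info = m["info"]
    fm = FLAGS_RE.search(info)
    if fm:
        pkt["flags"] = {f.strip() for f in fm.group(1).split(",")}
    kv = {k: int(v) for k, v in KV_RE.findall(info)}
    if pkt["proto"] == "TCP":
        pkt["seq"], pkt["ack"], pkt["payload"] = kv.get("Seq"), kv.get("Ack"), kv.get("Len", 0)
    else:
        # HTTP dissector line: Seq/Ack are hidden, so only the payload size is recoverable
        # (frame length minus the assumed fixed headers). Flags assumed PSH,ACK for a data segment.
        pkt["flags"] = {"ACK", "PSH"}
        pkt["payload"] = pkt["len"] - HDR_LEN
    return pkt


@dataclass
class Endpoint:
    next_seq: int = 1  # relative numbering: the first data byte after the handshake is 1
    last_ack: int = 1  # highest ACK this endpoint has sent so far


def check_acks(trace):
    """Replay the lines in order; return [(frame_no, verdict), ...] for every frame."""
    ends = {}
    verdicts = []
    for line in trace.strip().splitlines():
        p = parse_line(line)
        me = ends.setdefault(p["src"], Endpoint())
        peer = ends.setdefault(p["dst"], Endpoint())
        # HTTP lines carry no Seq, so assume the segment is in order (starts at our next_seq).
        seq = p["seq"] if p["seq"] is not None else me.next_seq
        if p["ack"] is None:
            verdict = "ack not shown"
        elif p["ack"] > peer.next_seq:
            verdict = "invalid ack: %d acknowledges %d byte(s) the peer never sent" % (
                p["ack"], p["ack"] - peer.next_seq)
        elif p["ack"] < me.last_ack:
            verdict = "invalid ack: %d is below this side's previous ack %d" % (p["ack"], me.last_ack)
        else:
            verdict = "ack ok"
            me.last_ack = p["ack"]
        if "RST" in p["flags"] and verdict.startswith("invalid"):
            verdict = "RST with " + verdict  # the shutdown variant of the same condition
        me.next_seq = max(me.next_seq, seq + p["payload"])  # advance the sender's sent-byte mark
        verdicts.append((p["no"], verdict))
    return verdicts


if __name__ == "__main__":
    for label, t in (("trace from the post", TRACE), ("constructed bad ACK", BAD_TRACE)):
        print(label)
        for no, v in check_acks(t):
            print("  frame %d: %s" % (no, v))
```

    Run against the five frames from the post, every visible ACK is consistent with the bytes the other side sent (frame 24 acks the 170-byte HEAD, frames 35 and 46 ack the 228-byte 200 OK), so whatever the engine objected to is not visible in these five lines; frames 26 to 34 and 36 to 45 belong to the other sessions and are not shown. The constructed trace flags frame 35 as an invalid ACK and frame 46 as a RST with an invalid ACK, which is the pattern the two SIDs describe.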

  5. #5
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,799

    Default

    That explains a lot. CCleaner once served a purpose, but (IMO) in modern Windows it does more harm than good.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  6. #6
    Untangler
    Join Date
    Oct 2017
    Posts
    39

    Default

    I agree with you about CCleaner; it has outlived its usefulness. However, that still doesn't explain what is going on with Intrusion Prevention. Can someone on the Untangle staff answer the following questions for me:

    1. Is Intrusion Prevention supposed to be scanning outgoing packets as well as inbound? Its name would imply not.
    2. Why are these packets being blocked when the signature rules and recommended action clearly state "log"?
    3. Are these packets actually being blocked or is it an error in logging that is saying they are blocked but in actuality not?

    Thanks
    Mike

  7. #7
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,799

    Default

    I haven't used Intrusion Prevention yet myself, so I can't speak to 2 or 3. But for #1, Untangle apps scan anything that moves through Untangle's UVM.

    Often, Untangle installations will have a DMZ in addition to WAN and LAN (especially the kinds of Untangle deployments likely to use Intrusion Prevention), and this allows the module to protect DMZ servers against local traffic (which may often include a public "guest" network). It's also great for finding compromised clients on your local network.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,304

    Default

    1.) All Untangle modules, unless otherwise specified are directionally agnostic. Intrusion Prevention is no exception, it scans all traffic.
    2.) Need more detail, but I'm seeing some similar behavior on my Intrusion Prevention module, blocks being reported when I don't have any signatures enabled that are supposed to block.
    3.) Very possible, but unknown.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangler
    Join Date
    Oct 2017
    Posts
    39

    Default

    Thanks for the confirmation on question 1 and the Use Case description.
    Guess we need to wait and see if one of the Untangle employees will chime in on questions 2 & 3. But it's nice to know I'm not the only one seeing blocked packets being reported.
