Steps to reproduce
Accept with logging enabled for ICMP protocol, allowing traffic from LAN to WAN.
Expected behavior
The log entries for the allowed traffic are properly recorded in /var/log/messages but not categorized as security threats in the real-time monitor
Actual behavior
The packets are written in /var/log/messages:
Feb 13 18:00:22 fw-ldg kernel: [780449.208045] log-ping: IN=br-lan OUT=eth1 MAC=bc:24:11:7b:39:c4:04:2b:58:03:cd:36:08:00 SRC=192.168.110.50 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=11213 DF PROTO=ICMP TYPE=8 CODE=0 ID=7907 SEQ=1
Feb 13 18:00:24 fw-ldg kernel: [780451.842337] log-ping: IN=br-lan OUT=eth1 MAC=bc:24:11:7b:39:c4:04:2b:58:03:cd:36:08:00 SRC=192.168.110.50 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12013 DF PROTO=ICMP TYPE=8 CODE=0 ID=7910 SEQ=1
Feb 13 18:00:47 fw-ldg kernel: [780474.110908] log-ping: IN=br-lan OUT=eth1 MAC=bc:24:11:7b:39:c4:04:2b:58:03:cd:36:08:00 SRC=192.168.110.50 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30032 DF PROTO=ICMP TYPE=8 CODE=0 ID=7990 SEQ=1
Feb 13 18:00:48 fw-ldg kernel: [780475.355413] log-ping: IN=br-lan OUT=eth1 MAC=bc:24:11:7b:39:c4:04:2b:58:03:cd:36:08:00 SRC=192.168.110.50 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30191 DF PROTO=ICMP TYPE=8 CODE=0 ID=7991 SEQ=1
The issue shows in the real-time monitor under the "security" section and increments the count for "Blocked threats."
root@fw-ldg:~# cat /tmp/ns.report/tsip-malware-report.json | jq '.malware_by_hour[] | select(.[0] == 18)'
[ 18, 4 ]
Components
NethSecurity version: 8-23.05.5-ns.1.4.1
See also
nethsecurity/packages/ns-api/files/ns.report
Line 94 in da2a652
Check the issue is not reproducible
Confirm fixed, logs are properly recorded in /var/log/messages
Mar 5 12:21:24 nsec8-vm kernel: [ 1720.118171] log-icmp: IN=br-lan OUT=eth1 MAC=52:54:00:6e:2c:b3:52:54:00:f3:f6:fb:08:00 SRC=10.20.30.105 DST=216.58.204.227 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=63108 DF PROTO=ICMP TYPE=8 CODE=0 ID=569 SEQ=1
and correctly not counted as a threat:
root@nsec8-vm:~# cat /tmp/ns.report/tsip-malware-report.json
{"first_seen": 0, "malware_count": 0, "malware_by_hour": [[0, 0], [1, 0], [2, 0], [3, 0], [4, 0], [5, 0], [6, 0], [7, 0], [8, 0], [9, 0], [10, 0], [11, 0], [12, 0], [13, 0], [14, 0], [15, 0], [16, 0], [17, 0], [18, 0], [19, 0], [20, 0], [21, 0], [22, 0], [23, 0]], "malware_by_category": {}, "malware_by_chain": {}}
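A cross-check of the report against the kernel log, as an added example that is not part of the original issue or of the NethSecurity code: it parses netfilter LOG lines, counts per hour only those whose rule prefix marks a block, and flags hours where `malware_by_hour` reports more than the log supports. The block prefix `example-block` and all function names are assumptions; the sample lines are constructed from the log excerpt in the issue.

```python
import re
from collections import Counter

# "<Mon> <day> <HH:MM:SS> <host> kernel: [<uptime>] <prefix>: IN=... KEY=VALUE ..."
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+kernel:\s+"
    r"\[\s*[\d.]+\]\s+(?P<prefix>[^:]+):\s+(?P<fields>IN=.*)$"
)

def parse_line(line):
    """Return (hour, prefix, fields) for a netfilter LOG line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        # Bare flags such as DF have no '='; ID appears twice (IP header,
        # then ICMP echo), so only the first occurrence is kept.
        if sep and key not in fields:
            fields[key] = value
    return int(m.group("hour")), m.group("prefix"), fields

def hits_by_hour(lines, prefixes):
    """Count log lines per hour whose rule prefix is in `prefixes`."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in prefixes:
            counts[parsed[0]] += 1
    return counts

def overcounted_hours(report, lines, block_prefixes):
    """Map hour -> (reported, expected) where the report exceeds the log."""
    expected = hits_by_hour(lines, block_prefixes)
    return {h: (n, expected[h]) for h, n in report["malware_by_hour"] if n > expected[h]}

# Constructed sample mirroring the four accepted pings logged in the issue.
SAMPLE_LOG = [
    f"Feb 13 18:00:{sec} fw-ldg kernel: [{up}] log-ping: IN=br-lan OUT=eth1 "
    f"SRC=192.168.110.50 DST=1.1.1.1 LEN=84 TTL=63 ID={ip_id} DF PROTO=ICMP "
    f"TYPE=8 CODE=0 ID={icmp_id} SEQ=1"
    for sec, up, ip_id, icmp_id in [
        ("22", "780449.208045", 11213, 7907), ("24", "780451.842337", 12013, 7910),
        ("47", "780474.110908", 30032, 7990), ("48", "780475.355413", 30191, 7991)]
]
BLOCK_PREFIXES = {"example-block"}        # hypothetical prefix of blocking rules
REPORT_BEFORE = {"malware_by_hour": [[18, 4]]}   # hour-18 entry from the jq output

if __name__ == "__main__":
    print(overcounted_hours(REPORT_BEFORE, SAMPLE_LOG, BLOCK_PREFIXES))
```

An empty result means every reported hour is backed by at least as many block-prefixed log lines; lines from an accept-with-logging rule such as `log-ping` never contribute to the expected count.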