• Snort: Alert log format

    logs format
    0 Votes
    9 Posts
    7k Views
    @johnnybee I have the same question. Please share with me if you have the answer. Thanks in advance.
  • Best way to block when behind a proxy

    0 Votes
    4 Posts
    692 Views
    @bmeeks was hoping there was some…trickery. But alas it’s reading the IP header so not much can be done
  • Suricata Alert Log View Filter

    0 Votes
    3 Posts
    317 Views
    NogBadTheBad
    @bmeeks Thanks Bill.
  • Snort block only inbound traffic

    0 Votes
    2 Posts
    226 Views
    bmeeks
    The only way to accomplish that would be to rewrite all the rules and reverse the direction logic. That's a lot of work.
  • Snort Custom Rule not alerting on traffic

    snort ids
    0 Votes
    5 Posts
    2k Views
    @bmeeks Ah, that is right. I might have gotten confused with that field. It does work omitting the content section. I appreciate your help!
  • Suricata inline mode with Netgate 6100

    0 Votes
    8 Posts
    2k Views
    bmeeks
    @pfsjap said in Suricata inline mode with Netgate 6100: Wasn't a driver issue after all. MTU of this interface was 9000 and netmap buffer size (dev.netmap.buf_size) was 2048 (default). After setting buffer size to 9100, Suricata started in inline mode. Found this tunable in here. Ah! Good detective work. The error message certainly was not helpful in this instance. It could have said "out of memory" or "insufficient buffer size" you would think. This error comes from the netmap device code within FreeBSD and has nothing to do with Suricata's use of netmap. Not many folks are using MTU sizes larger than 1500, though.
  • Is Suricata package updates blocked by an internal decision?

    0 Votes
    15 Posts
    3k Views
    DefenderLLC
    @bmeeks Thank you, Mr. Meeks.
  • Snort vs Suricata Lists

    0 Votes
    5 Posts
    658 Views
    DefenderLLC
    @Dobby_ Good idea. I do have two 8GB RP4B's just sitting around doing nothing. I was using those for Pi-hole before switching to pfBlockerNG.
  • Blocking p2p on vlan

    0 Votes
    5 Posts
    359 Views
    @the-other I got pfblockerng installed... are there preloaded p2p blocklists or is this something I need to create myself?
  • How to enable IPS - Blocked Offenders is enabled

    0 Votes
    7 Posts
    2k Views
    @bmeeks I meant to update this thread before your response. Beat me to the punch. My misunderstanding is really how to work with the GUI in regards to IPS/IDS. Some of the elements aren't exactly clear so it did require poking through several threads here to understand how the pieces work.
  • how to disable default suricata rules on specific interface

    0 Votes
    2 Posts
    663 Views
    NollipfSense
    @jpgpi250 I usually turn off rules here...see arrow in Emerging DNS... [image: 1685541192483-screenshot-2023-05-31-at-8.47.49-am-resized.png]
  • How to implement simple generic auto ban function?

    0 Votes
    1 Posts
    249 Views
    No one has replied
  • [Snort] Possible flaw in ET rules and IPS Policy Security

    0 Votes
    8 Posts
    1k Views
    Dobby_
    May 27 16:02:49 kernel pid 38637 (snort), jid 0, uid 0, was killed: failed to reclaim memory
    May 27 16:02:49 kernel pid 38637 (snort), jid 0, uid 0, was killed: failed to reclaim memory
    Can be pointed to the storage space and/or the amount of ram.
  • 0 Votes
    9 Posts
    2k Views
    @ASGR71 Yes but to be fair 98% of them don’t have any inbound ports forwarding. Some for games or uPnP I suppose. Since I don’t see I mentioned it above, if one runs Snort or Suricata on WAN, that runs outside the firewall so will block all sorts of things that would get blocked anyway. Running it on LAN avoids a lot of scanning plus will show internal IPs in the alerts.
  • [solved] Suricata Inline Mode with WireGuard interface?

    0 Votes
    2 Posts
    405 Views
    NollipfSense
    @Bob-Dig said in Suricata Inline Mode with WireGuard interface?: Is it a good or a bad idea? Interesting question, indeed. One would need a dedicated NIC since one needs Netmap. I was thinking the other day wondering how to assign a NIC to Wireguard...that's how far I got.
  • Is Snort blocking working?

    0 Votes
    3 Posts
    244 Views
    @SteveITS I'm an idiot, was pinging from the wrong firewall! It is indeed blocking. Sorry. I'll delete my post.
  • Can I (how do I) exempt traffic from certain IPs from being scanned

    0 Votes
    16 Posts
    779 Views
    @bmeeks Thanks for this precise description. OK reverted to scanning LAN ;)
  • Snort Inline drop/reject and pass/alert in rules

    0 Votes
    1 Posts
    252 Views
    No one has replied
  • Access from PFSense itself is being blocked by Suricata.

    0 Votes
    5 Posts
    443 Views
    @yet_learningpfsense Also if you’re running Suricata on WAN I’d recommend putting it on LAN. Otherwise it scans outside the firewall so scans all inbound to-be-blocked packets and can only see the NATted IP not LAN devices.
  • snort running to half stop many times a day

    0 Votes
    23 Posts
    3k Views
    @steveits pfsense restart
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.