Netgate Discussion Forum

Suricata V3.0 Inline Mode

30 Posts 11 Posters 16.7k Views
  • B
    bmeeks
    last edited by Apr 28, 2016, 10:54 PM

    @pfsenseboonie:

    Ok the likely problem is Netmap.

    Yes, Netmap and some NIC drivers are misbehaving badly in the kernel at the moment. There are threads in the INSTALL and UPGRADES forum and elsewhere about it. It seems to depend on your exact NIC as to whether or not you have issues. Some folks immediately lose connectivity, for others it takes hours or a few days, and some seem to have no problems.

    I believe the pfSense developer team is looking into the Netmap issues.  It is probably not a pfSense thing and is instead either an upstream bug in Netmap or FreeBSD.

    Bill

    • N
      ntct
      last edited by Apr 29, 2016, 12:46 AM

      I look forward to the issue being fixed and enabling inline mode in my production environment.

      Thanks pfSense developer team and Bill.

      • P
        pfcode
        last edited by May 20, 2016, 12:04 AM May 19, 2016, 10:12 PM

        Was this issue fixed in 2.3.1?

        Release: pfSense 2.4.3(amd64)
        M/B: Supermicro A1SRi-2558F
        HDD: Intel X25-M 160G
        RAM: 2x8Gb Kingston ECC ValueRAM
        AP: Netgear R7000 (XWRT), Unifi AC Pro

        • W
          Wisiwyg
          last edited by May 20, 2016, 3:38 PM

          or 2.3.2?

          Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

          • A
            alfoudam
            last edited by Aug 29, 2016, 12:42 PM

            It works perfectly  ;D !!!!!!!

            Thanx ! Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !

            • J
              jwsmiths
              last edited by Aug 31, 2016, 1:15 PM

              @alfoudam:

              It works perfectly  ;D !!!!!!!

              Thanx ! Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !

              Does hardware offloading still need to be disabled?

              • G
                gars1978 @bmeeks
                last edited by Oct 11, 2021, 9:15 AM

                @bmeeks May I ask if I can use this sample format?

                The categories shown below will have all rules changed from "alert" to "drop"

                etpro-dns,etpro-botcc,etpro-malware,etpro-tor,etpro-trojan

                1:2181,1:2180,1:2016662,1:2008581,1:16282,1:2012247,1:2008585,1:16282,1:2010144,1:2016662,1:2102180,1:2011706,1:2102181

                • B
                  bmeeks @gars1978
                  last edited by bmeeks Oct 11, 2021, 12:01 PM Oct 11, 2021, 12:01 PM

                  @gars1978 said in Suricata V3.0 Inline Mode:

                  @bmeeks May I ask if I can use this sample format?

                  The categories shown below will have all rules changed from "alert" to "drop"

                  etpro-dns,etpro-botcc,etpro-malware,etpro-tor,etpro-trojan

                  1:2181,1:2180,1:2016662,1:2008581,1:16282,1:2012247,1:2008585,1:16282,1:2010144,1:2016662,1:2102180,1:2011706,1:2102181

                  Yes, but you will need to note that first sentence as a "comment" by adding a pound sign ("#") at the front of the line.

                  Otherwise you should be good. I can't 100% remember if the logic will accept the commas between category names, or if it prefers each category to be listed on a separate line. You can try it and see. When you save the change and apply the SID management rules logic, you can check the corresponding log under the LOGS VIEW tab. I believe the log file is called sid_changes.log (or something similar). In that log Suricata will summarize what actions were taken on SID Management conf files.

                  • G
                    gars1978 @bmeeks
                    last edited by Oct 11, 2021, 12:14 PM

                    @bmeeks

                    I followed your steps. It's a little bit tricky, but in the end I think it's working. My format in dropsid.conf is:

                    1:2181,1:2180,1:2016662,1:2008581,1:16282,1:2012247,1:2008585,1:16282,1:2010144,1:2016662,1:2102180,1:2011706,1:2102181

                    Only...

                    Those signatures are a list of torrent signatures, which are very annoying in my network. My neighbor is taking all the bandwidth, and now it's fair for all users :)

                    Thank you very much sir, it's a big help for us.

                    FYI: I just enabled "Enable Automatic SID State Management",
                    the SID State Order is disable, enable,
                    for Drop SID List I selected my dropSID.conf,
                    and the other selections are none.

                    I'm using Legacy Mode only, because my pfSense hangs when I select Inline Mode with the "Block On DROP Only" tick box checked.

                    Hope it helps some other people too.

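The two posts above describe the dropsid.conf format used by the package's SID management feature: "#" lines are comments, category names may be comma separated or one per line, and individual rules are listed as gid:sid pairs. The following is an added example, not the pfSense Suricata package's own code, that parses a constructed file in that format and applies it to a few constructed rules, so you can see which rules would flip from "alert" to "drop" before enabling it in production. The sample rule texts and the function names are assumptions made for this example.

```python
"""Added example (not the pfSense/Suricata package's code): parse a SID-management
conf file in the format discussed in the thread and apply it to sample rules."""
import re

SID_RE = re.compile(r"^(\d+):(\d+)$")

# Constructed dropsid.conf in the thread's format: a '#' comment line, a
# comma-separated category line and a gid:sid line (SIDs taken from the thread).
DROPSID_CONF = """\
# The categories shown below will have all rules changed from "alert" to "drop"
etpro-dns,etpro-botcc
1:2181,1:2180,1:2016662
"""

# Constructed (category, rule text) pairs; message strings are placeholders.
SAMPLE_RULES = [
    ("etpro-dns", 'alert dns any any -> any any (msg:"constructed"; sid:9000001; rev:1;)'),
    ("etpro-policy", 'alert tcp any any -> any any (msg:"constructed"; sid:2181; rev:1;)'),
    ("etpro-policy", 'alert tcp any any -> any any (msg:"constructed"; sid:9000002; rev:1;)'),
    ("etpro-botcc", 'drop ip any any -> any any (msg:"constructed"; sid:9000003; rev:1;)'),
]


def parse_sid_conf(text):
    """Return (categories, sids). Entries may be comma- or newline-separated;
    anything after '#' is a comment. A token shaped gid:sid is a SID, any other
    token is treated as a category name (so an uncommented sentence becomes a
    bogus category, which is why the first line must start with '#')."""
    categories, sids = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        for tok in (t.strip() for t in line.split(",") if t.strip()):
            m = SID_RE.match(tok)
            if m:
                sids.add((int(m.group(1)), int(m.group(2))))
            else:
                categories.add(tok.lower())
    return categories, sids


def apply_drop(rules, categories, sids):
    """Flip 'alert' to 'drop' for rules whose category or gid:sid is listed.
    Rules without an explicit gid default to gid 1, as Suricata does."""
    out = []
    for category, rule in rules:
        gid_m = re.search(r"\bgid:\s*(\d+);", rule)
        gid = int(gid_m.group(1)) if gid_m else 1
        sid = int(re.search(r"\bsid:\s*(\d+);", rule).group(1))
        action, rest = rule.split(None, 1)
        if action == "alert" and (category.lower() in categories or (gid, sid) in sids):
            rule = "drop " + rest
        out.append(rule)
    return out
```

Running `apply_drop(SAMPLE_RULES, *parse_sid_conf(DROPSID_CONF))` shows the category match and the gid:sid match both flipped, the unlisted rule untouched, and the rule that was already "drop" left alone.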
                    • S
                      Spacey @bmeeks
                      last edited by Apr 7, 2022, 10:34 PM

                      @bmeeks I honestly don't know why stuff like this isn't enabled from the get go. Having to uncomment lines and tweak packages after the fact is a pain; as with all things, there never is a baseline, which really sucks.

                      • B
                        bmeeks @Spacey
                        last edited by Apr 8, 2022, 12:45 PM

                        @spacey said in Suricata V3.0 Inline Mode:

                        @bmeeks I honestly don't know why stuff like this isn't enabled from the get go. Having to uncomment lines and tweak packages after the fact is a pain; as with all things, there never is a baseline, which really sucks.

                        What are you talking about? What should be enabled "from the get to"?

                        • S
                          Spacey @bmeeks
                          last edited by Apr 14, 2022, 2:57 AM

                          @bmeeks Get go* the sample.conf files shouldn't have #comments and should just be enabled

                          • B
                            bmeeks @Spacey
                            last edited by bmeeks Apr 14, 2022, 12:39 PM Apr 14, 2022, 3:18 AM

                            @spacey said in Suricata V3.0 Inline Mode:

                            @bmeeks Get go* the sample.conf files shouldn't have #comments and should just be enabled

                            The comments are there to be instructive so the admin can see how to customize their rules. The whole purpose of that tab is to allow customization of rules depending upon the network environment.

                            I am still not understanding what you are asking for. With an IDS/IPS, there is no one-size-fits-all setup. That's why a lot of experience and knowledge about threats and exposures is required in order to be a qualified IDS/IPS administrator. You pick and choose the rules using knowledge of the specific exposures/vulnerabilities present in your individual network.
