Suricata & P2P Blocking - Working but would like to fine tune.
-
EDIT: I should have mentioned that we also tried to change the block to DST. That seems to work for most peers on a P2P download, but there are always a handful that never get blocked and the download eventually finishes. I suppose because the encrypted connection gets established before the block??
-
If you have hardware that supports Inline IPS Mode, that will work better as it drops individual packets (P2P, for example) without blocking the entire IP address. The Suricata package will let you know whether or not your hardware supports Inline IPS Mode when you attempt to enable it and save the change.
Also note that using that mode, you must manually change the action of the rules you want to block traffic from their default of ALERT to DROP. You can most easily do that by using the features described on the SID MGMT tab. Look at the example *.conf files there to see how that works.
-
@bmeeks thanks. I played around with that today with some not great results. I adjusted our testing vlan and enabled Inline IPS. (we have Intel x540-at2 NICs in the server which are on the supported list and the GUI didn't complain) Within seconds all clients across all vlans on the server stopped functioning. All our lan segments are vlans off one of the x540 NICs and after digging a little I found a couple of posts saying that inline mode doesn't work well with single NICs that have multiple vlans assigned. Is that the case and the issue that I likely ran into? Or was it that there was a mix of Legacy and Inline on the same NIC, but diff vlans?
-
To expand a bit... all offloading settings for the NIC are disabled per recommendations and Run Mode was set to Workers. New clients could not get a DHCP address, those with existing or even fixed addresses could not ping the gateway across all vlans. As soon as I disabled the interface with Inline enabled, things came back to life on the other interfaces within a minute or so.
-
Yes, VLANs and Inline IPS Mode do not play well due to limitations with how the kernel's netmap device works with VLANs. You can have some luck by running a single Suricata instance on the physical parent interface instead of multiple instances on each VLAN.
So, for example, if your VLANs were ix0.100, ix0.200, ix0.300, then you would configure a single Suricata instance on ix0.
-
@bmeeks Unless I'm missing something, it does not appear that you can assign Suricata to the parent interface when things are vlan’d. It's not an option in the drop down list as things are normally configured with vlans.
If I add the parent ix1 interface as an assignment within pfSense itself (with or without giving it an actual IP address), then all the vlans on that interface stop functioning. Doesn’t matter if the interface is enabled or disabled in the pfSense UI. As soon as I delete the assignment on the parent interface, all the vlans start working again.
-
@PalisadesTahoe said in Suricata & P2P Blocking - Working but would like to fine tune.:
@bmeeks Unless I'm missing something, it does not appear that you can assign Suricata to the parent interface when things are vlan’d. It's not an option in the drop down list as things are normally configured with vlans.
If I add the parent ix1 interface as an assignment within pfSense itself (with or without giving it an actual IP address), then all the vlans on that interface stop functioning. Doesn’t matter if the interface is enabled or disabled in the pfSense UI. As soon as I delete the assignment on the parent interface, all the vlans start working again.
Hmm... currently I do not have an environment where I can test VLAN connectivity with Suricata.
One issue that currently exists in FreeBSD is that the netmap kernel device cannot properly parse interface names with the VLAN ID suffix added. So, for example, the call to open a netmap instance on an interface named ix1.897 would fail because the netmap parser treats the period as a reserved special character and rejects it as part of a valid interface name. There was an update to the netmap device upstream about two weeks ago that fixes this, but that update is not in either of the current pfSense RELEASE editions (it's not in CE nor Plus). It should be in the next pfSense release (which currently looks like it will be 24.03 for Plus).
When I first replied to your post I was remembering more how Snort works than Suricata. After going back and refreshing my memory by examining the Suricata GUI package code, I remembered that the GUI code automatically strips out the VLAN IDs and attempts to run the instance on the physical parent instead. That worked when I tested it quite some time in the past. But it appears to be failing in your case -- likely because there is no instance of the physical interface active.
VLANs and Inline IPS Mode are more or less incompatible. While it can work in some limited ways sometimes with certain NIC drivers, it is not reliable. Inline IPS Mode works best on plain vanilla interfaces. That means no VLANs, no Bridges, and no LAGGs. VLANs, Bridges, and LAGGs are all types of virtual interfaces in FreeBSD. Netmap wants to work with physical interfaces only. It is very cantankerous with virtual interfaces.
-
I have a DMZ interface that's on a trunk (tagged) port on the firewall. I can't use Inline for this but I do want that additional visibility. Can I run Suricata in IDS mode then on this trunked interface? What about IPS? Can I use legacy and have it work?
-
@michmoor said in Suricata & P2P Blocking - Working but would like to fine tune.:
I have a DMZ interface that's on a trunk (tagged) port on the firewall. I can't use Inline for this but I do want that additional visibility. Can I run Suricata in IDS mode then on this trunked interface? What about IPS? Can I use legacy and have it work?
Legacy Mode should work fine. It uses the PCAP library, and that library is happy with virtual interfaces (or physical ones). It is only netmap that is picky, but Inline IPS requires netmap to function. Legacy Mode does not need netmap as it uses pf itself to implement blocks by adding IP addresses to a pre-existing pf table.
The trade-off is Legacy Mode blocks an IP entirely (once blocked, all traffic to/from that IP is blocked). Inline IPS Mode can selectively drop individual packets without needing to block the IP entirely.
-
@bmeeks
Thanks for clearing that up. I'm bookmarking your comment.
This has been a confusing one for me. What works, what doesn't, and when should you apply it, etc.
Really appreciate it
-
@bmeeks said in Suricata & P2P Blocking - Working but would like to fine tune.:
VLANs and Inline IPS Mode are more or less incompatible.
That seals the deal then. Until we put 8 more NICs into this server, I guess we're blocking hosts and not packets. Thanks again for the detailed info and prompt replies.
-
@PalisadesTahoe said in Suricata & P2P Blocking - Working but would like to fine tune.:
@bmeeks said in Suricata & P2P Blocking - Working but would like to fine tune.:
VLANs and Inline IPS Mode are more or less incompatible.
That seals the deal then. Until we put 8 more NICs into this server, I guess we're blocking hosts and not packets. Thanks again for the detailed info and prompt replies.
That is likely the best option for now - at least until the netmap device can open VLAN interfaces properly. Here is the upstream FreeBSD commit I referred to earlier: https://github.com/pfsense/FreeBSD-src/commit/ad874544d9f018bf8eef4053b5ca7b856c4674cb. This went into FreeBSD about two weeks ago, and recently got merged into the development branch of pfSense. That's why it should be available in the next production release.
A good bit of netmap device improvement has come from the OPNsense team with the assistance of the Sunny Valley and Klara folks as well. As they roll fixes into FreeBSD, they get inherited into pfSense when the Netgate team merges the updated kernel code.
-
Hi @bmeeks,
Sorry to hijack an old thread, but quick question. We're about to build a new pfSense server for similar use and plan on using Suricata again. I'm curious what 10G network adapters you would recommend so that we could enable inline IPS? Are we OK sticking with the Intel x540-AT2 adapters that we have in our current server now that the netmap patch mentioned has been committed into the FreeBSD code?
Thanks!
-
@PalisadesTahoe said in Suricata & P2P Blocking - Working but would like to fine tune.:
Hi @bmeeks,
Sorry to hijack an old thread, but quick question. We're about to build a new pfSense server for similar use and plan on using Suricata again. I'm curious what 10G network adapters you would recommend so that we could enable inline IPS? Are we OK sticking with the Intel x540-AT2 adapters that we have in our current server now that the netmap patch mentioned has been committed into the FreeBSD code?
Thanks!
Sorry, but I have no knowledge of 10G NICs. My guess is that support in FreeBSD will be hit or miss, especially where netmap is concerned.
There are far more high-speed Suricata deployments on Linux platforms than there are on FreeBSD. The upstream Suricata team does rather extensive testing and benchmarking on Linux. All they do for FreeBSD is make sure the code compiles. They do no performance testing/optimization on FreeBSD that I am aware of.
If I were considering a true 10G deployment of IDS/IPS, then I would use a separate hardware platform running a current Linux variant and configure Suricata using the applicable Deb/RPM package for the chosen Linux distro. Suricata on pfSense is going to always use the host rings interface, and that is inherently slower than direct hardware interfaces. When you run separate dedicated IDS/IPS hardware, you can utilize two separate NICs for input and output traffic without need of host rings.
-
@bmeeks Thanks. We're kind of stuck on fBSD since it's the backend of pfSense at the moment.
-
@PalisadesTahoe said in Suricata & P2P Blocking - Working but would like to fine tune.:
@bmeeks Thanks. We're kind of stuck on fBSD since it's the backend of pfSense at the moment.
I don't think you will get anywhere near 10G performance using IDS/IPS with pfSense right now. The use of the host rings interface with netmap is just not capable of that.
What I'm talking about is a completely separate box sitting between your LAN and the pfSense interface, or between pfSense and your WAN connection. A true dual-port NIC hardware device similar to the old Sourcefire IPS appliance.
Something similar to this, but built with your own hardware: https://www.cisco.com/c/en/us/support/security/firepower-8000-series-appliances/series.html. The network traffic goes in one NIC port and comes out of another (matching NIC port pairs for each traffic path) similar to a bridge. With enough CPU and RAM, that type of arrangement can easily hit 10G throughput.
-
Quick update for anyone that might stumble on this later. New server, same results:
- pfSense+ 24.11-RELEASE
- FreeBSD 15.0-CURRENT
- Suricata 7.0.7_5
- NICs are Broadcom BCM57414 (bnxt0) instead of Intel this time
- Everything else same as above in original post
New server is still utilizing VLANs. If I put blocking into INLINE mode, all the vlans on the affected NIC stop responding until the server is rebooted. Might be a way to get things back to life, but I didn't spend a lot of time troubleshooting. Disabling Suricata on the interface and disabling/enabling the interface(s) have no effect. I checked on the linked netmap bug and it seems like it was committed and should have trickled into the fBSD code base by now.
Here's the Suricata log from an attempt with INLINE enabled.
[101616 - Suricata-Main] 2024-12-06 11:06:52 Notice: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
[101616 - Suricata-Main] 2024-12-06 11:06:52 Info: cpu: CPUs/cores online: 24
[101616 - Suricata-Main] 2024-12-06 11:06:52 Info: netmap: Netmap: Setting IPS mode
[101616 - Suricata-Main] 2024-12-06 11:06:52 Info: app-layer-htp-mem: HTTP memcap: 67108864
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: logopenfile: fast output device (regular) initialized: alerts.log
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: alert-syslog: Syslog output initialized
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: detect: 1 rule files processed. 33 rules successfully loaded, 0 rules failed, 0
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: detect: 33 signatures processed. 0 are IP-only rules, 14 are inspecting packet payload, 19 inspect application layer, 0 are decoder event only
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: TCP toserver: 8 port groups, 5 unique SGH's, 3 copies
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: TCP toclient: 2 port groups, 2 unique SGH's, 0 copies
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: UDP toserver: 3 port groups, 2 unique SGH's, 1 copies
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Unique rule groups: 10
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "toserver TCP packet": 3
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "toclient TCP packet": 2
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "toserver TCP stream": 4
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "toclient TCP stream": 1
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "toserver UDP packet": 2
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "toclient UDP packet": 1
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: Builtin MPM "other IP packet": 0
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: AppLayer MPM "toserver http_uri (http)": 2
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 2
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 2
[100691 - Suricata-Main] 2024-12-06 11:06:52 Perf: netmap: bnxt0: using 12 threads
[100691 - Suricata-Main] 2024-12-06 11:06:52 Info: runmodes: bnxt0: creating 12 threads
[103571 - W#01-bnxt0] 2024-12-06 11:06:52 Info: netmap: netmap:bnxt0-0/R@conf:host-rings=12: bnxt0 opened [fd: 8]
[103571 - W#01-bnxt0] 2024-12-06 11:06:52 Info: netmap: netmap:bnxt0^0/T@conf:host-rings=12: bnxt0^ opened [fd: 9]
[103622 - W#02-bnxt0] 2024-12-06 11:06:52 Info: netmap: netmap:bnxt0-1/R: bnxt0 opened [fd: 10]
[103622 - W#02-bnxt0] 2024-12-06 11:06:52 Info: netmap: netmap:bnxt0^1/T: bnxt0^ opened [fd: 11]
[103623 - W#03-bnxt0] 2024-12-06 11:06:52 Info: netmap: netmap:bnxt0-2/R: bnxt0 opened [fd: 12]
[103623 - W#03-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0^2/T: bnxt0^ opened [fd: 13]
[103624 - W#04-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0-3/R: bnxt0 opened [fd: 14]
[103624 - W#04-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0^3/T: bnxt0^ opened [fd: 15]
[103625 - W#05-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0-4/R: bnxt0 opened [fd: 16]
[103625 - W#05-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0^4/T: bnxt0^ opened [fd: 17]
[103626 - W#06-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0-5/R: bnxt0 opened [fd: 18]
[103626 - W#06-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0^5/T: bnxt0^ opened [fd: 19]
[103627 - W#07-bnxt0] 2024-12-06 11:06:53 Info: netmap: netmap:bnxt0-6/R: bnxt0 opened [fd: 20]
[103627 - W#07-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0^6/T: bnxt0^ opened [fd: 21]
[103629 - W#08-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0-7/R: bnxt0 opened [fd: 22]
[103629 - W#08-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0^7/T: bnxt0^ opened [fd: 23]
[103630 - W#09-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0-8/R: bnxt0 opened [fd: 24]
[103630 - W#09-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0^8/T: bnxt0^ opened [fd: 25]
[103631 - W#10-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0-9/R: bnxt0 opened [fd: 26]
[103631 - W#10-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0^9/T: bnxt0^ opened [fd: 27]
[103632 - W#11-bnxt0] 2024-12-06 11:06:54 Info: netmap: netmap:bnxt0-10/R: bnxt0 opened [fd: 28]
[103632 - W#11-bnxt0] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0^10/T: bnxt0^ opened [fd: 29]
[103633 - W#12-bnxt0] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0-11/R: bnxt0 opened [fd: 30]
[103633 - W#12-bnxt0] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0^11/T: bnxt0^ opened [fd: 31]
[100691 - Suricata-Main] 2024-12-06 11:06:55 Perf: netmap: bnxt0^: using 12 threads
[100691 - Suricata-Main] 2024-12-06 11:06:55 Info: runmodes: bnxt0^: creating 12 threads
[103634 - W#01-bnxt0^] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0^0/R@conf:host-rings=12: bnxt0^ opened [fd: 32]
[103634 - W#01-bnxt0^] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0-0/T@conf:host-rings=12: bnxt0 opened [fd: 33]
[103635 - W#02-bnxt0^] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0^1/R: bnxt0^ opened [fd: 34]
[103635 - W#02-bnxt0^] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0-1/T: bnxt0 opened [fd: 35]
[103636 - W#03-bnxt0^] 2024-12-06 11:06:55 Info: netmap: netmap:bnxt0^2/R: bnxt0^ opened [fd: 36]
[103636 - W#03-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0-2/T: bnxt0 opened [fd: 37]
[103637 - W#04-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0^3/R: bnxt0^ opened [fd: 38]
[103637 - W#04-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0-3/T: bnxt0 opened [fd: 39]
[103639 - W#05-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0^4/R: bnxt0^ opened [fd: 40]
[103639 - W#05-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0-4/T: bnxt0 opened [fd: 41]
[103640 - W#06-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0^5/R: bnxt0^ opened [fd: 42]
[103640 - W#06-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0-5/T: bnxt0 opened [fd: 43]
[103641 - W#07-bnxt0^] 2024-12-06 11:06:56 Info: netmap: netmap:bnxt0^6/R: bnxt0^ opened [fd: 44]
[103641 - W#07-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0-6/T: bnxt0 opened [fd: 45]
[103642 - W#08-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0^7/R: bnxt0^ opened [fd: 46]
[103642 - W#08-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0-7/T: bnxt0 opened [fd: 47]
[103643 - W#09-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0^8/R: bnxt0^ opened [fd: 48]
[103643 - W#09-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0-8/T: bnxt0 opened [fd: 49]
[103644 - W#10-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0^9/R: bnxt0^ opened [fd: 50]
[103644 - W#10-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0-9/T: bnxt0 opened [fd: 51]
[103645 - W#11-bnxt0^] 2024-12-06 11:06:57 Info: netmap: netmap:bnxt0^10/R: bnxt0^ opened [fd: 52]
[103645 - W#11-bnxt0^] 2024-12-06 11:06:58 Info: netmap: netmap:bnxt0-10/T: bnxt0 opened [fd: 53]
[103646 - W#12-bnxt0^] 2024-12-06 11:06:58 Info: netmap: netmap:bnxt0^11/R: bnxt0^ opened [fd: 54]
[103646 - W#12-bnxt0^] 2024-12-06 11:06:58 Info: netmap: netmap:bnxt0-11/T: bnxt0 opened [fd: 55]
[100691 - Suricata-Main] 2024-12-06 11:06:58 Notice: threads: Threads created -> W: 24 FM: 1 FR: 1 Engine started.
And here is one in LEGACY mode. Is it just me or are the bnxt0.vlanID interfaces jacked up in the one above compared to this one?
[100998 - Suricata-Main] 2024-12-06 13:50:09 Notice: suricata: This is Suricata version 7.0.7 RELEASE running in SYSTEM mode
[100998 - Suricata-Main] 2024-12-06 13:50:09 Info: cpu: CPUs/cores online: 24
[100998 - Suricata-Main] 2024-12-06 13:50:09 Info: suricata: Setting engine mode to IDS mode by default
[100998 - Suricata-Main] 2024-12-06 13:50:09 Info: app-layer-htp-mem: HTTP memcap: 67108864
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: logopenfile: alert-pf output device (regular) initialized: block.log
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_20972_bnxt0.651/passlist.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_20972_bnxt0.651/passlist processed: Total entries parsed: 10, IP addresses/netblocks/aliases added to No Block list: 10, IP addresses/netblocks ignored because they were covered by existing entries: 0.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=src kill-state=yes block-drops-only=no passlist-debugging=no
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Creating initial automatic firewall interface IP address pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bge1 IPv6 address fe80:0000:0000:0000:1298:19ff:fe9d:3359 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bge1 IPv4 address 10.0.20.19 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.895 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.895 IPv4 address 12.220.13.19 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.896 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.896 IPv4 address 12.220.13.35 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.992 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.992 IPv4 address 143.170.195.222 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.897 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt1.897 IPv4 address 12.146.29.35 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.653 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.651 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.651 IPv4 address 172.16.32.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.260 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.260 IPv4 address 172.17.16.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.261 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.401 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.401 IPv4 address 172.18.128.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.402 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.402 IPv4 address 172.18.192.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.600 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.600 IPv4 address 172.18.14.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.647 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.647 IPv4 address 172.16.64.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.648 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.648 IPv4 address 172.16.80.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.650 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.650 IPv4 address 172.16.128.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.652 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.652 IPv4 address 172.16.40.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.654 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.654 IPv4 address 172.16.56.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.660 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.661 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.661 IPv4 address 172.16.8.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.700 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.700 IPv4 address 172.16.12.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.711 IPv6 address fe80:0000:0000:0000:6e92:cfff:fe21:a1c0 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-pf: Adding firewall interface bnxt0.711 IPv4 address 192.168.55.1 to automatic interface IP pass list.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: logopenfile: fast output device (regular) initialized: alerts.log
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: alert-syslog: Syslog output initialized
[101035 - Suricata-IM#01] 2024-12-06 13:50:09 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 initializing.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[101035 - Suricata-IM#01] 2024-12-06 13:50:09 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 startup completed successfully.
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: detect: 1 rule files processed. 33 rules successfully loaded, 0 rules failed, 0
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: detect: 33 signatures processed. 0 are IP-only rules, 14 are inspecting packet payload, 19 inspect application layer, 0 are decoder event only
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: TCP toserver: 8 port groups, 5 unique SGH's, 3 copies
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: TCP toclient: 2 port groups, 2 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: UDP toserver: 3 port groups, 2 unique SGH's, 1 copies
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Unique rule groups: 10
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "toserver TCP packet": 3
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "toclient TCP packet": 2
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "toserver TCP stream": 4
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "toclient TCP stream": 1
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "toserver UDP packet": 2
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "toclient UDP packet": 1
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: Builtin MPM "other IP packet": 0
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: AppLayer MPM "toserver http_uri (http)": 2
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 2
[100728 - Suricata-Main] 2024-12-06 13:50:09 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 2
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: runmodes: Using 1 live device(s).
[101036 - RX#01-bnxt0.651] 2024-12-06 13:50:09 Info: pcap: bnxt0.651: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[101036 - RX#01-bnxt0.651] 2024-12-06 13:50:09 Info: pcap: bnxt0.651: snaplen set to 1518
[100728 - Suricata-Main] 2024-12-06 13:50:10 Notice: threads: Threads created -> RX: 1 W: 24 FM: 1 FR: 1 Engine started.
[101036 - RX#01-bnxt0.651] 2024-12-06 13:50:13 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[100728 - Suricata-Main] 2024-12-07 00:42:11 Notice: detect: rule reload starting
[100728 - Suricata-Main] 2024-12-07 00:42:11 Info: conf-yaml-loader: Configuration node 'filetype' redefined.
[100728 - Suricata-Main] 2024-12-07 00:42:11 Info: detect: 1 rule files processed. 33 rules successfully loaded, 0 rules failed, 0
[100728 - Suricata-Main] 2024-12-07 00:42:11 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100728 - Suricata-Main] 2024-12-07 00:42:11 Info: detect: 33 signatures processed. 0 are IP-only rules, 14 are inspecting packet payload, 19 inspect application layer, 0 are decoder event only
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: TCP toserver: 8 port groups, 5 unique SGH's, 3 copies
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: TCP toclient: 2 port groups, 2 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: UDP toserver: 3 port groups, 2 unique SGH's, 1 copies
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: UDP toclient: 1 port groups, 1 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: OTHER toserver: 0 proto groups, 0 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: OTHER toclient: 0 proto groups, 0 unique SGH's, 0 copies
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Unique rule groups: 10
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "toserver TCP packet": 3
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "toclient TCP packet": 2
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "toserver TCP stream": 4
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "toclient TCP stream": 1
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "toserver UDP packet": 2
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "toclient UDP packet": 1
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: Builtin MPM "other IP packet": 0
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: AppLayer MPM "toserver http_uri (http)": 2
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: AppLayer MPM "toserver http_uri (http2)": 2
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: AppLayer MPM "toserver http_user_agent (http)": 2
[100728 - Suricata-Main] 2024-12-07 00:42:11 Perf: detect: AppLayer MPM "toserver http_user_agent (http2)": 2
[100728 - Suricata-Main] 2024-12-07 00:42:11 Notice: detect: rule reload complete
Anyway... going back to this statement "VLANs and Inline IPS Mode are more or less incompatible."
I guess I need to either look into separate NICs or a separate inline Suricata device as suggested by @bmeeks. -
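As an added example, not code from the thread or from the Suricata package: a small Python checker that parses suricata.log lines in the format posted above and reports which live device the engine bound to, the thread counts, and the rules loaded/failed on each start or reload, so a change to interface assignments can be verified from the log rather than by eye. The log lines inside it are constructed in that format (the second rule load is made to fail on purpose); the function and field names are this example's own.

```python
import re

# Constructed sample in the format of the suricata.log excerpt above; not a live capture.
SAMPLE_LOG = """\
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: detect: 1 rule files processed. 33 rules successfully loaded, 0 rules failed
[100728 - Suricata-Main] 2024-12-06 13:50:09 Info: runmodes: Using 1 live device(s).
[101036 - RX#01-bnxt0.651] 2024-12-06 13:50:09 Info: pcap: bnxt0.651: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[100728 - Suricata-Main] 2024-12-06 13:50:10 Notice: threads: Threads created -> RX: 1 W: 24 FM: 1 FR: 1 Engine started.
[101036 - RX#01-bnxt0.651] 2024-12-06 13:50:13 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[100728 - Suricata-Main] 2024-12-07 00:42:11 Notice: detect: rule reload starting
[100728 - Suricata-Main] 2024-12-07 00:42:11 Info: detect: 1 rule files processed. 31 rules successfully loaded, 2 rules failed
[100728 - Suricata-Main] 2024-12-07 00:42:11 Notice: detect: rule reload complete
"""

# "[tid - thread] date time Level: module: message"
LINE_RE = re.compile(r"^\[(?P<tid>\d+) - (?P<thread>[^\]]+)\] (?P<ts>\S+ \S+) "
                     r"(?P<level>\w+): (?P<module>[\w-]+): (?P<msg>.*)$")
RULES_RE = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")
THREADS_RE = re.compile(r"RX: (\d+) W: (\d+) FM: (\d+) FR: (\d+)")

def summarize(log_text):
    """Collect the facts worth checking after a Suricata (re)start from log text."""
    s = {"devices": set(), "rule_loads": [], "threads": None,
         "reloads": 0, "checksum_offload_detected": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        module, msg = m.group("module"), m.group("msg")
        if module == "pcap":                      # "pcap: <device>: ..." -> device name
            s["devices"].add(msg.split(":", 1)[0])
        elif module == "detect":
            r = RULES_RE.search(msg)
            if r:
                s["rule_loads"].append((int(r.group(1)), int(r.group(2))))
            elif msg == "rule reload complete":
                s["reloads"] += 1
        elif module == "threads":
            t = THREADS_RE.search(msg)
            if t:
                s["threads"] = dict(zip(("RX", "W", "FM", "FR"), map(int, t.groups())))
        elif module == "checksum":
            s["checksum_offload_detected"] = "NOT used" not in msg
    return s

def problems(summary):
    """Return human-readable findings a pfSense admin would want flagged."""
    out = []
    if not summary["devices"]:
        out.append("no capture device reported: engine may not be bound to the intended interface")
    for i, (loaded, failed) in enumerate(summary["rule_loads"]):
        if failed:
            out.append(f"rule load #{i + 1}: {failed} rules failed ({loaded} loaded)")
    return out
```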
@PalisadesTahoe said in Suricata & P2P Blocking - Working but would like to fine tune.:
Anyway... going back to this statement "VLANs and Inline IPS Mode are more or less incompatible."
It is definitely possible to run Suricata on the parent interface only, provided that it is actually assigned. I have definitely seen it work, but Inline doesn't provide the performance that Legacy mode does, so I reverted back.
As you wrote earlier, there seems to be an issue with the interface assignments? VLANs stop working if you assign the parent interface, correct?
When I set up VLANs, I already had the parent interface assigned. So the order of things seems to matter...
Have you tried doing it that way, starting by configuring the parent interface and only then adding the VLANs? -
@Gblenn Thanks for the reply. Yes, I've tried that as well. The issue is that in our particular case, we only want/need Suricata to run on some of the vlans assigned to the parent interface. The others we need to remain wide open.