Missing blocking mode setting in Suricata 7.0.3?
-
Hi friends, I've recently upgraded to 2.7.2 from 2.6.
Has the choice between inline and legacy gone away or been moved somewhere else?
There's an "Alert and Block Settings" section under WAN settings with a "Block Offenders" option, but nothing under that? Oddly that checkbox is disabled too.
Also, I'm using newer hardware that supports SFP+ modules; unfortunately it looks like mlxen* devices aren't supported yet for inline blocking: "The 'wan' interface does not support Inline IPS Mode with native netmap." Is that specific to the module I happened to choose? Like, is there a supported SFP+ module that Suricata will work with?
-
@Tantamount if inline is used there are no blocks, the detected packets (only) are dropped.
Inline is very dependent on driver support so another NIC may have different drivers.
If you run it on LAN instead it will log the internal IPs of devices. Plus it runs outside the firewall so would not waste time scanning random inbound WAN traffic.
-
@SteveITS said in Missing blocking mode setting in Suricata 7.0.3?:
if inline is used there are no blocks, the detected packets (only) are dropped.
If I go to
Services -> Suricata -> Interfaces -> Edit WAN
I thought there used to be a drop down around here to switch between inline and legacy?
-
@Tantamount Given your error message in OP maybe the option is hidden for you? Though if Legacy that section has several options that should show. Kill states, pass list, etc.
FWIW the text there includes:
"WARNING: Inline Mode only works with NIC drivers which properly support Netmap! Supported drivers include: bnxt, cc, cxgbe, cxl, em, ena, ice, igb, igc, ix, ixgbe, ixl, lem, re, vmx, vtnet. If problems are experienced with Inline Mode, switch to Legacy Mode instead."
-
@SteveITS said in Missing blocking mode setting in Suricata 7.0.3?:
Given your error message in OP maybe the option is hidden for you?
That message only shows if I attempt to enable Suricata. RN it's not enabled, so that's why I thought it was odd not to have that setting available to me.
-
@Tantamount said in Missing blocking mode setting in Suricata 7.0.3?:
@SteveITS said in Missing blocking mode setting in Suricata 7.0.3?:
Given your error message in OP maybe the option is hidden for you?
That message only shows if I attempt to enable Suricata. RN it's not enabled, so that's why I thought it was odd not to have that setting available to me.
The GUI code uses JavaScript to dynamically hide options for a function when that function is not enabled. Thus, if you do not enable Block Offenders, all of the options associated with that feature are hidden to conserve screen space. Similarly, depending on which IPS Mode you choose, other related options are either hidden or displayed in the GUI within the ALERT and BLOCK SETTINGS section.
This same behavior is also present in other parts of the pfSense GUI (for example, hiding Advanced Settings options when the Advanced Settings feature is not checked (enabled)).
-
@bmeeks said in Missing blocking mode setting in Suricata 7.0.3?:
The GUI code uses JavaScript to dynamically hide options for a function when that function is not enabled. Thus, if you do not enable Block Offenders, all of the options associated with that feature are hidden to conserve screen space.
Hey bmeeks! Yeah, I get that -- unfortunately, as I said in the OP, the option to click that box is disabled. (I couldn't screen capture the circle with a slash through it on the cursor when I hover over that box.)
If I had to guess, I think the problem got introduced when I switched hardware from a system where I had IPS enabled to a system that didn't support that and restored from backup?
-
@Tantamount said in Missing blocking mode setting in Suricata 7.0.3?:
@bmeeks said in Missing blocking mode setting in Suricata 7.0.3?:
The GUI code uses JavaScript to dynamically hide options for a function when that function is not enabled. Thus, if you do not enable Block Offenders, all of the options associated with that feature are hidden to conserve screen space.
Hey bmeeks! Yeah, I get that -- unfortunately, as I said in the OP, the option to click that box is disabled. (I couldn't screen capture the circle with a slash through it on the cursor when I hover over that box.)
If I had to guess, I think the problem got introduced when I switched hardware from a system where I had IPS enabled to a system that didn't support that and restored from backup?
There is no PHP code in the GUI that would do that. The only thing that will disable the "Block Offenders" checkbox is if the interface itself is not enabled (meaning the Enable checkbox at the very top of the page is not clicked).
The capability of the NIC for Inline IPS Mode operation is only checked and enforced when saving a change on the page using the Save button. You have something else going on. If the Enable checkbox at the top of the page is checked for the interface, then perhaps you have some kind of weird JavaScript issue in your browser (like a misbehaving plugin maybe ???).
-
@bmeeks said in Missing blocking mode setting in Suricata 7.0.3?:
The only thing that will disable the "Block Offenders" checkbox is if the interface itself is not enabled (meaning the Enable checkbox at the very top of the page is not clicked).
That was the solution. I had to click "Enable" at the top, then I could enable blocking, which in turn opened up the additional options where I could choose legacy!
Def not intuitive, as I would normally only enable after all the settings are the way I want them, but I'll take the win. Thanks for your help!
-
@Tantamount said in Missing blocking mode setting in Suricata 7.0.3?:
@bmeeks said in Missing blocking mode setting in Suricata 7.0.3?:
The only thing that will disable the "Block Offenders" checkbox is if the interface itself is not enabled (meaning the Enable checkbox at the very top of the page is not clicked).
That was the solution. I had to click "Enable" at the top, then I could enable blocking, which in turn opened up the additional options where I could choose legacy!
Def not intuitive, as I would normally only enable after all the settings are the way I want them, but I'll take the win. Thanks for your help!
With the Enable checkbox cleared, then every single control on that tab is disabled as then the Suricata interface itself will be disabled and not start. This is done purposefully to prevent the admin from changing something on a disabled interface and thinking or assuming it would "stick".
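The two mechanisms bmeeks describes in this thread (client-side JavaScript that disables every control while the interface's Enable box is cleared and hides the Block Offenders sub-options until that box is ticked, versus the netmap driver capability check that only runs on Save) are modelled below as an added example. This is not the pfSense Suricata package's own code; the function names and form-state shape are hypothetical, and the supported-driver list is the one quoted from the GUI warning earlier in the thread. It goes slightly beyond the thread by deriving the driver name from a FreeBSD interface name so that any interface, not just the OP's mlxen*, can be checked.

```javascript
// Added example (hypothetical names, not the pfSense package's code): a
// dependency-free model of the Suricata interface-settings form logic.

// Drivers the GUI warning lists as properly supporting netmap for Inline IPS Mode.
const NETMAP_INLINE_DRIVERS = new Set([
  "bnxt", "cc", "cxgbe", "cxl", "em", "ena", "ice", "igb", "igc",
  "ix", "ixgbe", "ixl", "lem", "re", "vmx", "vtnet",
]);

// FreeBSD interface names are <driver><unit>, e.g. "igb0" or "mlxen1";
// strip the trailing unit number to recover the driver name.
function driverFromIfname(ifname) {
  const m = /^([a-z]+)\d+$/i.exec(String(ifname).trim());
  return m ? m[1].toLowerCase() : null;
}

function supportsInlineNetmap(ifname) {
  const drv = driverFromIfname(ifname);
  return drv !== null && NETMAP_INLINE_DRIVERS.has(drv);
}

// Client-side view logic: which controls are disabled or hidden for the
// current checkbox state. With Enable cleared every control is disabled,
// the Block Offenders sub-options appear only when that box is ticked, and
// the Legacy-only options (kill states, pass list) appear only in Legacy Mode.
function deriveFormState({ enabled, blockOffenders, ipsMode }) {
  const disabledAll = !enabled;
  const showBlockOptions = enabled && blockOffenders;
  return {
    disabledAll,
    blockOffendersDisabled: disabledAll,
    showBlockOptions,
    showIpsModeSelect: showBlockOptions,
    showLegacyOptions: showBlockOptions && ipsMode === "legacy",
  };
}

// Server-side validation that runs only on Save: Inline IPS Mode on an
// interface whose driver lacks netmap support is rejected with the message
// the original poster saw. Returns a list of error strings (empty = ok).
function validateOnSave({ enabled, blockOffenders, ipsMode }, friendlyName, ifname) {
  const errors = [];
  if (enabled && blockOffenders && ipsMode === "inline" && !supportsInlineNetmap(ifname)) {
    errors.push(
      `The '${friendlyName}' interface does not support Inline IPS Mode with native netmap.`
    );
  }
  return errors;
}

// Walk through the thread's scenario with constructed settings: a restored
// config on new hardware where the interface is not yet enabled.
function walkthrough() {
  const restored = { enabled: false, blockOffenders: true, ipsMode: "inline" };
  const before = deriveFormState(restored);            // everything disabled
  const afterEnable = deriveFormState({ ...restored, enabled: true });
  const saveErrors = validateOnSave({ ...restored, enabled: true }, "wan", "mlxen0");
  const legacyErrors = validateOnSave(
    { ...restored, enabled: true, ipsMode: "legacy" }, "wan", "mlxen0"
  );
  return { before, afterEnable, saveErrors, legacyErrors };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(walkthrough(), null, 2));
}
```

Running the walkthrough shows the sequence the thread ends on: with Enable cleared the Block Offenders box is disabled and no sub-options are shown; once enabled, saving in Inline mode on an mlxen* interface fails the netmap check, while switching to Legacy saves cleanly.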
-
@bmeeks said in Missing blocking mode setting in Suricata 7.0.3?:
With the Enable checkbox cleared, then every single control on that tab is disabled as then the Suricata interface itself will be disabled and not start.
I'm just saying that this behavior, AFAICT, is limited to Suricata. For instance, if I uncheck 'Enable' for the DHCP server, I'm still able to adjust all of the settings.