Unknown VLAN Traffic with Suricata IPS Inline Mode
-
Good afternoon guys!
I would need to ask you for help regarding the configuration of Suricata on my home pfSense CE firewall, installed on a mini pc with N100 CPU and dual 2.5Gb NIC (Intel I225, igc driver).
My home network topology is very simple, with the physical firewall LAN interface that acts as a trunk for several VLANs toward a managed switch: I installed Suricata via pfSense package, configured on my LAN.
I followed the advices of @bmeeks (thank you very much for the dedication you put into this project) in the threads on the forum and installed Suricata via pfSense package, enabled in promiscuous mode on the LAN interface and set to IPS Inline mode with workers execution mode.
Alerts and blocking are handled via lists configured with SID Mgmt and work correctly, but I often see alerts regarding unknown VLAN traffic: I can't figure out what this traffic might be about, since I disabled hardware offloading completely, even via programmed command (on igc0 - WAN and igc1 -LAN both) using shellcmd, since some options remained active after disabling offloading via settings in the pfSense webUI.
Has this happened to anyone before? Could it be caused by hardware incompatibility of the NIC in question?
I was thinking of trying to remove promiscuous mode and enabling a Suricata probe on each of the logical interfaces of the individual VLANs, is this configuration compatible with Inline mode?
Thank you in advance, I am fully available for further checks and details!
-
When you install Suricata on a VLAN interface (or it detects that the configured interface is in fact a VLAN), it automatically alters its YAML configuration to run on the physical parent interface. So, for example, if your VLAN interfaces are igc0.100, igc0.200, and igc0.300, Suricata will automatically configure itself to run on the physical igc0 interface. There, it will see all the traffic from all the VLANs traversing that parent. But if you are using Inline IPS Mode, then the netmap device used to implement that operating mode is not itself VLAN-aware. The tags are stripped by the kernel stack before netmap sees them.
What specific error or alert messages are you seeing? It could simply be Suricata itself getting confused over the missing VLAN tags stripped away by the netmap device.
I generally tell users that Suricata and VLANs are not friendly with each other. This is especially true with Inline IPS Mode which needs to use the netmap kernel device. The VLAN limitations exist within netmap itself and not Suricata.
It's also possible this post from the upstream Suricata forum might apply in your case: https://forum.suricata.io/t/questions-about-use-for-tracking/3450. That setting is currently hard-forced to "true" in the pfSense package configuration. You can change it by editing the file /usr/local/pkg/suricata/suricata_yaml_template.inc as follows:
- Find line 208 in the file and change "true" to "false" as shown below.
    use-for-tracking: false
Here is the line in context:
    # This option controls the use of vlan ids in the flow (and defrag)
    # hashing.
    vlan:
      use-for-tracking: true
Once you make the edit above, go to the INTERFACE SETTINGS tab for the Suricata interface, choose Save. This will regenerate the YAML conf file for the interface. Next, restart Suricata on the interface so it uses the newly generated YAML conf file.
The edit above will be global (that is, it will be applied to all Suricata instances when their YAML conf file is generated).
-
Good evening @bmeeks, thank you very much for the details, I was hoping for your intervention!!
I changed the option as indicated, saved the configuration (I verified that the change was correctly in place), and restarted the Suricata probe from the LAN interface in question, but I am still unfortunately seeing this type of alert:
I read the post on Suricata's forum, the configuration of VLANs should not have any particular misalignments...on my "core" switch, the only particular configuration is on the UniFi access points ports, which have the management VLAN in access and tag all VLANs that are then propagated by the WiFi network SSIDs...but the chain should still be respected.
In order to go and check where any configuration of this type possibly resides, would you know if from logs I can somehow figure out what kind of packet Suricata sees that it can't recognize?
Thank you again!
-
@Alessiottero said in Unknown VLAN Traffic with Suricata IPS Inline Mode:
Good evening @bmeeks, thank you very much for the details, I was hoping for your intervention!!
I changed the option as indicated, saved the configuration (I verified that the change was correctly in place), and restarted the Suricata probe from the LAN interface in question, but I am still unfortunately seeing this type of alert:
I read the post on Suricata's forum, the configuration of VLANs should not have any particular misalignments...on my "core" switch, the only particular configuration is on the UniFi access points ports, which have the management VLAN in access and tag all VLANs that are then propagated by the WiFi network SSIDs...but the chain should still be respected.
In order to go and check where any configuration of this type possibly resides, would you know if from logs I can somehow figure out what kind of packet Suricata sees that it can't recognize?
Thank you again!
That rule triggering is one of the built-in Suricata rules -- specifically decoder-events.rules. I can't find any clear definition of why that rule would trigger. I see in the C source for Suricata where the flag is set, but again it's not clear to me why (at least in the time I had for a cursory examination). You might ask this question on the Suricata forum here: https://forum.suricata.io/. If you do that, just ask the generic question of what that rule SID (2200067) is looking for and why it would trigger. If you mention "pfSense" in your question, that may get the focus and folks will say to come back here. But your question is about that rule and what triggers it, and that is not related necessarily to pfSense.
I would be interested in hearing what you find out. I also monitor that upstream Suricata forum.
-
@Alessiottero said in Unknown VLAN Traffic with Suricata IPS Inline Mode:
Hi @bmeeks, thank you again, I have just written on the Suricata forum!
If you are interested, this is the topic.
Thank you very much again, we will update soon I hope!
I checked on your Suricata forum post. Excellent way to phrase your question. It leaves the focus on why that rule would trigger and does not muddy up the water by mentioning pfSense.
There are several key Suricata developers that frequent the forum. Hopefully one of them will answer soon. I am curious myself about the answer to your question.