Suricata V3.0 Inline Mode
-
Bill:
Suricata V3.0 is now working fine. I now see the blocked alerts showing in red. I am going to just let it run with this snap-shot of Pfsense 2.3 and see how it working over a period of time.
Best Regards,
Howard
Great! Glad everything is working. There are still a few things I plan on improving.
Bill
-
Bill:
An update with respect to a strange issue. I am using the traffic shaper with CODEL to minimize buffer bloat. It worked fine with Pfsense2.2.6. However Pfsense 2.3 and Suricata Inline seem to be a problem. First, If I removed the traffic shaper when running Suricata V3.0 Inline the box locks up and will not pass traffic. I looked at the error messages and they were related to Netmap. I rebooted the box and all was well. I then reconfigured the traffic shaper on the wan and lan with CODEL. A test for buffer bloat showed poor results, i.e. buffer bloat. Then I rebooted the box and it is now working ok with the traffic shaper. I seem that Netmap and the traffic shaper interact. I have it working now be it was strange. Have you seen this before?
Regards,
Howard
-
Bill:
Further testing with the traffic shaper. It works with Suricata in the Legacy Mode but does not in the Inline Mode. Must be some interaction with Netmap ???
Regards,
Howard
-
Theres one test I would do also, is to run suricata inline with absolutely no rules, disable all categorie/rules.
F.
-
I removed all the rules from Suricata V3.0 running in the Inline Mode and the traffic shaper still does not function correctly. There must be some interaction between Suricata Inline Mode and the Pfsense 2.3 traffic shaper with CODEL used for bufferbloat reduction.
-
Further information:
When I change back from Inline Mode to Legacy Mode the box must be reboot for the traffic shaper to work correctly.
-
I see other issues posted over in the 2.3-BETA sub-forum with the Traffic Shaper. It is likely the shaper and Netmap do not currently play well together. I will have to refer that one to the pfSense developers. Would you mind opening a Redmine bug report for this issue? Just explain what happens with Inline mode and the traffic shaper.
Bill
-
Bill:
I just wrote a short note for redmine bugtracker report describing the problem.
Best Regards,
Howard
-
I see other issues posted over in the 2.3-BETA sub-forum with the Traffic Shaper. It is likely the shaper and Netmap do not currently play well together. I will have to refer that one to the pfSense developers. Would you mind opening a Redmine bug report for this issue? Just explain what happens with Inline mode and the traffic shaper.
Bill
This is now the show stopper for me to use Suricata v3 inline mode, one of the main reason to upgrade to pfSense 2.3. Any timeline to fix it? I'm waiting it to be fixed to upgrade to pfSense 2.3
-
This is now the show stopper for me to use Suricata v3 inline mode, one of the main reason to upgrade to pfSense 2.3. Any timeline to fix it? I'm waiting it to be fixed to upgrade to pfSense 2.3
I see the bug report has been assigned to one of the pfSense kernel developers. Here is the redmine link: https://redmine.pfsense.org/issues/6023
Bill
-
I am trying inline now. I think Netmap is supported as I see the interfaces using the emX driver.
However on following the above instructions I have full loss of internet connectivity.
-
Ok the likely problem is Netmap.
-
Ok the likely problem is Netmap.
Yes, Netmap and some NIC drivers are misbehaving badly in the kernel at the moment. There are threads in the INSTALL and UPGRADES forum and elsewhere about it. It seems to depend on your exact NIC as to whether or not you have issues. Some folks immediately lose connectivity, for others is takes hours or a few days, and some seem to have no problems.
I believe the pfSense developer team is looking into the Netmap issues. It is probably not a pfSense thing and is instead either an upstream bug in Netmap or FreeBSD.
Bill
-
I look forward to the issue fixed and enableing inline mode in my production environment.
Thanks pfSense developer team and Bill.
-
Was this issue fixed in 2.3.1?
-
or 2.3.2?
-
It works perfectly ;D !!!!!!!
Thanx ! Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !
-
It works perfectly ;D !!!!!!!
Thanx ! Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !Thanx !
Does hardware offloading still need to be disabled?
-
@bmeeks May i ask if i can use this sample format?
The categories shown below will have all rules changed from "alert" to "drop"
etpro-dns,etpro-botcc,etpro-malware,etpro-tor,etpro-trojan
1:2181,1:2180,1:2016662,1:2008581,1:16282,1:2012247,1:2008585,1:16282,1:2010144,1:2016662,1:2102180,1:2011706,1:2102181
-
@gars1978 said in Suricata V3.0 Inline Mode:
@bmeeks May i ask if i can use this sample format?
The categories shown below will have all rules changed from "alert" to "drop"
etpro-dns,etpro-botcc,etpro-malware,etpro-tor,etpro-trojan
1:2181,1:2180,1:2016662,1:2008581,1:16282,1:2012247,1:2008585,1:16282,1:2010144,1:2016662,1:2102180,1:2011706,1:2102181
Yes, but you will need to note that first sentence as a "comment" by adding a pound sign ("#") at the front of the line.
Otherwise you should be good. I can't 100% remember if the logic will accept the commas between category names, or if it prefers each category to be listed on a separate line. You can try it and see. When you save the change and apply the SID management rules logic, you can check the corresponding log under the LOGS VIEW tab. I believe the log file is called
sid_changes.log(or something similar). In that log Suricata will summarize what actions were taken on SID Management conf files.
