Suricata inline mode and kernal error message
-
I can't speak for pfSense support. I don't know if they support virtualized installs or not.
You might want to do some research here and on Google for mbuf settings and other optimizations for some network drivers under pfSense 2.3 (which is FreeBSD 10.3). Find the archived thread here on the forum for the 2.3-BETA program and search through it. You can also try posting in the Virtualization sub-forum.
Netmap support is kind of new everywhere, and there may indeed be some weird bugs with it. Do you by chance any physical hardware you could temporarily dedicate as a pfSense 2.3 box for testing? Sounds like you have a moderately busy network and your testing could help uncover hidden issues. I do not have the facilities to test high traffic loads in my environment.
Bill
-
Hi Bill.
I enable inline mode , then disable inline mode and start suricata again. I found suricata.log show below
21/4/2016 – 15:28:34 - <info>-- Netmap IPS mode activated em0->em0+
21/4/2016 -- 15:28:34 - <info>-- preallocated 1024 packets. Total memory 3557376
21/4/2016 -- 15:28:34 - <info>-- Using 1 threads for interface em0+
21/4/2016 -- 15:28:34 - <info>-- Netmap IPS mode activated em0+->em0I have disable block, I don't know why it still show "IPS mode activated"??
Thx!</info></info></info></info>
-
Update:
When I disable block mode, IPS config is still in suricata.yaml.
netmap: - interface: default threads: auto copy-mode: ips disable-promisc: no checksum-checks: auto - interface: ix0 copy-iface: ix0+ - interface: ix0+ copy-iface: ix0I edit it manually to below
pcap: - interface: ix0 checksum-checks: auto promisc: yesBut after start suricata, it restore to block mode. :o
-
Update:
When I disable block mode, IPS config is still in suricata.yaml.
netmap: - interface: default threads: auto copy-mode: ips disable-promisc: no checksum-checks: auto - interface: ix0 copy-iface: ix0+ - interface: ix0+ copy-iface: ix0I edit it manually to below
pcap: - interface: ix0 checksum-checks: auto promisc: yesBut after start suricata, it restore to block mode. :o
When you disable the block mode or change it from legacy to inline, are you remembering to click the SAVE button down at the bottom of the page? Also, once you make the change and save it, you need to restart Suricata on the affected interface.
Manually editing the config files is pointless. Each time you click the START icon on the INTERFACES tab, the suricata configuration file (suricata.yaml) is rebuilt with the saved settings.
Bill
-
Yes, I disable the block mode and save then restart suricata, it 's the same.
-
I tested this last night in a pfSense virtual machine. I set both legacy mode and inline mode repeatedly on the WAN interface. Suricata properly swapped modes and updated the suricata.yaml file correctly. In short, I am unable to reproduce this problem. My VM was running pfSense 2.3-RELEASE and Suricata 3.0_6.
Bill
-
Hmm…
I don't use legacy mode in my test.
The step I test is below.
1. Check block offenders, set inline mode and save then restart suricata.
2. Uncheck block offenders, save then restart suricata directly.
3. view suricata.log, it show "Netmap IPS mode activated".
Thx!
-
Hmm…
I don't use legacy mode in my test.
The step I test is below.
1. Check block offenders, set inline mode and save then restart suricata.
2. Uncheck block offenders, save then restart suricata directly.
3. view suricata.log, it show "Netmap IPS mode activated".
Thx!
Oh… let me think about that a minute and review the code. You may have hit upon a sequence of events I did not adequately address in the code. I will test that process out. I was simply switching modes.
In the interim, while I am testing, you can "disable blocks" by switching to Legacy Mode, saving that, then un-checking the "Block Offenders" checkbox and saving that.
Edit Update: I verified that the GUI code was not disabling Netmap when disabling block offenders. So if you still had DROP rules, then it would still block. To fix this I pushed an update into a currently pending Pull Request that switches Suricata back to pcap legacy mode when "block offenders" is disabled. This way it will not block, but can still alert.
Bill
-
Maybe similar problems about netmap.
https://github.com/luigirizzo/netmap/issues/156
https://github.com/luigirizzo/netmap/issues/134
-
Maybe similar problems about netmap.
https://github.com/luigirizzo/netmap/issues/156
https://github.com/luigirizzo/netmap/issues/134
Hmm…might be some Netmap problems that are not directly related to Suricata. pfSense 2.3 now compiles Netmap support into the kernel by default.
Bill
