Netgate Discussion Forum

    Suricata true inline IPS mode coming with pfSense 2.3 – here is a preview

      ntct

      How to evaluate performance and detect packet loss for pfSense 2.3 in inline IPS mode? stats.log or?

      Thanks again!

        bmeeks

        @ntct:

        How to evaluate performance and detect packet loss for pfSense 2.3 in inline IPS mode? stats.log or?

        Thanks again!

        I think that log primarily shows how much time was spent analyzing particular rules.  But I don't remember for sure.  It's been a long time since I activated the stats.log option and looked over the log.

        Bill

          ntct

          hmm…

          I can't see capture.kernel_drops in stats.log.  :P

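One way to get a packet-loss figure out of stats.log, added here as an example and not code from this thread or the pfSense package: it sums the capture counters of the latest dump in the log and, when capture.kernel_drops is absent from that dump (the situation the post above describes), says so explicitly instead of reporting a misleading 0%. It assumes the Suricata 3.x stats.log layout ("counter | thread | value" rows, each dump headed by a "Date:" line) and a log path of /var/log/suricata/stats.log; the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from this thread or the pfSense package. Assumes the
# Suricata 3.x stats.log layout ("counter | thread | value", each dump headed
# by a "Date:" line); the log path is an assumption too.
STATS_LOG="${STATS_LOG:-/var/log/suricata/stats.log}"

# Sum capture.kernel_packets / capture.kernel_drops across all capture threads
# of the LAST dump in the log and print the drop percentage. If no
# capture.kernel_drops row exists in that dump, report that rather than 0%.
suri_drop_summary() {
    awk -F'|' '
        /^Date:/ { pk = 0; dr = 0; have_drops = 0 }   # each dump starts fresh
        $1 ~ /capture\.kernel_packets/ { gsub(/ /, "", $3); pk += $3 }
        $1 ~ /capture\.kernel_drops/   { gsub(/ /, "", $3); dr += $3; have_drops = 1 }
        END {
            pct = (pk > 0) ? 100 * dr / pk : 0
            if (!have_drops) {
                print "packets=" pk " drops=n/a (capture.kernel_drops not reported)"
            } else {
                printf "packets=%d drops=%d drop_pct=%.2f\n", pk, dr, pct
            }
        }' "$1"
}

# Constructed sample log in the 3.x layout: two dumps, the second one with two
# capture threads, so the script can be exercised without a running Suricata.
write_sample_stats() {
    cat > "$1" <<'EOF'
Date: 7/19/2016 -- 09:26:02 (uptime: 0d, 00h 01m 02s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapem01                | 1000
capture.kernel_drops      | RxPcapem01                | 10
decoder.pkts              | RxPcapem01                | 1000
Date: 7/19/2016 -- 09:27:02 (uptime: 0d, 00h 02m 02s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapem01                | 3000
capture.kernel_drops      | RxPcapem01                | 30
capture.kernel_packets    | RxPcapem02                | 1000
capture.kernel_drops      | RxPcapem02                | 10
EOF
}

# Report on the real log when it is present (skipped silently otherwise).
if [ -r "$STATS_LOG" ]; then suri_drop_summary "$STATS_LOG"; fi
```

Run it from a cron job or by hand on the firewall; a rising drop_pct between dumps is the signal that the capture threads cannot keep up.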
            ntct

            Hi Bill,

            I can't start Barnyard2, I use Syslog Output.

            It seems no barnyard2 is installed.

            Can you check?

            Thx!


              bmeeks

              @ntct:

              Hi Bill,

              I can't start Barnyard2, I use Syslog Output.

              It seems no barnyard2 is installed.

              Can you check?

              Thx!

              Yep, it looks like the Barnyard2 binary is not there.  I will need to investigate how it got missed in the build/run dependencies. It should have been installed along with Suricata. In the meantime, you should be able to just install it using pkg from the command line.

              Bill

                bmeeks

                A quick fix for the missing Barnyard2 binary was posted today by the pfSense team.  If you remove and then reinstall Suricata, it should bring along Barnyard2 now like it did in the past.

                Bill

                  dcol

                  There has been nothing new on this project in many months. Is it dead? I certainly hope not, but I assume we are waiting on improvements to netmap which hasn't been updated in quite a while. Suricata 3.1.1 is out now and seems to be in current development.

                  I could really use this package as I am sure many others are chomping at the bit for it.

                  Progress preview maybe?

                  Dan

                    dcol

                    I guess this really is a dead project after all. It's a real shame.

                      dhboyd26

                      This desperately needs to happen… I need Inline mode so bad, I can't describe how badly I need it.  We have so much junk traffic tossed at valid IPs that perfectly good sites get blocked and many web/cloud based tools that my faculty and staff depend on become useless.

                      I've tuned Suricata rules until I can't see straight, and still, valid sites get blocked.

                      Come on devs, roll this stuff out!  We are all rooting for you (and whining a bit).

                      Suricata 3.1.1 has been out for a while now in production, I wonder if there are still underlying netmap/driver issues causing problems with Inline mode?

                        repne

                        I installed suricata, and the installer complained about some mysql client vulnerability that will not be patched. Something to be worried about?

                          bmeeks

                          @[deleted]:

                          Suricata package has been updated today from 3.0_7 to 3.0_8.

                          From the changelogs I see only a fix for "Suricata, a broken download should not wait forever.", and some changes in licenses.

                          @bmeeks I don't understand, why not jump to the latest version, with the latest fixes, because there are a lot?

                          10x

                          I have been very busy with other work outside of my volunteer package maintainer duties for Suricata and Snort.  The other work pays me, the volunteer maintainer duties do not …  ;).

                          I am testing the latest 3.1.1 binary this weekend and hope to have a pull request posted very soon.

                          Bill

                            dcol

                            Will inline IDS be working with the latest Suricata update?

                              bmeeks

                              @dcol:

                              Will inline IDS be working with the latest Suricata update?

                              Hopefully better than it currently does.  The issues are pretty much all netmap related as netmap is a relatively new technology.  Suricata has had some upstream bugs reported around the netmap interface used for inline mode.  A lot of those reported issues are fixed in the 3.1.1 release.

                              Bill

                                Wisiwyg

                                Thank you @BMeeks!

                                Looks like there's an updated Suricata in Package Manager with the latest 3.1.1_1 version. Trying it out now!

                                Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

                                  ntct

                                  Does the latest Suricata 3.1.1_1 support Hyperscan pattern matching?

                                    Guest

                                    @Wisiwyg:

                                    Thank you @BMeeks!

                                    Looks like there's an updated Suricata in Package Manager with the latest 3.1.1_1 version. Trying it out now!

                                    On which branch are you? I don't see any updates on stable branch?

                                      Wisiwyg

                                      2.3.3_dev

                                      Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

                                        Guest

                                        @Wisiwyg:

                                        2.3.3_dev

                                        Thanks @Wisiwyg

                                          bmeeks

                                          @ntct:

                                          Does the latest Suricata 3.1.1_1 support Hyperscan pattern matching?

                                          It's not turned on yet.  That is next on my list to test.  Not sure what kinds of tweaking may be required in FreeBSD ports to get that enabled and compiling successfully.

                                          Bill

                                            dcol

                                            I will give inline mode a go again when Suricata 3.1.1 becomes available.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.