Suricata inline mode breaking barnyard2
-
Howdy, I was experimenting with inline blocking mode and somehow this has managed to break the integration with barnyard2. Now barnyard2 refuses to start with the following error:
FATAL ERROR: [ParseSidMapLine()], File [/usr/local/etc/suricata/suricata_47561_igb0/sid-msg.map], Error in map definition [1 || 1000001 || || NOCLASS || 0 || Pass List Entry - allow all traffic from/to 10.10.10.1/32] for value []
This does not occur on other interfaces with barnyard2 turned on and seems to be isolated to the WAN interface.
Any ideas on further troubleshooting or remediation steps? Thanks!
-
So I made some progress on this; the issue is that suricata is not properly generating the passlist rules for sid-msg.map (it's omitting a 'rev' column), which I think is what is tripping up barnyard2.
I was able to disable/enable blocking so that the passlist entries were no longer added to the .map file, but they seem to get put back in if I switch over to inline.
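A small checker for the sid-msg.map v2 layout that barnyard2 loads (gid || sid || rev || classification || priority || msg || ref ...), added here as an illustration and not part of the thread or of either project's code. The first sample line is the rejected entry quoted in the error above; the other two are constructed, and running the checker over a generated map shows which lines have the empty 'rev' field before barnyard2 is restarted.

```python
"""Validate sid-msg.map (v2) entries the way barnyard2's loader expects them.

v2 layout, six or more '||'-separated fields:
    gid || sid || rev || classification || priority || msg [|| ref ...]
"""
import re

V2_FIELDS = ("gid", "sid", "rev", "classification", "priority", "msg")

# Constructed sample: line 1 is the pass-list entry quoted in the barnyard2 error
# (empty rev), line 2 is the same entry with a revision filled in, line 3 is an
# ordinary entry with a reference field.
SAMPLE_MAP = """\
1 || 1000001 || || NOCLASS || 0 || Pass List Entry - allow all traffic from/to 10.10.10.1/32
1 || 1000001 || 1 || NOCLASS || 0 || Pass List Entry - allow all traffic from/to 10.10.10.1/32
1 || 2100498 || 7 || attempted-recon || 2 || GPL ATTACK_RESPONSE id check returned root || ref
"""


def parse_line(line):
    """Split one v2 map line into a dict; raise ValueError for a line barnyard2 would reject."""
    fields = [f.strip() for f in line.split("||")]
    if len(fields) < len(V2_FIELDS):
        raise ValueError(f"expected at least {len(V2_FIELDS)} fields, got {len(fields)}")
    entry = dict(zip(V2_FIELDS, fields[:len(V2_FIELDS)]))
    entry["refs"] = fields[len(V2_FIELDS):]
    # gid, sid, rev and priority must all be non-empty integers; an empty rev is
    # exactly the defect described in the post above.
    for numeric in ("gid", "sid", "rev", "priority"):
        if not re.fullmatch(r"\d+", entry[numeric]):
            raise ValueError(f"field '{numeric}' must be an integer, got '{entry[numeric]}'")
    if not entry["msg"]:
        raise ValueError("empty msg field")
    return entry


def check_map(text):
    """Return (line_number, error) for every non-blank, non-comment line that fails to parse."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            parse_line(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
    return problems


if __name__ == "__main__":
    for lineno, err in check_map(SAMPLE_MAP):
        print(f"line {lineno}: {err}")
```

Point check_map at the real file (for example /usr/local/etc/suricata/suricata_47561_igb0/sid-msg.map) to list every entry barnyard2 will refuse.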