Suricata true inline IPS mode coming with pfSense 2.3 – here is a preview
-
If I may request (some) feature(s):
– on the Suricata -> Interfaces -> select to edit (e.g., WAN) -> WAN Rules page, the footer "Category Rules Summary" would be nice to (also) have available to view at the top of the page
-- that the "Rules View Filter" section always be open (or that the option to always be open can be configured)
-- that selection boxes be available for all the various SID Management categories (i.e., Default Enabled, Enabled by user, Auto-enabled by SID Mgmt, Rule action is alert, Action and/or content modified by SID Mgmt, Default Disabled, Disabled by user, Auto-disabled by SID Mgmt, and Rule action is drop).
-- that the columns on the page be sortable by clicking on the header.
-- that a Category "ALL" be available to see ALL rules and their actions.
-- that Source and Destination be editable fields, to solve the previously mentioned issue with "whitelisting". If implemented, thorough documentation/help/how-to information should be available right there for those of us who are not Suricata rule experts but need rules to work nonetheless. Clearly, the original rule needs to be maintained, with custom edits that can be saved and reused, including aliases and their logic (i.e., NOT/AND/OR).
-- that clicking on a SID to view rule show both the original and active rule (and not as a javascript pop-up).
Easier navigation in the Suricata menus would be appreciated: the requirement to choose Edit on the Interface before any of the pages within can be viewed needs to be eliminated, and all pages flattened so they can be viewed up front.
In the Suricata menus (and in pfSense itself) it would be helpful to have an easy way to move between frequently accessed pages. For example, a Start Page with icons to open frequently used pages either below the icons in a frame (keeping the icons available) or in a separate tab (such that re-clicking on the Start Page icon re-opens the existing tabbed page). Even just having icons on every page with links to open (in an existing tab if possible) frequently accessed pages (e.g., Dashboard, the various pages of Logs, Interface pages, Rules pages, etc.) would help.
-
Last question, it appears that Snort is still not capable of inline mode (with pfSense), true?
-
Good day.
pfSense 2.3.4-RELEASE-p1 (amd64) FreeBSD 10.3-RELEASE-p19
I have an I350-T4 network card installed.
As I understand it, the drivers for this network card do not support Netmap (at least in the current pfSense release), because when I switch to inline mode, alerts stop showing?!
Sorry for my bad English.
-
Last question, it appears that Snort is still not capable of inline mode (with pfSense), true?
Correct, Snort cannot do inline IPS mode on pfSense. Snort implements Netmap, but only through its DAQ module. And the way DAQ implements it is quite different from the way Suricata does. Snort's DAQ requires you to actually dedicate two real network interfaces to the Netmap tunnel. One is "IN" and the other is "OUT". The DAQ takes incoming traffic on the IN and sends it to Snort. Snort either drops it if bad, or sends it back to DAQ if OK. DAQ then sends what it gets from Snort out the OUT interface. It is meant to really run as a completely separate appliance sitting in series with the protected networks. You can't route any traffic between the interfaces either. They are just two ends of the same pipe in a manner of speaking.
Suricata implements Netmap natively (without needing DAQ), and does so in a manner more conducive to IPS mode operation within a firewall. You don't have to use two real interfaces. You specify the real interface where you want Netmap to operate, and then to connect to the OS kernel stack you specify the same interface name but with a plus ("+") at the end. Suricata's Netmap can insert itself between the kernel stack and the NIC driver. Snort's DAQ can't do this.
Bill
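The interface pairing Bill describes (the real NIC on one side, the same name with a "+" suffix for the kernel host stack on the other) looks like this in Suricata's own netmap configuration. This is an added example, not code from the thread or from the pfSense Suricata package; "em0" is an assumed device name and the option set is the one documented for Suricata's netmap capture, so check it against the version you run.

```yaml
# Added example (not from the thread or the pfSense package).
# Suricata netmap IPS pairing for one physical interface. "em0" is an
# assumed NIC name; substitute the real device (igb0, bge0, ...).
netmap:
  # Packets arriving from the wire on em0 are inspected and, unless a
  # drop rule matches, copied to em0+, the host (kernel) stack side.
  - interface: em0
    threads: auto
    copy-mode: ips
    copy-iface: em0+
    disable-promisc: no
    checksum-checks: auto
  # Packets leaving the kernel stack toward em0 take the same path in
  # the other direction and are copied back to the wire.
  - interface: em0+
    threads: auto
    copy-mode: ips
    copy-iface: em0
    checksum-checks: auto
```

Suricata is then started with `--netmap` instead of `-i`. Note that a rule whose action is `alert` still lets the packet through in this mode; only rules whose action is `drop` actually block, which is why the pfSense GUI offers SID management to flip selected rules from alert to drop.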
-
Good day.
pfSense 2.3.4-RELEASE-p1 (amd64) FreeBSD 10.3-RELEASE-p19
I have an I350-T4 network card installed.
As I understand it, the drivers for this network card do not support Netmap (at least in the current pfSense release), because when I switch to inline mode, alerts stop showing?!
Sorry for my bad English.
Probably true. I don't have a list of exactly which drivers fully support Netmap. I know there are several out there that work great, some that work in a buggy fashion, and some that don't work at all. If you have trouble with Inline IPS mode in Suricata with your NIC hardware, you either have to change the NIC to one that is supported or switch to Legacy Mode blocking and abandon Inline IPS.
You could try posting an open question to Suricata users here on the forum to see who is successfully using Inline IPS mode and with which type of network card.
Bill
-
Well, thanks for the answer!
I would like to know whether the latest drivers for my network card are in pfSense; maybe they can be updated, or upgraded in version 2.4 with a different FreeBSD kernel?!
-
Well, thanks for the answer!
I would like to know whether the latest drivers for my network card are in pfSense; maybe they can be updated, or upgraded in version 2.4 with a different FreeBSD kernel?!
pfSense uses whatever is in FreeBSD upstream. They do not create their own network drivers. pfSense 2.3.4 is based on FreeBSD 10.3-RELEASE. The pfSense 2.4-DEV tree is based on FreeBSD 11, so it is likely to contain more up-to-date network drivers. Which pfSense version are you running? You could give 2.4-DEV a try if you want to. Perhaps it has drivers for your hardware that support Netmap.
Bill
-
Good day.
Maybe you guys can help or give some advice.
I have a NetXtreme BCM5720 Gigabit Ethernet PCIe card, and inline mode works. But from time to time it starts to drop traffic on either the internal or the external interface.
In logs i see a lot of messages like this:
728.051395 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 74 m 0xfffff8000d78e000
Rebooting machine or bringing interface down then up usually helps. Today first time it came up on itself, after dropping traffic for about an hour or so.
Can it mean the NIC does not fully support Netmap? Or is it just some misconfiguration on my side? I would be glad for any help.
-
Don't use inline mode.
-
Good day.
Maybe you guys can help or give some advice.
I have a NetXtreme BCM5720 Gigabit Ethernet PCIe card, and inline mode works. But from time to time it starts to drop traffic on either the internal or the external interface.
In logs i see a lot of messages like this:
728.051395 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 74 m 0xfffff8000d78e000
Rebooting machine or bringing interface down then up usually helps. Today first time it came up on itself, after dropping traffic for about an hour or so.
Can it mean the NIC does not fully support Netmap? Or is it just some misconfiguration on my side? I would be glad for any help.
Could be a buggy Netmap implementation by the driver, but you might try fiddling around with buffers. I'm no expert, but others have posted here about various mbuf settings that can be adjusted for certain NICs. These have helped with some Netmap and other NIC driver problems.
Bill
-
Well, replacing the NICs in the server with ones that officially support Netmap, and configuring them according to the recommendations in https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards, seems to have fixed the issue. I have not observed this problem in the last 30 days.
Thank you for the help bmeeks.
-
I have followed all the recommendations in the tuning guide and I still get a ton of bad pkt errors. Using an intel i350. Also tried Intel i219.
Is anyone else using the i350 successfully?