Suricata inline not working
-
After reading about the benefits of running Suricata in inline mode, I decided to give it a go.
I first set up Suricata to run in Legacy mode to test it and everything seemed to work just like Snort.
I only used one custom rule and no others for testing.
Here is the rule I used:
alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP .top Bad TLD"; threshold: type limit, track by_src, count 1, seconds 60; content:".top>"; nocase; classtype:unsuccessful-user; sid:9000031; rev:2;)
When in legacy mode this rule will block any TLD of .top. When I switch to inline mode, as soon as a rule match arrives it kills the interface and I have to restart the pfsense box. There are no alerts or errors in the logs. I also tried this as a drop rule. Same outcome.
My pfsense box uses 4-igb and 2-em Intel NICs. When Suricata starts, in inline mode, the log shows successful loading of NICs and rules. No errors.
Any ideas? I really want to help get this working.
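As an added illustration (not from the original post and not Suricata's own code), the following Python approximates what the rule quoted above matches and how its threshold suppresses repeat alerts, using constructed SMTP lines; the `evaluate` helper, the sample addresses and the port-only direction check are assumptions of the example.

```python
# Added example (not from the thread, not Suricata code): approximate the
# quoted rule's content match and 'threshold' behaviour on constructed traffic.
CONTENT = ".top>"                            # content:".top>"; nocase;
THRESHOLD = {"count": 1, "seconds": 60}      # threshold: type limit, track by_src

class ThresholdLimit:
    """Approximates 'type limit, track by_src, count N, seconds S':
    at most N alerts per source address per S-second window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.window = {}   # src -> (window_start, alerts_in_window)

    def allow(self, src, now):
        start, n = self.window.get(src, (now, 0))
        if now - start >= self.seconds:      # window expired: start a new one
            start, n = now, 0
        if n >= self.count:                  # limit reached: suppress
            self.window[src] = (start, n)
            return False
        self.window[src] = (start, n + 1)
        return True

def matches(payload: bytes) -> bool:
    """'content:".top>"; nocase;' is a case-insensitive substring test."""
    return CONTENT.encode().lower() in payload.lower()

def evaluate(packets):
    """packets: iterable of (timestamp, src_ip, dst_port, payload).
    Only dst port 25 is checked; $EXTERNAL_NET and direction are not modelled.
    Returns the (timestamp, src_ip) pairs that would alert (or drop inline)."""
    limiter = ThresholdLimit(**THRESHOLD)
    fired = []
    for ts, src, dport, payload in packets:
        if dport == 25 and matches(payload) and limiter.allow(src, ts):
            fired.append((ts, src))
    return fired

# Constructed sample traffic (not a real capture); addresses are documentation ranges.
SAMPLE = [
    (0,  "198.51.100.7", 25,  b"MAIL FROM:<spam@example.top>\r\n"),
    (10, "198.51.100.7", 25,  b"RCPT TO:<user@example.TOP>\r\n"),  # nocase hit, suppressed by limit
    (70, "198.51.100.7", 25,  b"MAIL FROM:<again@mail.top>\r\n"),   # new 60 s window
    (71, "203.0.113.9",  25,  b"MAIL FROM:<ok@example.com>\r\n"),   # no content match
    (72, "203.0.113.9",  443, b"GET /index.top> HTTP/1.1\r\n"),     # not port 25
]

if __name__ == "__main__":
    for ts, src in evaluate(SAMPLE):
        print(f"t={ts:>3}s alert from {src}")
```

Running it shows two alerts from 198.51.100.7 (at t=0 and t=70) and none for the other lines, which is the behaviour to expect before switching the same rule to drop in inline mode.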
-
I noticed an update to Suricata to version 3.1.1 that addresses some of these issues.
Is there a way I can manually apply this update? I am not a Linux guru, so be gentle.
-
Hang tight. BMeeks is working on the package, now that it has been released by the maintainer. He'll have it available in Suricata soon.
Note there was also a question of whether netmap was working properly for in-line mode because of issues with some NICs. I'm not sure if that latest update made it to the pfSense codebase yet.
-
Thanks for that update. I have igb and em NICs in my box; both were listed as compatible with netmap.
I wouldn't risk using anything but Intel with inline netmap.
-
I have the same problem. But I found some kind of workaround. I enabled inline mode only for igb0. If I enable for em0 also, it breaks the connection.
So please try this and tell me if it's working:
Enable in-line for igb0 (make sure igb0 is set to WAN)
Enable legacy mode for em0 (make sure em0 is set to LAN)
-
Redyr,
I was using only one interface, WAN. Which is on igb2. I am currently not using the em interfaces.
LAN is igb3 and the email server I want to protect is on igb0. So, are you saying change the WAN to igb0? Would netmap like igb0 better?
I really only need Suricata inline on the WAN interface with a few simple custom rules I am currently using in Snort. (Example shown previously) By the way, I did disable snort when running Suricata, and Suricata worked ok in legacy mode, just like Snort.
Thanks
Dan
-
I have only 2 interfaces on my pfsense hardware, both with Intel chipsets, but the pfsense sees them as igb0 and em0. When I enabled Suricata Inline mode to WAN - igb0, all was fine, but when I tried to enable Inline mode for the LAN - em0 interface also, I could not access my pfsense box anymore (because the traffic was blocked). If you only use igb0 interfaces, I don't know what advice to offer. I for one found this workaround, and I thought to share. The workaround that I speak of is only enable Inline mode for igb0, and for em0, only run Suricata in legacy mode like Snort. This is the only way it works for me. But I think you have a different problem. Sorry if I was misleading in any way.
Try to use Suricata in Legacy mode until the next version. On these forums I only found that Suricata Inline mode has some issues with netmap, but I did not find any resolution for it. Please share if you find any resolution.
10x