Netgate Discussion Forum
    Suricata inline not working

    IDS/IPS

      dcol Banned

      After reading about the benefits of running Suricata in inline mode, I decided to give it a go.
      I first set up Suricata to run in Legacy mode to test it, and everything seemed to work just like Snort.
      I only used one custom rule and no others for testing.
      Here is the rule I used:

      alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP .top Bad TLD"; threshold: type limit, track by_src, count 1, seconds 60; content:".top>"; nocase; classtype:unsuccessful-user; sid:9000031; rev:2;)

      When in legacy mode this rule will block any TLD of .top. When I switch to inline mode, as soon as a rule match arrives it kills the interface and I have to restart the pfsense box. There are no alerts or errors in the logs. I also tried this as a drop rule. Same outcome.

      My pfsense box uses 4-igb and 2-em Intel NICs. When Suricata starts, in inline mode, the log shows successful loading of NICs and rules. No errors.

      Any ideas? I really want to help get this working.

        dcol Banned
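The rule quoted in the first post is the thread's own. What follows is an added example, not code from the original post or from the Suricata or pfSense projects: a small Python script that parses that rule into its header and options and models what its threshold option does (type limit, track by_src, count 1, seconds 60: at most one alert per source in each 60-second window). The regexes, the LimitThreshold class and the sample SMTP events are constructed here for illustration and are a model of the rule's semantics, not Suricata's engine.

```python
"""Parse the SMTP .top rule from the thread and model its threshold option.

Added example; regexes, class and sample events are constructed here."""
import re

# The rule exactly as posted in the first message of the thread.
RULE = ('alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP .top Bad TLD"; '
        'threshold: type limit, track by_src, count 1, seconds 60; '
        'content:".top>"; nocase; classtype:unsuccessful-user; '
        'sid:9000031; rev:2;)')

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# Split options on ';' but never inside a double-quoted string.
OPT_SPLIT_RE = re.compile(r'(?:"[^"]*"|[^";])+')


def parse_rule(rule):
    """Return (header dict, options dict). Bare keywords such as nocase map to True."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a Suricata/Snort rule")
    header = m.groupdict()
    options = {}
    for raw in OPT_SPLIT_RE.findall(header.pop("opts")):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, value = raw.partition(":")
        value = value.strip()
        if sep == "":
            options[key] = True                      # e.g. nocase
        elif key == "threshold":
            # "type limit, track by_src, count 1, seconds 60" -> dict
            options[key] = dict(p.split() for p in value.split(","))
        else:
            options[key] = value.strip('"')
    return header, options


class LimitThreshold:
    """Models 'threshold: type limit, track by_src, count N, seconds S':
    the first N matches from a source alert, the rest of the window is silent."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> (window_start, alerts_in_window)

    def should_alert(self, src, now):
        start, n = self.windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self.windows[src] = (now, 1)             # open a fresh window
            return True
        if n < self.count:
            self.windows[src] = (start, n + 1)
            return True
        return False                                 # suppressed by limit


def run_rule(rule, events):
    """Apply the rule to (time, src, dport, payload) events; return (time, src) that alert."""
    header, options = parse_rule(rule)
    pattern = options["content"]
    nocase = options.get("nocase", False)
    th = options.get("threshold")
    limiter = None
    if th and th.get("type") == "limit":
        limiter = LimitThreshold(int(th["count"]), int(th["seconds"]))
    alerts = []
    for t, src, dport, payload in events:
        if header["dport"] != "any" and str(dport) != header["dport"]:
            continue                                 # port does not match header
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            continue                                 # content does not match
        if limiter is None or limiter.should_alert(src, t):
            alerts.append((t, src))
    return alerts


# Constructed sample events: (seconds, source IP, dst port, payload fragment)
EVENTS = [
    (0,  "198.51.100.7", 25,  "MAIL FROM:<spam@example.top>"),    # first hit: alerts
    (10, "198.51.100.7", 25,  "MAIL FROM:<more@EXAMPLE.TOP>"),    # same src in window: suppressed
    (15, "203.0.113.9",  25,  "MAIL FROM:<x@foo.top>"),           # different src: alerts
    (30, "198.51.100.7", 25,  "MAIL FROM:<ok@example.com>"),      # no content match
    (70, "198.51.100.7", 25,  "MAIL FROM:<again@example.top>"),   # new window: alerts
    (75, "198.51.100.7", 587, "MAIL FROM:<submit@example.top>"),  # wrong port
]

if __name__ == "__main__":
    for t, src in run_rule(RULE, EVENTS):
        print(f"t={t:>3}s alert from {src}")
```

Running it shows three alerts (t=0, 15 and 70), which is the behaviour the threshold option is meant to produce: the repeated hit from the same source at t=10 is dropped, the other source alerts independently, and the same source alerts again once its 60-second window has expired. Note the engine itself is what decides whether the packet is also dropped in inline mode; the rule's action keyword (alert versus drop) is only parsed here, not enforced.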

        I noticed an update to Suricata to version 3.1.1 that addresses some of these issues.

        Is there a way I can manually apply this update? I am not a Linux guru, so be gentle.

          Wisiwyg

          Hang tight. BMeeks is working on the package, now that it has been released by the maintainer. He'll have it available in Suricata soon.

          Note there was also a question of whether netmap was working properly for in-line mode because of issues with some NICs. I'm not sure if that latest update made it to the pfSense codebase yet.

          Overkill - i5 quad, 3.1ghz, 8gb, 240gb SSD, dual & single Intel NICs

            dcol Banned

            Thanks for that update. I have igb and em NICs in my box; both were listed as compatible with netmap.
            I wouldn't risk using anything but Intel with inline netmap.

              Guest

              I have the same problem. But I found some kind of workaround. I enabled inline mode only for igb0. If I enable for em0 also, it breaks the connection.

              So please try this and tell me if it's working:

              Enable in-line for igb0 (make sure igb0 is set to WAN)
              Enable legacy mode for em0 (make sure em0 is set to LAN)

                dcol Banned

                Redyr,
                I was using only one interface, WAN, which is on igb2. I am currently not using the em interfaces.
                LAN is igb3, and the email server I want to protect is on igb0.

                So, are you saying change the WAN to igb0? Would netmap like igb0 better?
                I really only need Suricata inline on the WAN interface with a few simple custom rules I am currently using in Snort. (Example shown previously)

                By the way, I did disable snort when running Suricata, and Suricata worked ok in legacy mode, just like Snort.

                Thanks
                Dan

                  Guest

                  @dcol:

                  Redyr,
                  I was using only one interface, WAN, which is on igb2. I am currently not using the em interfaces.
                  LAN is igb3, and the email server I want to protect is on igb0.

                  So, are you saying change the WAN to igb0? Would netmap like igb0 better?
                  I really only need Suricata inline on the WAN interface with a few simple custom rules I am currently using in Snort. (Example shown previously)

                  By the way, I did disable snort when running Suricata, and Suricata worked ok in legacy mode, just like Snort.

                  Thanks
                  Dan

                  I have only 2 interfaces on my pfSense hardware, both with Intel chipsets, but pfSense sees them as igb0 and em0. When I enabled Suricata Inline mode on WAN - igb0, all was fine, but when I tried to enable Inline mode for the LAN - em0 interface also, I could not access my pfSense box anymore (because the traffic was blocked). If you only use igb0 interfaces, I don't know what advice to offer. I for one found this workaround, and I thought to share. The workaround that I speak of is to only enable Inline mode for igb0, and for em0, only run Suricata in legacy mode like Snort. This is the only way it works for me. But I think you have a different problem. Sorry if I was misleading in any way.

                  Try to use Suricata in Legacy mode until the next version. On these forums I only found that Suricata Inline mode has some issues with netmap, but I did not find any resolution for it. Please share if you find any resolution.

                  10x

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.