4. Suricata Inline mode NO Alert NO Drop

Suricata Inline mode NO Alert NO Drop

  • M

    Hi,

    I'm running pfSense on an ESXi6 virtual machine with vmxnet3 network drivers (open-vmtools installed). It is set up as a transparent firewall with bridge interfaces. Packet filtering occurs on bridge interfaces only (system_tunables).
    Suricata setup:

    • snort rules downloaded and updated
    • bridge interface configured for inline mode, block offenders, custom home_net
    • dropsid.conf configured for dropping all snort_ rules, applied to bridge interface

    Suricata is running fine without errors however no alert or drop shows up in the logs.
    If I change to legacy mode log is full of dropped contents.
    What am I missing here? Any advice?

    My version:  2.3.2-RELEASE-p1 (amd64) built on Tue Sep 27 12:13:07 CDT 2016 FreeBSD 10.3-RELEASE-p9
    Suricata version: 3.0_9

    Thanks
    mind12

    0
  • V

    You should configure for suricata one of bridged interfaces instead of bridge interface.

    0
  • M

    I have alredy tried that without success.
    Fortunately I solved the problem. As I suspected the problem was the vmxnet3 drivers. Netmap doesn't support it.
    Alerts appeared using Suricata inline with E1000 drivers on one of my bridge interfaces.
    I found this reference in another post:
    https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES

    Lesson: DON'T use VMXNET3 with Suricata INLINE mode!

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy