Suricata Inline mode NO Alert NO Drop
-
Hi,
I'm running pfSense on an ESXi 6 virtual machine with vmxnet3 network drivers (open-vm-tools installed). It is set up as a transparent firewall with bridge interfaces. Packet filtering occurs on the bridge interfaces only (system_tunables).
Suricata setup:
- snort rules downloaded and updated
- bridge interface configured for inline mode, block offenders, custom home_net
- dropsid.conf configured for dropping all snort_ rules, applied to bridge interface
Suricata is running fine without errors; however, no alerts or drops show up in the logs.
If I change to legacy mode, the log is full of dropped content.
What am I missing here? Any advice?
My version: 2.3.2-RELEASE-p1 (amd64) built on Tue Sep 27 12:13:07 CDT 2016 FreeBSD 10.3-RELEASE-p9
Suricata version: 3.0_9
Thanks
mind12 -
You should configure Suricata on one of the bridged interfaces instead of the bridge interface.
-
I have already tried that without success.
Fortunately, I solved the problem. As I suspected, the problem was the vmxnet3 driver: netmap doesn't support it.
Alerts appeared using Suricata inline with E1000 drivers on one of my bridge interfaces.
I found this reference in another post:
https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES
Lesson: DON'T use VMXNET3 with Suricata INLINE mode!
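The two points the thread lands on (put Suricata inline on a bridge member, never on bridgeN itself, and make sure that member's driver is one netmap supports) can be checked before enabling inline mode. The script below is an added example, not code from the thread or from pfSense: it parses `ifconfig <bridge>` output, enumerates the member interfaces, and flags any whose driver is not in the native-support list from the FreeBSD 10.2 netmap(4) SUPPORTED DEVICES section linked above (em, igb, ixgbe, lem, re). The ifconfig output is a constructed sample so the script runs offline; on a real box pipe in `ifconfig bridge0` instead. Treating every driver outside that list as unsupported (vmx/vmxnet3 included) is an assumption that matches the poster's result, not a statement about netmap's emulated mode.

```shell
#!/bin/sh
# Added example: pick a netmap-capable bridge member for Suricata inline mode.
# Not part of the original pfSense thread.

# Drivers with native netmap support on FreeBSD 10.x, per netmap(4)
# SUPPORTED DEVICES. Note that vmx (vmxnet3) is absent (assumption: anything
# not listed here is treated as unsupported for inline mode).
NETMAP_NATIVE="em igb ixgbe lem re"

# Strip the unit number from an interface name: vmx0 -> vmx, em1 -> em.
driver_of() {
    printf '%s\n' "$1" | sed 's/[0-9][0-9]*$//'
}

# Return 0 if the interface's driver has native netmap support, 1 otherwise.
netmap_native() {
    d=$(driver_of "$1")
    for n in $NETMAP_NATIVE; do
        [ "$n" = "$d" ] && return 0
    done
    return 1
}

# Print the member interfaces of a bridge, reading `ifconfig <bridge>` output
# from stdin. Members appear as lines starting with "member:".
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Read the bridge's ifconfig output on stdin and print one verdict per member:
# "<ifname> ok" or "<ifname> UNSUPPORTED ...". The bridge itself is never a
# candidate: Suricata inline has to sit on a member, not on bridgeN.
classify_members() {
    bridge_members | while read -r ifn; do
        if netmap_native "$ifn"; then
            printf '%s ok\n' "$ifn"
        else
            printf '%s UNSUPPORTED (no native netmap support; use legacy mode or another NIC)\n' "$ifn"
        fi
    done
}

# Constructed sample (not captured from a real system): a bridge with one
# vmxnet3 member and one e1000 (em) member, the mix described in the thread.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: vmx0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Number of members that can carry inline mode in the sample bridge.
usable_member_count() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | classify_members | grep -c ' ok$'
}

# Run against the sample: vmx0 is flagged, em0 is the interface to use.
printf '%s\n' "$SAMPLE_IFCONFIG" | classify_members
```

On pfSense the member names come from the bridge you built under Interfaces > Bridges; feed that bridge's `ifconfig` output to `classify_members` and give Suricata the member it reports as ok.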