Suricata inline mode hides outbound traffic graphs

  • Hello,
    I'm testing Suricata inline mode with the latest 2.4 snapshot.
    Not blocking anything, but when inline mode is active (I have not tested legacy mode), the traffic graphs on the dashboard and in "Monitoring" don't show outbound traffic for any interface configured in Suricata.
    If the suricata service is globally or per-interface stopped, outbound traffic is displayed.

    My 2 cts.

  • This is most likely caused by an interaction between Netmap, the kernel network stack, and whatever mechanism the traffic graph uses to get data.  When operating with inline IPS mode blocking, Suricata activates and makes use of the Netmap interface in FreeBSD.  This will insert a Netmap pipe between the interface and the rest of pfSense.

    I created the Suricata package, but I am not familiar with how the traffic graph processes work in pfSense.


  • This is what I've suspected. ;)
    This isn't a blocking bug, but it is hiding some useful information.
    I hope this issue will be resolved soon.
    Anyway, thanks for your answer and I hope the devs can take a look at this issue.

  • Solved with today's latest snapshot.
    Thanks to the devs and everyone else. ;D

  • Too quick, my bad…
    The first dashboard view after the update showed outbound traffic graphs, but after a refresh it stopped working.
    So still an issue for me.
