Suricata Inline IDS not filtering IPv4

  • Hi,

    I have been running Suricata in Inline mode on my XG-1541 for quite some time now. I upgraded to the pfSense 2.4 Beta recently and have noticed that all my rules and Suricata's rules based around IPv4 aren't working! For some reason it seems to allow all IPv4 traffic through, and no alerts are generated. IPv6 is still working fine, though.

    Here is an example.
    After adding the following rule to custom.rules:

    drop ip [,] any <> $HOME_NET any (msg:"Suspicious Botnet Blocked";)

    Expected behaviour:
    Block any traffic flowing from the listed IPs, regardless of Inline or Legacy mode.

    Actual behaviour:
    Blocks traffic and adds message to alerts in Legacy mode. In Inline mode nothing happens and traffic is allowed through.

    Other observations:
    On further inspection it would seem that since the pfSense 2.4.0 update no IPv4 rules are being blocked in Inline mode at all. Note that the addresses tested are IPv4, and that this observation regarding the lack of IPv4 blocking may be part or all of the issue. The IPv4 addresses in the above rule are not part of $HOME_NET; they are a completely separate, public-facing IPv4 address.

    Any ideas on how to correct this issue with Inline mode?
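Two checks that help narrow a report like this one, as an added example that is not part of the original post: first, a minimal lint of a `custom.rules` line for the two things that make Suricata silently skip a rule (an address list with no entries, and a missing `sid`, which Suricata refuses to load without); second, a summary of Suricata's `eve.json` alert records that counts, per signature and per IP version, how many hits were reported as `blocked` (inline drop enforced) versus `allowed` (alert only). The `eve.json` lines below are constructed, not captured from the poster's firewall, and the signature ids and addresses in them are placeholders.

```python
"""Check whether Suricata inline drops are actually enforced, per IP version,
and lint a rule line for defects that stop it from loading."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed eve.json alert records (placeholder sids and documentation addresses).
# Suricata reports "blocked" when an inline drop was enforced and "allowed" when
# the rule only alerted; a drop rule that keeps reporting "allowed" is not dropping.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.1.20","proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"Suspicious Botnet Blocked"}}',
    '{"event_type":"alert","src_ip":"203.0.113.11","dest_ip":"192.168.1.20","proto":"UDP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"Suspicious Botnet Blocked"}}',
    '{"event_type":"alert","src_ip":"2001:db8::bad","dest_ip":"2001:db8:1::20","proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"Suspicious Botnet Blocked v6"}}',
    '{"event_type":"flow","src_ip":"203.0.113.12","dest_ip":"192.168.1.20","proto":"TCP"}',
    'not json at all',
]

# The rule as posted (address list elided) and a constructed well-formed counterpart.
POSTED_RULE = 'drop ip [,] any <> $HOME_NET any (msg:"Suspicious Botnet Blocked";)'
GOOD_RULE = ('drop ip [203.0.113.0/24,198.51.100.7] any <> $HOME_NET any '
             '(msg:"Suspicious Botnet Blocked"; sid:9000001; rev:1;)')

RULE_HEADER = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def rule_problems(rule):
    """Return the problems that would make Suricata reject or never match this rule."""
    problems = []
    m = RULE_HEADER.match(rule.strip())
    if not m:
        return ["header does not match 'action proto src sport dir dst dport (options)'"]
    for field in ("src", "dst"):
        addr = m.group(field)
        # A bracketed list with no address, variable or negation in it matches nothing.
        if addr.startswith("[") and not re.search(r"[0-9a-fA-F$!]", addr):
            problems.append(f"{field} address list {addr!r} contains no addresses")
    if not re.search(r"(^|;)\s*sid\s*:\s*\d+\s*;", m.group("opts")):
        problems.append("missing sid option; Suricata will not load a rule without a sid")
    return problems


def summarize_alerts(lines):
    """Count allowed vs blocked alerts per (signature_id, ip_version) over eve.json lines."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        if rec.get("event_type") != "alert":
            continue
        try:
            version = ipaddress.ip_address(rec["src_ip"]).version
        except (KeyError, ValueError):
            continue
        alert = rec["alert"]
        action = alert.get("action", "allowed")
        if action in ("allowed", "blocked"):
            counts[(alert["signature_id"], version)][action] += 1
    return dict(counts)


def unenforced(counts):
    """Return (sid, ip_version) pairs that alerted but were never blocked."""
    return sorted(k for k, v in counts.items() if v["allowed"] > 0 and v["blocked"] == 0)


if __name__ == "__main__":
    print("posted rule:", rule_problems(POSTED_RULE))
    print("good rule:", rule_problems(GOOD_RULE))
    summary = summarize_alerts(SAMPLE_EVE_LINES)
    for key, val in sorted(summary.items()):
        print(f"sid {key[0]} IPv{key[1]}: {val}")
    print("drop not enforced for:", unenforced(summary))
```

On a live box, replace `SAMPLE_EVE_LINES` with the lines of the Suricata `eve.json` for the interface in question; if IPv4 signatures show only `allowed` while IPv6 ones show `blocked`, the symptom the post describes is confirmed from Suricata's own log rather than from observed traffic.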
