Netgate Discussion Forum
    Suricata Inline IPv4 rules not triggering

    2.4 Development Snapshots
    2 Posts 2 Posters 644 Views
    jameswebb

      Hi,

      I have been running Suricata Inline mode on my XG-1541 for quite some time now. I upgraded to the pfSense 2.4 Beta recently and have noticed that all my rules and Suricata's rules based around IPv4 aren't working! For some reason it seems to allow all IPv4 traffic through and no alerts are generated. IPv6 is still working fine though.

      Here is an example.
      After adding the following rule to custom.rules:

      drop ip [108.74.97.21, 82.132.247.191] any <> $HOME_NET any (msg:"Suspicious Botnet Blocked";)

      Expected behaviour:
      Trigger an alert and block the packets from the listed IPs, regardless of Inline or Legacy mode.

      Actual behaviour:
      Blocks traffic and adds a message to Alerts in Legacy mode. In Inline mode nothing happens and traffic is allowed through; no alerts are generated.

      Other observations:
      On further inspection it would seem that since the pfSense 2.4.0 update no IPv4 rules are being alerted in Inline mode at all. Note that the addresses tested are IPv4 and that this observation regarding the lack of IPv4 alert triggering may be part or all of the issue. The IPv4 addresses in the above rule are not part of $HOME_NET; they are completely separate public-facing IPv4 addresses.

      Any ideas on how to correct this issue with Inline mode?

      James

        doktornotor

        Please, don't multipost. https://forum.pfsense.org/index.php?topic=125239.0

        In general, I'd avoid the badly broken netmap thing altogether.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.