    Netgate Discussion Forum

    Suricata, Netmap, Realtek

    IDS/IPS
    • U
      usual last edited by

      Does Suricata work with Realtek NICs?

      OPNsense recently made the move to the official Realtek drivers and it is supposed to work.

      Does it work in pfSense? Inline IPS?

      From searching the forum I can't get a clear understanding.

      If anyone knows for sure, I'd appreciate the confirmation one way or the other.

      • U
        usual last edited by

        I enabled Suricata and ET rules with inline IPS blocking.

        I also enabled Snort registered rules.

        ET rules are triggering, so that is great, but it doesn't appear to be blocking anything even though the option is checked to block inline.

        No Snort rules have triggered yet.

        Any idea what could be causing it not to block?

        • U
          usual last edited by

          SUCCESS! I see a rule blocked something.

          Great news. None of the Snort rules seem to trigger but ET appears to be working and blocking.

          I don't see how you unblock or whitelist an IP when using inline IPS blocking though.

          • R
            Redyr Banned last edited by

            It's pretty easy: look in the Alerts tab, and you will have alerts for WAN and for LAN. You can whitelist by IP or by ruleset. If you hover your mouse pointer over the plus (+) sign, I think, it will show you a description of the action it will take if you click on it, which is whitelist. Try to play with pfSense at home or install it as a VM; after you understand the logic, it's pretty easy.

            Inline mode doesn't permanently block an IP; only legacy mode does that. So there's no need to unblock an IP, only to whitelist the IP or suppress the rule if you have issues.

            • J
              johnabbot last edited by

              I've tried mine, a Realtek RTL8168B, handled by re(4), and it doesn't appear to work on 2.4.

              Does anyone have a recommendation for a card that is working well with inline under 2.4?

              • K
                K last edited by K

                Hey there, I was searching on the forums and the web to see which network adapters support and work with inline mode - netmap.

                I've found these and am not sure if they're fixed in the current version.

                • Inline mode doesn't permanently block an IP, only legacy mode does that.

                • Inline mode breaks traffic shape, legacy mode doesn't

                • Inline mode breaks VLANs, legacy mode doesn't

                • Inline mode prevents packet leakage, legacy mode doesn't

                Apparently there is only a subsection of hardware that fully supports Netmap…
                Netmap / FreeBSD has issues with Intel i340, i350/v2, i210, i211, i217, i219, PRO/1000, 82575/82576/82579/82580 and Realtek RTL8168B NICs.

                @bmeeks:

                Netmap compatibility must exist at the software layer where the NIC driver meets the operating system…
                There have been (and probably still are) some issues/bugs in both the FreeBSD implementation of Netmap and in Suricata's use of Netmap.

                I have a Dell 0HM9JY Intel 82576 Gigabit ET quad port NIC (Intel PRO/1000 ET) and have the same error messages:

                
                549.863394 [1071] netmap_grab_packets	bad pkt at 91 len 2164
                549.864619 [1071] netmap_grab_packets	bad pkt at 95 len 2163
                550.034152 [1071] netmap_grab_packets	bad pkt at 197 len 2164
                550.035448 [1071] netmap_grab_packets	bad pkt at 199 len 2164
                
                

                I have also turned off hardware-based checksums, TCP segmentation offloading and LRO (Large Receive Offloading), then rebooted pfSense. The error still persists and it doesn't seem to work properly or as intended.

                1 Reply Last reply Reply Quote 0
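
A way to triage the `netmap_grab_packets` messages quoted in the post above, added here as an example and not part of anyone's post or of the Suricata/pfSense code: it parses the lines and counts how many rejected frames are longer than the netmap buffer. The 2048-byte default (the `dev.netmap.buf_size` sysctl) and the helper names are assumptions; check the value on your own system.

```python
import re
from collections import Counter

# Constructed sample: the four log lines quoted in the post, plus one
# made-up unrelated line to show that non-matching input is skipped.
SAMPLE_LOG = (
    "549.863394 [1071] netmap_grab_packets\tbad pkt at 91 len 2164\n"
    "549.864619 [1071] netmap_grab_packets\tbad pkt at 95 len 2163\n"
    "549.900000 [ 100] example_other_function\tconstructed unrelated line\n"
    "550.034152 [1071] netmap_grab_packets\tbad pkt at 197 len 2164\n"
    "550.035448 [1071] netmap_grab_packets\tbad pkt at 199 len 2164\n"
)

# Timestamp, bracketed number, function name, then slot index and length.
BAD_PKT = re.compile(
    r"(?P<ts>\d+\.\d+)\s+\[\s*\d+\]\s+netmap_grab_packets\s+"
    r"bad pkt at (?P<slot>\d+) len (?P<length>\d+)"
)

def parse_bad_pkts(text):
    """Return one dict per 'bad pkt' message found in the log text."""
    events = []
    for line in text.splitlines():
        m = BAD_PKT.search(line)  # search: tolerate a syslog prefix
        if m:
            events.append({"ts": float(m["ts"]), "slot": int(m["slot"]),
                           "length": int(m["length"])})
    return events

def summarize(events, buf_size=2048):
    """Count rejected frames and how many exceed the assumed buffer size."""
    lengths = Counter(e["length"] for e in events)
    oversized = sum(n for length, n in lengths.items() if length > buf_size)
    span = events[-1]["ts"] - events[0]["ts"] if events else 0.0
    return {
        "total": len(events),
        "by_length": dict(lengths),
        "oversized": oversized,
        "all_oversized": bool(events) and oversized == len(events),
        "span_seconds": round(span, 6),
    }

if __name__ == "__main__":
    print(summarize(parse_bad_pkts(SAMPLE_LOG)))
```

On a firewall, pass the output of `dmesg` to `parse_bad_pkts` in place of `SAMPLE_LOG`.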