Netgate Discussion Forum

    Suricata drop all outgoing traffic

    Category: IDS/IPS
    8 Posts 6 Posters 2.4k Views
    padpn:

      Hello!

      After enabling Suricata in Inline mode it drops all outgoing traffic on the interface.

      I'm running pfSense 2.3.3-RELEASE-p1 and suricata 3.1.2_2.
      My Ethernet adapter is an Intel I340.

      Digital_ADHD:

        @padpn:

        Hello!

        After enabling Suricata in Inline mode it drops all outgoing traffic on the interface.

        I'm running pfSense 2.3.3-RELEASE-p1 and suricata 3.1.2_2.
        My Ethernet adapter is an Intel I340.

        In your block list do you see LAN or WAN addresses?

        You could go to https://routername_or_ipaddress/suricata/suricata_alerts.php and see which rule is getting triggered.

        I am very new, so when I set this up I had a rule configured that was alerting on UDP 53 invalid IPv4 checksum, and it was blocking all of the root DNS servers, basically blocking any internet traffic that was doing a DNS query first.

        This fell under the 2200000-2200999 Suricata Decoder Events.

        I set the following in my suppression list.

        #SURICATA UDPv4 invalid checksum
        suppress gen_id 1, sig_id 2200075

        Anyway, the important thing to start with is to see what is being triggered via the Alerts tab or the firewall logs.

        Maybe, lol, I hope this helps.

        padpn:
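The triage step the post above describes (look at which signature is firing before touching the suppression list) can be scripted against Suricata's EVE JSON alert log. The following is an added example written for this thread; it is not code from the original posts nor from the Suricata or pfSense projects. It reads EVE alert records (one JSON object per line, as Suricata writes to eve.json), ranks signatures by how many distinct destinations they hit, and drafts threshold.config "suppress" entries for decoder-event signatures (gen_id 1, SIDs 2200000-2200999) in the same form the post uses. The sample records are constructed for the example; the root-server destination addresses are public, while the firewall address 192.168.1.1 and the local SID 1000001 are assumptions. One caveat worth knowing in general: invalid-checksum decoder alerts on traffic the firewall itself originates are usually a symptom of hardware checksum offload (with netmap inline mode Suricata inspects the frame before the NIC fills in the checksum, so the packet looks corrupt), and the script therefore prefers a suppression limited to that one source address over a global one.

```python
"""Find which Suricata signature is dropping outbound traffic and draft a
suppression for it.

Added example for this thread, not code from the original posts nor from
the Suricata/pfSense projects. Input is EVE JSON, one alert object per line.
SAMPLE_EVE is constructed; 192.168.1.1 and SID 1000001 are assumptions.
"""
import json
from collections import Counter, defaultdict

# Suricata decoder events: gen_id 1, SIDs 2200000-2200999.
DECODER_SIDS = range(2200000, 2201000)

SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    # A flow record, to show that non-alert events are ignored.
    {"timestamp": "2017-04-01T10:00:00+0000", "event_type": "flow",
     "src_ip": "192.168.1.1", "dest_ip": "198.41.0.4", "proto": "UDP"},
    # Three checksum decoder alerts, one per root server queried.
    *[{"timestamp": "2017-04-01T10:00:0%d+0000" % i, "event_type": "alert",
       "src_ip": "192.168.1.1", "dest_ip": d, "proto": "UDP", "dest_port": 53,
       "alert": {"action": "blocked", "gid": 1, "signature_id": 2200075,
                 "rev": 1, "signature": "SURICATA UDPv4 invalid checksum",
                 "category": "Generic Protocol Command Decode"}}
      for i, d in enumerate(["198.41.0.4", "199.9.14.201", "192.33.4.12"])],
    # One hit on a constructed local rule (local SIDs start at 1000000).
    {"timestamp": "2017-04-01T10:00:05+0000", "event_type": "alert",
     "src_ip": "203.0.113.7", "dest_ip": "192.168.1.1", "proto": "TCP",
     "alert": {"action": "blocked", "gid": 1, "signature_id": 1000001,
               "rev": 1, "signature": "LOCAL TTL flood (constructed)",
               "category": "Attempted Denial of Service"}},
])


def parse_eve_alerts(text):
    """Return the alert records in EVE JSON text; other events and
    unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        a = rec.get("alert")
        if rec.get("event_type") != "alert" or not a or "signature_id" not in a:
            continue
        alerts.append({"gid": a.get("gid", 1), "sid": a["signature_id"],
                       "signature": a.get("signature", ""),
                       "action": a.get("action", "allowed"),
                       "src_ip": rec.get("src_ip"), "dest_ip": rec.get("dest_ip")})
    return alerts


def rank_signatures(alerts):
    """Rank signatures by distinct destinations hit, then by total hits.

    One signature firing toward many different destinations is the usual
    fingerprint of a rule killing all outbound traffic rather than catching
    a real attacker."""
    hits, blocked = Counter(), Counter()
    dests, names = defaultdict(set), {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        hits[key] += 1
        blocked[key] += a["action"] == "blocked"
        dests[key].add(a["dest_ip"])
        names[key] = a["signature"]
    rows = [{"gid": g, "sid": s, "signature": names[(g, s)], "hits": hits[(g, s)],
             "blocked": blocked[(g, s)], "distinct_dests": len(dests[(g, s)])}
            for (g, s) in hits]
    rows.sort(key=lambda r: (r["distinct_dests"], r["hits"]), reverse=True)
    return rows


def suppress_lines(alerts, src_ip=None):
    """Draft threshold.config 'suppress' entries for the decoder-event
    signatures seen in the alerts, worst offender first.

    With src_ip given, the entry carries 'track by_src, ip ...' so a checksum
    false positive on the firewall's own traffic does not hide the same
    decoder event for every other host."""
    out = []
    for r in rank_signatures(alerts):
        if r["gid"] != 1 or r["sid"] not in DECODER_SIDS:
            continue
        line = "suppress gen_id %d, sig_id %d" % (r["gid"], r["sid"])
        if src_ip:
            line += ", track by_src, ip %s" % src_ip
        out.extend(["# %s" % r["signature"], line])
    return out


if __name__ == "__main__":
    alerts = parse_eve_alerts(SAMPLE_EVE)
    for r in rank_signatures(alerts):
        print("%(gid)d:%(sid)d hits=%(hits)d blocked=%(blocked)d "
              "distinct_dests=%(distinct_dests)d %(signature)s" % r)
    print("\n".join(suppress_lines(alerts, src_ip="192.168.1.1")))
```

On a pfSense box the real input would be the per-interface eve.json under /var/log/suricata/ (path and EVE logging must be enabled in the interface settings), and the drafted lines are pasted into the suppression list for that interface; review the ranking first rather than suppressing every decoder event blindly, since a decoder event that fires from an outside source can be a real anomaly.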

          I know that the predefined rules generate a lot of alerts, so I disabled them all and created just one custom rule to filter floods by TTL.

          After that I tried to create a "pass" rule for outgoing traffic, but it made no difference.

          I think it is some kind of bug with Suricata or netmap (((

          I have plan to go back to Linux+iptables. It is very easy with iptables to filter traffic by content.

            doktornotor:

            Ditch the inline mode, it's buggy like hell, plus it does not exactly make much difference when it comes to security. Just way more PITA than it's worth ATM.

              padpn:

              I just tested it on a VPS (XenServer 6.5 SP1) and there is no such bug with outgoing traffic.
              All my drop rules work great.

              I will try to reinstall pfSense on my bare-metal server and try Suricata again.

                bmeeks:

                @padpn:

                I just tested it on a VPS (XenServer 6.5 SP1) and there is no such bug with outgoing traffic.
                All my drop rules work great.

                I will try to reinstall pfSense on my bare-metal server and try Suricata again.

                It has been stated many times here.  Inline mode for Suricata depends on Netmap.  Netmap in turn must be supported by the underlying NIC driver.  Only a very few NICs support Netmap at all, and even fewer of those support it perfectly (as in work without any issues).  The Dok is correct that inline mode is still suffering growing pains.  If you have one of the "perfectly supported" NICs and don't use traffic shapers and don't use VLANs, then inline IPS can work great.  There are issues with traffic shapers and VLANs at the moment, though.  I believe the pfSense core team has plans to address those in the near future.  So if you have issues with inline mode, just switch over to Legacy Mode until all the inline problems get sorted out.

                Bill

                  JSONSec:

                  I have the same issue.

                  I hope pfSense 2.4, and therefore the move to FreeBSD 11, will improve Netmap support considerably.

                    pfBasic:

                    I'm using 2.4, it's great and very stable, but no different than 2.3.x as far as this issue goes (in practice at least). Tried it with PRO/1000 and I340, no traffic shaper or VLAN. Still doesn't work yet. Just give it time.

                    As dok stated, security-wise about the only difference is that legacy mode will allow a few packets through before it blocks the IP and kills the state.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.