Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata Blocking issue

    Scheduled Pinned Locked Moved IDS/IPS
    2 Posts 2 Posters 743 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hescominsoon
      last edited by

      I currently run pfsense 2.3.4 under hyper-v.  The issue i am experiencing with suricata is when it gets an alert triggered instead of blocking the host that causes the alert it kills the entire interface.  I have read how inline is a bit buggy…is this another inline bug for suricata?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        @hescominsoon:

        I currently run pfsense 2.3.4 under hyper-v.  The issue i am experiencing with suricata is when it gets an alert triggered instead of blocking the host that causes the alert it kills the entire interface.  I have read how inline is a bit buggy…is this another inline bug for suricata?

        It's not necessarily a Suricata bug.  Inline mode is entirely dependent on Netmap for operation, and Netmap in turn is totally dependent on 100% support from the NIC driver.  There are only a tiny handful of NIC drivers that fully support Netmap on FreeBSD.  From your experience, it seems the Hyper-V NIC drivers are not on that list.  Netmap inserts itself between the NIC and the rest of the operating system.  Nothing moves from the Ethernet wire into pfSense (or from pfSense into the Ethernet wire) without going through the Netmap layer.  The NIC driver has to understand how to talk to Netmap.  Any inconsistencies in how the NIC driver interracts with Netmap will cause problems with Suricata inline mode.

        Bill

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.