Suricata Blocking issue



  • I currently run pfsense 2.3.4 under hyper-v.  The issue I am experiencing with suricata is when it gets an alert triggered, instead of blocking the host that causes the alert, it kills the entire interface.  I have read how inline is a bit buggy…is this another inline bug for suricata?



  • @hescominsoon:

    I currently run pfsense 2.3.4 under hyper-v.  The issue I am experiencing with suricata is when it gets an alert triggered, instead of blocking the host that causes the alert, it kills the entire interface.  I have read how inline is a bit buggy…is this another inline bug for suricata?

    It's not necessarily a Suricata bug.  Inline mode is entirely dependent on Netmap for operation, and Netmap in turn is totally dependent on 100% support from the NIC driver.  There are only a tiny handful of NIC drivers that fully support Netmap on FreeBSD.  From your experience, it seems the Hyper-V NIC drivers are not on that list.  Netmap inserts itself between the NIC and the rest of the operating system.  Nothing moves from the Ethernet wire into pfSense (or from pfSense into the Ethernet wire) without going through the Netmap layer.  The NIC driver has to understand how to talk to Netmap.  Any inconsistencies in how the NIC driver interacts with Netmap will cause problems with Suricata inline mode.

    Bill