4. Suricata inline mode breaking barnyard2

Suricata inline mode breaking barnyard2

  • H

    Howdy, I was experimenting with inline blocking mode and somehow this has managed to break the integration with barnyard2. Now barnyard2 refuses to start with the following error:

    FATAL ERROR: [ParseSidMapLine()], File [/usr/local/etc/suricata/suricata_47561_igb0/sid-msg.map], Error in map definition [1 || 1000001 ||  || NOCLASS || 0 || Pass List Entry - allow all traffic from/to 10.10.10.1/32] for value []

    This does not occur on other interfaces with barnyard2 turned on and seems to be isolated to the WAN interface.

    Any ideas on further troubleshooting or remediation steps? Thanks!

    0
  • H

    So I made some progress on this; the issue is that suricata is not properly generating the passlist rules for sid-msg.map (it's omitting a 'rev' column) which I think is what is tripping up barnyard2.

    I was able to disable/enable blocking to get the passlist entries no longer added to the .map file, but it seems like they get put back in if I switch over to inline.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy