Suricata inline mode, only OpenVPN interface not generating alerts/dropping

  • Hello!

    Thanks in advance for your interest in this topic!

    Suricata 4.0.1 is configured in inline mode on several interfaces… Two simple LAN interfaces, a primary WAN interface and an OpenVPN interface (dual WAN). One of these LANs is using the OpenVPN interface as its gateway.

    What I'm seeing is pattern matching successfully identifying traffic matching Suricata's loaded rules and corresponding alerts generated as well as traffic dropped on all of the interfaces except the OpenVPN interface.

    Up until very recently I had been using Suricata in Legacy mode on all these interfaces and traffic was successfully able to generate block records on each interface including the OpenVPN interface. I arrived at this conclusion by observing that while in Legacy mode and with Suricata monitoring on the OpenVPN interface only, package management activity was detected/blocked originating from my VPN LAN host when checking for updates.

    When I tried changing the Suricata OpenVPN interface configuration to inline mode (along with all the other Suricata-monitored interfaces), the same traffic originating from my VPN LAN host was not blocked. Specifically, attempting to update my VPN LAN host's OS was successful and no alerts were generated. Only when Suricata was configured on the VPN LAN interface (inline mode) was that traffic detected and blocked. I did double-check that there are rules loaded for the OpenVPN interface in Suricata's configuration and that blocking was set up correctly there (again, it's working with the same configuration on other interfaces), so it appears that Suricata cannot perform pattern matching in inline mode on an OpenVPN interface.

    I suspect this issue is related to inline mode having given me grief when active on an OpenVPN interface on previous versions of pfSense/Suricata. In the past this same configuration attempt would result in my WAN IP changing to (down). Now, simply no alerts are generated for Suricata on VPN interfaces. Obviously it works fine in Legacy mode for OpenVPN interfaces, so I'm happy to just use Legacy mode for OpenVPN interfaces if I need to. That said, is there any configuration I'm not considering that would allow Suricata to generate alerts/drop traffic in inline mode on an OpenVPN interface?

    Thanks for your time!
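Added example, not from the thread or the pfSense Suricata package: a small Python check that tallies eve.json events per `in_iface` and reports which interfaces show traffic but no alerts, which is the quickest way to confirm that a given interface (here the OpenVPN one) is genuinely silent rather than logging somewhere unexpected. The interface names `em0`, `em1` and `ovpnc1` and the sample lines are constructed; on pfSense each monitored interface runs its own Suricata instance with its own log directory, so feed it the eve.json lines from every instance you want compared.

```python
import json
from collections import defaultdict

# Constructed eve.json lines (not real logs): two interfaces alerting,
# the assumed OpenVPN client interface ovpnc1 showing traffic but no alerts,
# and one stats record carrying no in_iface at all.
SAMPLE_EVE = """
{"timestamp":"2017-10-01T10:00:01+0000","event_type":"alert","in_iface":"em1","alert":{"action":"blocked","signature":"ET POLICY sample"}}
{"timestamp":"2017-10-01T10:00:02+0000","event_type":"alert","in_iface":"em1","alert":{"action":"allowed","signature":"ET INFO sample"}}
{"timestamp":"2017-10-01T10:00:03+0000","event_type":"alert","in_iface":"em0","alert":{"action":"blocked","signature":"ET POLICY sample"}}
{"timestamp":"2017-10-01T10:00:04+0000","event_type":"flow","in_iface":"ovpnc1","proto":"TCP"}
{"timestamp":"2017-10-01T10:00:05+0000","event_type":"stats","stats":{"uptime":5}}
"""


def tally_by_interface(lines):
    """Return {iface: {"alerts": n, "blocked": n, "other": n}} from eve.json lines.

    Only events that carry an "in_iface" field are attributed to an interface;
    stats and similar interface-less records are ignored. Malformed lines
    (common at the tail of a live log) are skipped rather than aborting.
    """
    counts = defaultdict(lambda: {"alerts": 0, "blocked": 0, "other": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        iface = ev.get("in_iface")
        if iface is None:
            continue
        if ev.get("event_type") == "alert":
            counts[iface]["alerts"] += 1
            if ev.get("alert", {}).get("action") == "blocked":
                counts[iface]["blocked"] += 1
        else:
            counts[iface]["other"] += 1  # flow, http, dns, ... seen on that interface
    return dict(counts)


def silent_interfaces(counts, expected):
    """Interfaces from `expected` that logged no alerts at all (sorted)."""
    return sorted(i for i in expected if counts.get(i, {}).get("alerts", 0) == 0)


if __name__ == "__main__":
    tally = tally_by_interface(SAMPLE_EVE.splitlines())
    for iface, c in sorted(tally.items()):
        print(f"{iface}: alerts={c['alerts']} blocked={c['blocked']} other={c['other']}")
    print("no alerts on:", silent_interfaces(tally, ["em0", "em1", "ovpnc1"]))
```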

  • I have the same problem; I was about to make a post for this when I came across this one. If there's a solution for this, that'd be great; it works fine on every interface except my OpenVPN too.
