4. Suricata IDS/IPS (Inline Mode / Netmap / Error Messages)

Suricata IDS/IPS (Inline Mode / Netmap / Error Messages)

  • K

    Hi all, i'm testing my NIC compatibility with inline mode / netmap, after few testing I ran into problems and receiving all sorts of error messages under different controls of native and emulated adapter mode via "dev.netmap.admode" system tunable.

    I have a PCI-e network adapter installed, it's a "Dell 0HM9JY Intel® 82576 Gigabit ET quad port NIC (Intel PRO/1000 ET)" and I'm having issues with Suricata IDS/IPS while using "inline mode" that utilises netmap, pfsense is running as a guest VM and have another guest VM running Windows OS as a client (to trigger alerts), my host VM is running on a Windows OS (i'm just testing inline mode before deploying it).

    On my guest VM pfsense I have two network adapters - WAN is bridged and LAN is on a 'LAN Segment', the other guest VM on Windows OS has a single adapter connected to the 'LAN Segment'.

    On pfsense I have turned off 'hardware-based checksums', 'TCP segmentation offloading' and 'large receive off-loading', I've created and selected 'dropsid.conf' on drop sid list.

    I receive different error messages when i change "dev.netmap.admode" system tunable and reboot pfsense as shown in the images below:

    dev.netmap.admode=0

    dev.netmap.admode=1

    dev.netmap.admode=2

    I read that when you increase "dev.netmap.buf_size" from 2048 to 4096 pfsense stops receiving those error messages, although I'm not sure if that would break something else while fixing another thing.

    I don't know how to get inline-mode working properly with the NIC I have on a VM (vmware).

    After looking through the forums and a bit of googling, it seems like others are also receiving similar issues using Suricata on inline mode, they use the following network adapters:
    Intel i340, i350/v2, i210, i211, i217 ,i219, PRO/1000, 82575/82576/82579/82580 and Realtek RTL8168B.

    I also read that PRO/10GbE adapters work with inline netmap but have massive throughput decrease.

    edit #1: I have modified the guest VM (pfsense) and increase the RAM from 2048 to 6144, I've added the following tunables:
    dev.netmap.admode=0
    dev.netmap.buf_size=4096

    now i'm getting the following messages on pfsense:

    edit #2: I found a pattern on the client causing the error messages on pfsense. I'm still using inline mode, I was able to replicate the errors by doing a few speed test via speedtest.net.
    Tunables are still set to:
    dev.netmap.admode=0
    dev.netmap.buf_size=4096

    The error messages I receive on pfsense:

    WAN Alerts

    LAN Alerts

    0

  • The only issue I have had is the netmap_grab_packets and the only adjustment I have done is the potential solution that you have read which has been running smoothly except for the one encounter mentioned. Of course, mine wasn't a VM. I will update my thread later this week. I would not mess with dev.netmap.admode nor try to "tune" the NIC…I have found that the tuning made things only worst. Be also sure to disable the items recommended in System > Advanced > Networking.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy