Netgate Discussion Forum

    Alert [SURICATA IPv4 padding required] - Blocks Hosts - Unable to stop

    • pcm

      Hello,

      I'm currently using the following pfSense release:

      pfSense: 2.4.3-RELEASE (amd64)
      Suricata: 4.0.4
      On an Asus P10S-I motherboard, which has 2 x Intel® I210AT NICs.

      The WAN (Outside) interface is connected to an upstream router. Not sure if it is of importance, but the pfSense "Outside" interface uses private RFC1918 addressing.

      The pfSense routing function works fine. However, I want to improve security and therefore installed Suricata on the WAN (outside) interface.

      However, since doing this, I get the following alert generated numerous times:

      Proto   Class                             GID:SID     Description
      IGMP    Generic Protocol Command Decode   1:2200007   SURICATA IPv4 padding required

      This alert blocks multiple hosts, which is detrimental to my traffic flows.

      I've tried adding the SID [2700007] to the 'disablesid.conf' and applied within "SIG Mgmt". However, it doesn't appear to take effect. The alert / block is still persistent.

      I've also disabled the particular rule within the GUI (under Outside interface, within OUTSI rules). Again no success. It still keeps alerting/blocking.

      I've also applied to the suppress list for the 'Outside' interface, for example:
      suppress gen_id 1, sig_id 2200007
      But this still doesn't stop the alert / block.

      I've run out of ideas. Does anyone know what invokes this alert, how may I stop it, or disable it?
      Basically, this alert/block makes my pfSense router unusable with Suricata activated.

      Kind regards.
      Peter.

      • NollipfSense

        I get them also; however, in my case though, my neighbor and I share the Internet so I ignore them because it's my neighbor's devices. It seems that your situation is similar to mine based on your WAN using RFC1918.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.
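
Added example (not part of the thread, and not pfSense or Suricata package code): a small Python check that takes the GID:SID from an alert row and reports which entries in a disable-SID list and in a suppress list name exactly that pair. The sample inputs are constructed from the values quoted in the first post; the `gid:sid`, range and comma-separated entry forms, and treating a bare SID as GID 1, are assumptions about the list format.

```python
import re

# Constructed samples built from the values quoted in the first post.
DISABLESID_CONF = "# SID Mgmt disable list (constructed sample)\n2700007\n"
SUPPRESS_LIST = "suppress gen_id 1, sig_id 2200007\n"

ENTRY_RE = re.compile(r"(\d+:)?\d+(-(\d+:)?\d+)?")
SUPPRESS_RE = re.compile(r"\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")

def parse_pair(token):
    """'1:2200007' -> (1, 2200007). Assumption: a bare SID means GID 1."""
    gid, _, sid = token.strip().rpartition(":")
    return int(gid or 1), int(sid)

def disablesid_hits(conf, alert):
    """Entries (single IDs or lo-hi ranges) that cover the alert's GID:SID."""
    hits = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]           # drop trailing comments
        for token in (t.strip() for t in line.split(",")):
            if not ENTRY_RE.fullmatch(token):
                continue                        # category/pcre entries: not checked here
            lo, _, hi = token.partition("-")
            (lo_gid, lo_sid), (hi_gid, hi_sid) = parse_pair(lo), parse_pair(hi or lo)
            if lo_gid == hi_gid == alert[0] and lo_sid <= alert[1] <= hi_sid:
                hits.append(token)
    return hits

def suppress_hits(text, alert):
    """Suppress lines whose gen_id/sig_id equal the alert's GID:SID."""
    hits = []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m and (int(m[1]), int(m[2])) == alert:
            hits.append(line.strip())
    return hits

def audit(alert_id, disablesid, suppress):
    """Map each list name to the entries that name the alert's GID:SID."""
    alert = parse_pair(alert_id)
    return {"disablesid": disablesid_hits(disablesid, alert),
            "suppress": suppress_hits(suppress, alert)}

if __name__ == "__main__":
    for name, hits in audit("1:2200007", DISABLESID_CONF, SUPPRESS_LIST).items():
        print(f"{name}: {hits or 'no entry names 1:2200007'}")
```

A hit only shows that an entry names the alert's GID:SID; whether the running interface has loaded that entry is a separate check.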

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.