Alert [SURICATA IPv4 padding required] - Blocks Hosts - Unable to stop

  • Hello,

    I'm currently using the following pfSense release:

    pfSense: 2.4.3-RELEASE (amd64)
    Suricata: 4.0.4
    On an Asus P10S-I motherboard, which has 2 x Intel® I210AT NICs.

The WAN (Outside) interface is connected to an upstream router. Not sure if it is of importance, but the pfSense "Outside" interface uses private RFC1918 addressing.

The pfSense routing function works fine. However, I want to improve security and therefore installed Suricata on the WAN (outside) interface.

    However, since doing this, I get the following alert generated numerous times:

    Proto   Class                             GID:SID     Description
    IGMP    Generic Protocol Command Decode   1:2200007   SURICATA IPv4 padding required

    This alert blocks multiple hosts, which is detrimental to my traffic flows.

    I've tried adding the SID [2700007] to the 'disablesid.conf' and applied within "SIG Mgmt". However, it doesn't appear to take effect. The alert / block is still persistent.

    I've also disabled the particular rule within the GUI (under Outside interface, within OUTSI rules). Again no success. It still keeps alerting/blocking.

I've also added it to the suppress list for the 'Outside' interface, for example:
    suppress gen_id 1, sig_id 2200007
    But this still doesn't stop the alert / block.

    I've run out of ideas. Does anyone know what invokes this alert, how may I stop it, or disable it?
    Basically, this alert/block makes my pfSense router unusable with Suricata activated.

    Kind regards.
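The post above tries three places to silence one SID: the disablesid.conf list, the per-interface rule toggle, and the suppress list. Before chasing the package further it helps to confirm that each of those places actually names the same GID:SID that the alert reports (1:2200007 in the table above). The following script is an added example, not part of the forum thread or of the pfSense Suricata package: it parses small constructed samples of a rules file, a disablesid.conf and a threshold/suppress file, and reports for a given GID:SID whether the rule is present, whether it is enabled (not commented out), whether it appears in disablesid.conf, and whether a matching suppress line exists. The rule line is modelled on Suricata's decoder-events.rules, the disablesid syntax is assumed to be the simple `gid:sid` one-per-line form, and the sample disablesid entry is deliberately a non-matching SID so the output shows what a mismatch looks like. File locations are not included, since the per-interface directory layout is not on the page.

```python
import re

# Constructed sample inputs (not taken from the post). The rule line is modelled
# on Suricata's decoder-events.rules; the SID is the one shown in the alert table.
RULES = """\
alert pkthdr any any -> any any (msg:"SURICATA IPv4 padding required"; decode-event:ipv4.opt_pad_required; classtype:protocol-command-decode; sid:2200007; rev:2;)
# alert pkthdr any any -> any any (msg:"SURICATA IPv4 option invalid"; decode-event:ipv4.opt_invalid; classtype:protocol-command-decode; sid:2200005; rev:2;)
"""

# Assumed simplified disablesid.conf format: one gid:sid (or bare sid) per line.
# The entry is constructed to NOT match the alert, to show the mismatch report.
DISABLESID = """\
# disabled signatures
1:2700007
"""

# Suricata threshold.config syntax, as quoted in the post.
THRESHOLD = """\
suppress gen_id 1, sig_id 2200007
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.I)


def parse_rules(text):
    """Map (gid, sid) -> enabled. A leading '#' means the rule is disabled.
    Rules without an explicit gid keyword default to gid 1, as in Suricata."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        enabled = not s.startswith("#")
        body = s.lstrip("#").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # comment or blank, not a rule
        g = GID_RE.search(body)
        gid = int(g.group(1)) if g else 1
        out[(gid, int(m.group(1)))] = enabled
    return out


def parse_disablesid(text):
    """Set of (gid, sid) listed in a disablesid.conf-style file."""
    ids = set()
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()  # strip trailing comments
        if not s:
            continue
        if ":" in s:
            gid, sid = s.split(":", 1)
            ids.add((int(gid), int(sid)))
        else:
            ids.add((1, int(s)))
    return ids


def parse_suppress(text):
    """Set of (gen_id, sig_id) pairs covered by 'suppress' lines."""
    return {
        (int(m.group(1)), int(m.group(2)))
        for m in (SUPPRESS_RE.match(l) for l in text.splitlines())
        if m
    }


def check(gid, sid, rules=RULES, disablesid=DISABLESID, threshold=THRESHOLD):
    """Report, for one GID:SID, where it is (and is not) switched off."""
    key = (gid, sid)
    state = parse_rules(rules).get(key)
    return {
        "rule_present": state is not None,
        "rule_enabled": bool(state),
        "in_disablesid": key in parse_disablesid(disablesid),
        "suppressed": key in parse_suppress(threshold),
    }


if __name__ == "__main__":
    for gid, sid in [(1, 2200007), (1, 2200005)]:
        print(f"{gid}:{sid} -> {check(gid, sid)}")
```

Run against the real files, the useful outcome is a line where `rule_enabled` is True and `in_disablesid` is False for the SID the alert reports: that points at the list entry rather than at Suricata itself. If every field already says the rule is off or suppressed and the alert still fires, the next thing to verify is that the running instance was actually restarted with the regenerated files.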

  • I get them also; however, in my case though, my neighbor and I share the Internet so I ignore them because it's my neighbor's devices. It seems that your situation is similar to mine based on your WAN using RFC1918.
