Suricata not respecting disabled promiscuous mode on LAN interface - Still seeing VLAN traffic
-
I've been running Suricata for a while now without issue, but I'd like to have it separated for each VLAN so that I can customize rules. That's a preference. My main objective is to have a DMZ interface that avoids Suricata entirely.
I've been running Suricata on my LAN interface and it inspects all traffic. From what I've read, I thought I should be able to set up Suricata on each interface I wish to inspect, and disable promiscuous mode. That way, I can leave the DMZ VLAN out entirely.
I did this, however, the LAN interface is still picking up traffic from all VLAN's. It is a physical trunk port, so I'm guessing that could be related. I'm using legacy mode. Does anyone have any suggestions on how to either:
-
Have Suricata run on the LAN interface without inspecting VLAN traffic
-
Have Suricata disregard a host or subnet entirely?
Thanks
-
-
Are you restarting Suricata on the interfaces after making changes? When you make changes on the INTERFACE SETTINGS tab, they are not dynamic. You need to save the change, then go to the INTERFACES tab and restart Suricata on the interface to activate the change.
However, it is normal to see all VLAN traffic when you run Suricata on the parent interface of VLANs. That's because all of that traffic is going across the parent's physical interface.
-
Yep, I'm definitely restarting. If that is expected behavior, then what is the purpose of promiscuous mode? Any way to avoid this behavior? Thanks
-
I'm a bit confused, inline mode?
-
@sef1414 said in Suricata not respecting disabled promiscuous mode on LAN interface - Still seeing VLAN traffic:
then what is the purpose of promiscuous mode?
To pass traffic that is not specific to that interfaces mac, that is sees.. In non promiscuous mode the nic will normally just drop traffic that is not sent to its mac, or that is not broadcast or multicast..
vlan traffic is sent to the parent interfaces mac..
-
@johnpoz Thanks for the clarification. Is there a recommended method for getting specific traffic to bypass inspection? I think pass rules will work for specified hosts / subnets, but I'd prefer to not even have that traffic inspected in the first place. It seems like that would cause increased workload and perhaps increased latency.
-
@sef1414 said in Suricata not respecting disabled promiscuous mode on LAN interface - Still seeing VLAN traffic:
@johnpoz Thanks for the clarification. Is there a recommended method for getting specific traffic to bypass inspection? I think pass rules will work for specified hosts / subnets, but I'd prefer to not even have that traffic inspected in the first place. It seems like that would cause increased workload and perhaps increased latency.
I'll answer for John since I am the creator of the Suricata package on pfSense. The short answer is a Pass Rule defined in "Custom Rules" is the method to bypass inspection for an IP or an entire subnet. The pass rules are the very first rules checked, and a match there immediately terminates further inspection for that packet.
The other method is to just not put a Suricata instance on the interface. VLANs are a special case because of the parent-child relationship. So if you have Suricata instances on the VLANs, and on the parent interface, you will inspect the traffic multiple times.
In your case, unless the rules are really different, I would put Suricata on the parent interface (LAN in your setup) and call it a day. Sure you will be inspecting DMZ traffic as well, but the performance penalty is not really that great unless we are talking near wirespeed traffic on a Gigabit interface.
-
@bmeeks Awesome. Thanks for the answer, and thanks for the package. That makes sense. I'll just revert back to using only the LAN interface and input a bypass rule for the DMZ subnet.