Suricata pass list ignored
-
@bmeeks What about putting some debug outputs around this in one of the future versions? We could then see if the radix tree match is unsuccessful or if it is working and it is a threading problem.
-
@j-koopmann said in Suricata pass list ignored:
@bmeeks What about putting some debug outputs around this in one of the future versions? We could then see if the radix tree match is unsuccessful or if it is working and it is a threading problem.
That is an idea for the future. I am hopeful the move to iflib in FreeBSD 12, and some coming improvements to netmap support in Suricata, will lead to the custom Legacy Blocking Mode module used on pfSense being abandoned. It is not an ideal solution. It's too big of a hammer to block all traffic from a host because of a single alert. Better to use the Inline IPS Mode and just selectively drop bad packets instead of completely blocking the host IP.

Before the move to the iflib wrapper for NIC drivers in FreeBSD 12, your particular NIC hardware driver had to be patched to support netmap operation (and thus support inline IPS mode in Suricata). That limited the configurations where you could use netmap. Now, iflib wraps the netmap support up natively in FreeBSD and relieves the NIC driver from having to worry about it. There are perhaps still a few rough patches with iflib and netmap, but those should get smoothed out in future FreeBSD updates. But over time I'm hopeful that netmap and Inline IPS Mode will become how you "block" in Suricata. And the Legacy Blocking Mode and its custom module will disappear.
-
Here is the Redmine link:
https://redmine.pfsense.org/issues/12899
-
This post is deleted!
-
@wexi Not sure it is the same problem. The pass list IS being obeyed. It is just that it seems to only handle IP addresses and not ranges (or at least in some circumstances). I fail to see how your post is related.
Are you having the range problem as well?
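The thread above is about a pass list whose single-address entries are honored while CIDR range entries appear not to be. The following is an added reference example, not the pfSense blocking module's code, showing how a pass list that mixes hosts and ranges is expected to behave: each entry becomes a prefix, lookups pick the longest matching prefix (the behavior a radix tree gives), and the helper reports which entry covered an alert source. Running your own pass list entries and the alerting IPs through it tells you whether an address should have been passed under the intended semantics, which helps separate a malformed entry from a real matching bug before filing or updating the Redmine issue. The pass-list entries and alert addresses are constructed for the example.

```python
import ipaddress

# Constructed pass list in the style of a Suricata pass list on pfSense:
# single hosts plus CIDR ranges (values made up for this example).
PASS_LIST = [
    "192.0.2.10",          # single IPv4 host
    "192.0.2.0/24",        # IPv4 range containing the host above
    "198.51.100.128/25",   # upper half of a /24 only
    "2001:db8::/32",       # IPv6 range
]

# Constructed alert source addresses to check against the pass list.
ALERT_SOURCES = [
    "192.0.2.10",
    "192.0.2.200",
    "198.51.100.5",
    "198.51.100.200",
    "2001:db8:1::1",
    "203.0.113.7",
]


def build_pass_list(entries):
    """Parse entries into network prefixes.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) prefix; strict=False
    normalizes an entry with host bits set (e.g. 192.0.2.10/24) to its
    network address instead of rejecting it, which is what a user typically
    intends when typing a range into a pass list.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def longest_match(ip, nets):
    """Return the most specific pass-list prefix containing ip, or None.

    This is the longest-prefix lookup a radix tree performs: among all
    prefixes that contain the address, the one with the longest prefix
    length wins. Address families are never mixed.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net in nets:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best = net
    return best


def is_passed(ip, nets):
    """True when the pass list covers ip, regardless of whether it matched
    a single-host entry or a range."""
    return longest_match(ip, nets) is not None


def audit(alert_ips, entries):
    """Map each alert source to the pass-list entry that covers it (as a
    string) or to None when it would fall through to blocking."""
    nets = build_pass_list(entries)
    result = {}
    for ip in alert_ips:
        match = longest_match(ip, nets)
        result[ip] = str(match) if match is not None else None
    return result


if __name__ == "__main__":
    for ip, covered_by in audit(ALERT_SOURCES, PASS_LIST).items():
        verdict = "pass (%s)" % covered_by if covered_by else "block"
        print("%-18s -> %s" % (ip, verdict))
```

If an address this helper reports as covered by a range entry is still being blocked by the module while addresses matching single-host entries are passed, that reproduces the symptom described in this thread; if the helper reports no coverage, the entry itself is the problem.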