Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata behind HA Proxy - Only run in IDS mode

    Scheduled Pinned Locked Moved IDS/IPS
    11 Posts 2 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by michmoor

      Greetings,
      Just want to confirm my set up here.
      I have an interface that is my DMZ that HA proxy will initiate traffic towards for from Internet-bound IPs.

      Most of the backend communications is on port 80,. Is this is the logical place to have suricata running? I believe it is as i cant put Suricata anywhere else as it will be all TLS flows.
      This brings up two issues.

      1. The source IP of any traffic will be the firewall itself (HA Proxy).
      2. I cant run Suricata in IPS mode as any block will block traffic from the firewall itself. Am I really limited to IDS mode if i run it behind HA Proxy?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      bmeeksB 1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks @michmoor
        last edited by

        @michmoor said in Suricata behind HA Proxy - Only run in IDS mode:

        I cant run Suricata in IPS mode as any block will block traffic from the firewall itself. Am I really limited to IDS mode if i run it behind HA Proxy?

        If you use inline IPS mode, then you should be okay as that mode does not block an entire IP address. It simply drops particular offending traffic flows (but not every flow on the interface). Inline IPS mode does not block by blocking an IP address -- only Legacy Mode does that.

        If you are forced to use Legacy Mode due to some other dependency, then it is true that IDS mode is what you need (then with no ability to block traffic).

        M 1 Reply Last reply Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @bmeeks
          last edited by

          @bmeeks
          I should mention this is a trunk port
          So it looks like this

          igc2.14
          

          I can still run INLINE, right? I know there was some issue about sub-interfaces and it not being a real interface.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @michmoor
            last edited by

            @michmoor said in Suricata behind HA Proxy - Only run in IDS mode:

            @bmeeks
            I should mention this is a trunk port
            So it looks like this

            igc2.14
            

            I can still run INLINE, right? I know there was some issue about sub-interfaces and it not being a real interface.

            The GUI code will work under the cover to run Suricata on the parent interface instead of the VLAN. VLANs are not well supported with netmap. There is also an issue with how netmap parses VLAN interface names in FreeBSD, so if a true VLAN interface is passed to netmap it will throw a syntax error on the name and bail out. A fix has been submitted upstream for that, but I'm not sure that fix has migrated into pfSense yet.

            You can try to see if it works. Worst that can happen is it won't work at all (as in Suricata won't start up).

            M 1 Reply Last reply Reply Quote 0
            • M
              michmoor LAYER 8 Rebel Alliance @bmeeks
              last edited by michmoor

              @bmeeks
              I'll take the win when i can. Rule reload complete. So far its enabled on a sub-interface.

              So to confirm, Suricata is running on the parent interface?
              Suricata is looking specifically at flows matching that interface or ALL flows on the parent. Confused on what will actually trigger.

              I am using SID Mgmt to manage the categories. I noticed that they are set to drop as that's what i want but under the Categories list they are just checked off.
              For example,: attack_response rules don't show that its enabled by SID mgmt conf files.

              Maybe just GUI representation. But the rules are set to drop so that's good.

              058ab08f-41ab-4138-acc6-8b76343a7f4d-image.png

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              bmeeksB 2 Replies Last reply Reply Quote 0
              • bmeeksB
                bmeeks @michmoor
                last edited by

                @michmoor said in Suricata behind HA Proxy - Only run in IDS mode:

                ALL flows on the parent.

                Suricata by default puts the monitored interface in promiscuous mode, so it is seeing every packet that hits the interface.

                But how the enabled rules actually respond to that traffic is controlled by the content of the $HOME_NET and $EXTERNAL_NET variables. Most rules use those two variables along with a direction operator to put conditions around when they trigger. The IP addresses in those variables will be pulled from how the VLAN interface is configured in pfSense.

                1 Reply Last reply Reply Quote 1
                • bmeeksB
                  bmeeks @michmoor
                  last edited by bmeeks

                  @michmoor said in Suricata behind HA Proxy - Only run in IDS mode:

                  Maybe just GUI representation. But the rules are set to drop so that's good.

                  You can always see the actual rules' text by going to the RULES tab and selecting Active Rules in the Category drop-down selector. If you have lots of enabled rules, it will take several seconds for the rules to fully populate on the screen. Then you can click on any individual rule and view the literal text for that rule in Suricata.

                  M 1 Reply Last reply Reply Quote 0
                  • M
                    michmoor LAYER 8 Rebel Alliance @bmeeks
                    last edited by

                    @bmeeks
                    ahh spoke to soon. Starting to error out.

                    Based on your previous warning this is probably expected. I will have to operate on IDS mode for now.

                    Mar 26 17:01:58 GAFW kernel: 918.125691 [1843] netmap_ring_reinit        called for igc2 RX2
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359760] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW kernel: 918.140234 [1843] netmap_ring_reinit        called for igc2 RX0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359812] <Error> -- igc2^: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW kernel: 84 rh 210 rc 210 rt 184 hc 183 ht 184
                    Mar 26 17:01:58 GAFW kernel: 918.150166 [1843] netmap_ring_reinit        called for igc2 RX6
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW kernel: 918.172061 [1843] netmap_ring_reinit        called for igc2 RX0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW kernel: 918.191211 [1843] netmap_ring_reinit        called for igc2 RX0
                    Mar 26 17:01:58 GAFW suricata[55451]: [358283] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[55451]: [358283] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW php-fpm[1922]: /rc.newwanip: Removing static route for monitor 8.8.8.8 and adding a new route through 104.13.92.1
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW php-fpm[1922]: /rc.newwanip: Removing static route for monitor 8.8.4.4 and adding a new route through 10.2.0.1
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[55451]: [358283] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW kernel: 918.310742 [1803] nm_rxsync_prologue        igc2 RX0: fail 'head < kring->nr_hwcur && head > kring->nr_hwtail' h 455 c 455 t 451 rh 455 rc 455 rt 451 hc 590 ht 451
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359719] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW arpwatch[27291]: b0:09:da:27:8a:5d sent packet not ETHERTYPE_IP (0x4c5)
                    Mar 26 17:01:58 GAFW suricata[55451]: [358302] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[55451]: [358302] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW suricata[8453]: [359742] <Error> -- igc2: error reading netmap data via polling: No error: 0
                    Mar 26 17:01:58 GAFW kernel: 918.863809 [1803] nm_rxsync_prologue        igc2 RX1: fail 'head < kring->nr_hwcur && head > kring->nr_hwtail' h 665 c 665 t 664 rh 665 rc 665 rt 664 hc 686 ht 664
                    
                    

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by bmeeks

                      As I mentioned, the netmap device and VLANs really do not like each other 🙂.

                      Inline IPS Mode should really only be used with true native physical interfaces (no VLANs, no Bridges, and no LAGGs).

                      If you have enough physical interfaces on your firewall box, why use a VLAN in the first place? Just install a dedicated switch for the DMZ and connect it directly to a physically-mapped interface on pfSense.

                      It seems folks today want to immediately implement VLANs, but that brings a level of complexity into the design as well as potentially causing compatibility issues (the netmap and inline IPS mode incompatibility being one example). Often simply using a separate switch and a dedicated physical interface on the firewall can work just fine (and be quite a bit simpler to implement and maintain).

                      M 2 Replies Last reply Reply Quote 0
                      • M
                        michmoor LAYER 8 Rebel Alliance @bmeeks
                        last edited by

                        @bmeeks said in Suricata behind HA Proxy - Only run in IDS mode:

                        Often simply using a separate switch and a dedicated physical interface on the firewall can work just fine (and be quite a bit simpler to implement and maintain).

                        For sure in much smaller environments especially one that i am working on right now. I have a 6100 so i do have a spare interface.
                        But its not uncommon to have a single interface trunking multiple zones. Company i work for now has multiple DMZ zones off a parent interface. Sometimes design dictates choices.

                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP,CCNP Enterprise

                        1 Reply Last reply Reply Quote 0
                        • M
                          michmoor LAYER 8 Rebel Alliance @bmeeks
                          last edited by

                          @bmeeks
                          I really appreciate your help with answer my questions yesterday.

                          Had to change a few backend services to listen on port 80 or another custom port (if its docker) that still sends data in the clear; in my case port 5100

                          So to answer anyone else's questions that stumble upon this post.

                          1. Have Suricata listen in on the backend communications where the servers are located and make sure that backend communication is in clear text and not https. Some folks like to enable https on the backend as well but then you hurt your IDS chances of scanning payloads and alerting.

                          2. As of now netmap only works on physical interfaces - no vlans. no trunking. I ended up breaking traffic flow to my DMZ segment yesterday due to netmap errors.

                          Firewall: NetGate,Palo Alto-VM,Juniper SRX
                          Routing: Juniper, Arista, Cisco
                          Switching: Juniper, Arista, Cisco
                          Wireless: Unifi, Aruba IAP
                          JNCIP,CCNP Enterprise

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.