Suricata & PPPoE Interfaces - Bug Reported to Openinfosecfoundation.org



  • I'm fairly new to pfSense and was attracted to it because of its ability to allow relatively easy administration of Snort/Suricata type IDS/IPS.  I was going to try Suricata but my WAN interface uses PPPoE.  I have seen a few people that have had issues with PPPoE not working and some discussion that it was a problem with the Suricata binary.  I spent a bit of time looking through the Openinfosecfoundation.org Issues database and couldn't find where anyone had actually reported it as a bug.

    Last night I submitted a bug report:

    https://redmine.openinfosecfoundation.org/issues/1445

    Will let you know if/when it gets fixed.

    Greg





  • Indeed it is and that's why I have logged an official bug report.  Openinfosecfoundation.org is the Suricata developer.  While there has been a lot of discussion here, no one seems to have logged it with them.  Within 24 hours of logging the bug they have already generated a patch and I am working with @BMeeks to test it.  Hopefully have some more news in the next few days.



  • A patch was submitted to Github.  Unfortunately it was for the 2.1-BETA code base and not the 2.0.x production tree of Suricata we use in pfSense.  That will slow down my getting something ready for @gsiemon to test for me.  I will get it done, though.  I know a lot of folks want PPPoE support in Suricata.

    Bill



  • Here a PPPoE user too. When can the general public use it?

    Best regards and thanks for testing.



  • @bmeeks:

    A patch was submitted to Github.  Unfortunately it was for the 2.1-BETA code base and not the 2.0.x production tree of Suricata we use in pfSense.  That will slow down my getting something ready for @gsiemon to test for me.  I will get it done, though.  I know a lot of folks want PPPoE support in Suricata.

    Bill

    Count me in!  I too am very much interested in getting an updated 2.0.x Suricata pfSense package with that PPPoE fix, without waiting for Suricata 2.1 to get out of beta and later for pfSense to re-upgrade to that one.



  • I have the patch back ported to the 2.0.x branch and tested.  I will post it soon for the pfSense Team to review and hopefully approve.  I have been waiting and waiting and waiting for the FreeBSD Port to update to version 2.0.7 of Suricata, but that has still not happened.

    Bill



  • Thanks a lot Bill for your efforts.

    Olivier



  • The pfSense Team is helping push the PPPoE patch for Suricata into the FreeBSD ports tree.  I have been swapping a few e-mails with the required FreeBSD parties to see what we can shake loose.  So be patient a bit longer.  The ideal solution is for the patch to be in FreeBSD ports and then pfSense can just pull from there.  We all like to keep the binary packages on pfSense as close to "pure" with respect to the FreeBSD ports tree as possible.

    Bill



  • Thanks! Excited to go live with Suricata :D and PPPoE.



  • Hi All,

    pfSense is saying --> New version 2.1.4 but still loads 2.06.

    When can we expect the fixed PPPoE?

    Thx all!



  • @mauritsl:

    Hi All,

    pfSense is saying --> New version 2.1.4 but still loads 2.06.

    When can we expect the fixed PPPoE?

    Thx all!

    We are waiting for the FreeBSD port maintainer to update the Suricata port.  That was supposed to happen last week, but obviously did not.  The pfSense Team is making some other housekeeping changes to packages getting ready to move from PBIs to pkg-ng.  Those changes are likely what is prompting the "new" versions showing up.  They are not really "new".

    Bill



  • Thx Bill for the fast response and work.



  • The Pull Request to post the updated Suricata code has been submitted.  Here is a link for those that want to track the progress:  https://github.com/pfsense/pfsense-packages/pull/875.  Once approved by the pfSense Team and merged, the update will appear as Suricata v2.1.5.  The underlying binary will be version 2.0.8, and it will support PPPoE connections on pfSense.

    Bill



  • For the PPPoE it looks OK now, so I am/we are one step in the right direction :)

    14/5/2015 -- 21:44:52 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    14/5/2015 -- 21:44:52 - <info>-- Found an MTU of 1492 for 'pppoe0'
    14/5/2015 -- 21:44:52 - <info>-- Set snaplen to 1508 for 'pppoe0'

    Now I get the following:

    14/5/2015 -- 21:44:52 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/5/2015 -- 21:44:52 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed

    What can this mean?

    Thx for all your support



  • @mauritsl:

    For the PPPoE it looks OK now, so I am/we are one step in the right direction :)

    14/5/2015 -- 21:44:52 - <info>-- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
    14/5/2015 -- 21:44:52 - <info>-- Found an MTU of 1492 for 'pppoe0'
    14/5/2015 -- 21:44:52 - <info>-- Set snaplen to 1508 for 'pppoe0'

    Now I get the following:

    14/5/2015 -- 21:44:52 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
    14/5/2015 -- 21:44:52 - <error>-- [ERRCODE: SC_ERR_POOL_INIT(66)] - pool grow failed

    What can this mean?

    Thx for all your support

    Don't know for sure, but offhand, based on the error code text, I would say it's some kind of memory allocation error.

    Bill



  • See https://forum.pfsense.org/index.php?topic=93926.msg521328#msg521328

    Increasing the 'Stream Memory Cap' value or decreasing the number of Preallocated sessions will solve it.

    André



  • I changed the default 32mb stream memory cap to a little bit more and that resolved the problem.



  • Works perfectly now; had to put a little over 64mb to make it work.
    Thx all for the fast responses. Have a nice weekend!



  • Where do you change this value on version 3.0_7 available on pfSense 2.3_1?



  • Same place as it always was.

    Interface -> <if>Flow/Stream

    Subheader "Stream Engine Settings"

    /AV