Suricata true inline IPS mode coming with pfSense 2.3 – here is a preview
-
Last question, it appears that Snort is still not capable of inline mode (with pfSense), true?
-
Good day.
pfSense 2.3.4-RELEASE-p1 (amd64) FreeBSD 10.3-RELEASE-p19
I have an I350-T4 network card installed.
As I understand it, the drivers for this network card do not support Netmap (at least in the current pfSense release), because when I switch to inline mode, I stop seeing alerts?!
Sorry for my bad English.
-
> Last question, it appears that Snort is still not capable of inline mode (with pfSense), true?

Correct, Snort cannot do inline IPS mode on pfSense. Snort implements Netmap, but only through its DAQ module. And the way DAQ implements it is quite different from the way Suricata does. Snort's DAQ requires you to actually dedicate two real network interfaces to the Netmap tunnel. One is "IN" and the other is "OUT". The DAQ takes incoming traffic on the IN and sends it to Snort. Snort either drops it if bad, or sends it back to DAQ if OK. DAQ then sends what it gets from Snort out the OUT interface. It is meant to really run as a completely separate appliance sitting in series with the protected networks. You can't route any traffic between the interfaces either. They are just two ends of the same pipe in a manner of speaking.
Suricata implements Netmap natively (without needing DAQ), and does so in a manner more conducive to IPS mode operation within a firewall. You don't have to use two real interfaces. You specify the real interface where you want Netmap to operate, and then to connect to the OS kernel stack you specify the same interface name but with a plus ("+") at the end. Suricata's Netmap can insert itself between the kernel stack and the NIC driver. Snort's DAQ can't do this.
Bill
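The interface pairing Bill describes, written out as the `netmap:` section of suricata.yaml. This is an added illustration, not the configuration the pfSense Suricata package generates; the interface name igb0 (the FreeBSD igb driver used by the I350) is an assumption, and the "+" suffix is Suricata's name for the host-stack side of the same NIC.

```yaml
netmap:
  # Real NIC side: frames arriving on igb0 are inspected by Suricata and,
  # unless a drop rule matches, copied to the host-stack endpoint igb0+.
  - interface: igb0
    copy-iface: igb0+
    copy-mode: ips        # "ips" drops what matches drop rules; "tap" only copies
    threads: auto
    disable-promisc: no
    checksum-checks: auto
  # Host-stack side ("+" suffix): what the kernel sends out via igb0 is
  # inspected the same way and, if it passes, copied back to the real NIC.
  - interface: igb0+
    copy-iface: igb0
    copy-mode: ips
    threads: auto
    disable-promisc: no
    checksum-checks: auto
```

Suricata is then started with `--netmap`; because it now sits between the driver and the kernel stack, a Netmap-incapable driver stops traffic rather than just missing alerts, which is the failure mode the later posts in this thread describe.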
-
> Good day.
> pfSense 2.3.4-RELEASE-p1 (amd64) FreeBSD 10.3-RELEASE-p19
> I have an I350-T4 network card installed.
> As I understand it, the drivers for this network card do not support Netmap (at least in the current pfSense release), because when I switch to inline mode, I stop seeing alerts?!
> Sorry for my bad English.

Probably true. I don't have a list of exactly which drivers fully support Netmap. I know there are several out there that work great, and some that work in a buggy fashion, and then some that don't work at all. If you have trouble with Inline IPS mode in Suricata with your NIC hardware, you either have to change the NIC to one that is supported or switch to Legacy Mode blocking and abandon Inline IPS.
You could try posting an open question to Suricata users here on the forum to see who is successfully using Inline IPS mode and with which type of network card.
Bill
-
Well, thanks for the answer!
I would like to know whether the latest drivers for my network card are in pfSense; maybe they can be updated, or can be upgraded in version 2.4 with another FreeBSD core?!
-
> Well, thanks for the answer!
> I would like to know whether the latest drivers for my network card are in pfSense; maybe they can be updated, or can be upgraded in version 2.4 with another FreeBSD core?!

pfSense uses whatever is in FreeBSD upstream. They do not create their own network drivers. pfSense 2.3.4 is based on FreeBSD 10.3-RELEASE. The pfSense 2.4-DEV tree is based on FreeBSD 11, so it is likely to contain more up-to-date network drivers. Which pfSense version are you running? You could give 2.4-DEV a try if you want to. Perhaps it has drivers for your hardware that support Netmap.
Bill
-
Good day.
Maybe you guys can help or give some advice.
I have a NetXtreme BCM5720 Gigabit Ethernet PCIe, and inline mode works. But from time to time it starts to drop traffic on either the internal or the external interface.
In the logs I see a lot of messages like this:
728.051395 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 74 m 0xfffff8000d78e000
Rebooting the machine or bringing the interface down and then up usually helps. Today, for the first time, it came back up on its own, after dropping traffic for about an hour or so.
Can this mean the NIC does not fully support netmap? Or is it just some misconfiguration on my side? I would be glad for any help.
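As an added example (not from the thread): a small parser for the `netmap_transmit full` kernel messages quoted above. It buckets them per minute so a burst can be alerted on before the box stops passing traffic, and flags runs of messages whose ring indexes never move. The sample lines are constructed, the 60-second window and threshold are assumptions, and reading a frozen hwcur/hwtail as "nobody is draining the ring" is an interpretation, not a Netmap-documented metric.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread: seconds since boot,
# the netmap.c source line in brackets, then the state of the host ring.
SAMPLE_LOG = """\
728.051395 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 74 m 0xfffff8000d78e000
728.051412 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 1514 m 0xfffff8000d78e100
728.052001 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 60 m 0xfffff8000d78e200
729.100000 [2860] netmap_transmit full hwcur 794 hwtail 681 qlen 112 len 74 m 0xfffff8000d78e300
900.000000 [2860] netmap_transmit full hwcur 100 hwtail 10 qlen 89 len 74 m 0xfffff8000d78e400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) \[\d+\] netmap_transmit full "
    r"hwcur (?P<hwcur>\d+) hwtail (?P<hwtail>\d+) "
    r"qlen (?P<qlen>\d+) len (?P<len>\d+)"
)


def parse_events(text):
    """Return one dict per 'netmap_transmit full' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({k: (float(v) if k == "ts" else int(v))
                           for k, v in m.groupdict().items()})
    return events


def bucket_by_window(events, window_s=60):
    """Count messages (and the bytes they dropped) per window of window_s seconds.
    The kernel rate-limits this message, so counts are a lower bound on drops."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0})
    for e in events:
        key = int(e["ts"] // window_s) * window_s
        buckets[key]["count"] += 1
        buckets[key]["bytes"] += e["len"]
    return dict(buckets)


def find_stall_windows(events, window_s=60, threshold=3):
    """Window start times whose message count reaches the alert threshold."""
    return sorted(k for k, b in bucket_by_window(events, window_s).items()
                  if b["count"] >= threshold)


def longest_frozen_run(events):
    """Longest run of consecutive messages with identical hwcur/hwtail;
    a long run suggests the ring is not being drained at all (interpretation)."""
    best = run = 0
    prev = None
    for e in events:
        cur = (e["hwcur"], e["hwtail"])
        run = run + 1 if cur == prev else 1
        best = max(best, run)
        prev = cur
    return best
```

Feed it the output of `dmesg` or /var/log/messages on the firewall; a window that trips the threshold is the moment to bounce the interface, rather than waiting an hour as in the post above.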
-
Don't use inline mode.
-
> Good day.
> Maybe you guys can help or give some advice.
> I have a NetXtreme BCM5720 Gigabit Ethernet PCIe, and inline mode works. But from time to time it starts to drop traffic on either the internal or the external interface.
> In the logs I see a lot of messages like this:
> 728.051395 [2860] netmap_transmit full hwcur 793 hwtail 680 qlen 112 len 74 m 0xfffff8000d78e000
> Rebooting the machine or bringing the interface down and then up usually helps. Today, for the first time, it came back up on its own, after dropping traffic for about an hour or so.
> Can this mean the NIC does not fully support netmap? Or is it just some misconfiguration on my side? I would be glad for any help.

Could be a buggy Netmap implementation by the driver, but you might try fiddling around with buffers. I'm no expert, but others have posted here about various mbuf settings that can be adjusted for certain NICs. These have helped with some Netmap and other NIC driver problems.
Bill
-
Well, replacing the NICs on the server with ones that officially support Netmap, and configuring them according to the recommendations in https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards, seems to fix the issue. I have not observed such a problem in the last 30 days.
Thank you for the help bmeeks.
-
I have followed all the recommendations in the tuning guide and I still get a ton of bad pkt errors. Using an Intel i350. Also tried an Intel i219.
Is anyone else using the i350 successfully?