Suricata v3.0 with Inline IPS Mode via Netmap is now available for pfSense 2.3



  • The new Suricata 3.0 package with Netmap inline IPS mode is now available for use with pfSense 2.3-BETA.  The package contains the latest Suricata 3.0 binary.  See this preview thread for general information about the new mode and some of the caveats – https://forum.pfsense.org/index.php?topic=108010.0.

    In order to use the new inline IPS mode you must have a network card driver that supports Netmap on FreeBSD.  Several of the popular drivers are currently supported.  Here is a link originally provided by user @mais_um in the pfSense 2.3-BETA sub-forum:  https://www.freebsd.org/cgi/man.cgi?query=netmap&apropos=0&sektion=4&manpath=FreeBSD+10.2-RELEASE&arch=default&format=html#SUPPORTED_DEVICES.

    Once you verify your firewall contains a supported NIC driver on the interface you want to operate with inline IPS mode, then you need to make a change under System > Advanced > Networking and check the boxes to disable the following:

    • Hardware Checksum Offloading

    • Hardware TCP Segmentation Offloading

    • Hardware Large Receive Offloading

    A screenshot of the page showing the required settings is attached to this post.  You must make these changes to successfully run the new Netmap IPS mode!  For additional instructions and screenshots, refer to the Preview Thread here:  https://forum.pfsense.org/index.php?topic=108010.0




  • By the way, in looking through several of the tabs later after posting the new package, I found some typos in places.  I will get those fixed up.  One place is in the help text for the Enable checkbox on the SID MGMT tab.  It's easy to make errors like that when doing Bootstrap conversion on lots and lots of PHP pages and you get overzealous with copy-paste …  :-[.

    I also plan to tidy up the icons in a few spots.  Please report anything else you find that needs correcting in the package in this thread.

    [color=maroon]Note: using the new dropsid.conf file available on the SID MGMT tab is the best and easiest way to modify your rules to use the new DROP action required for inline IPS operation.  If you just want to turn whole categories to DROP from ALERT, then simply list the category names (as shown on the CATEGORIES tab) separated by commas on a line in dropsid.conf like so:

    
    # Change all rules in these Categories to DROP
    emerging-scan,emerging-botcc,emerging-trojan
    
    

    The above are just meant as examples and are not a recommendation for which rule categories to change to drop!  The dropsid.conf file accepts the same expressions and syntax as the enablesid.conf and disablesid.conf files.  Look in the provided sample files for examples (particularly the enablesid and disablesid files).

    Thanks,
    Bill



  • I found several other errors this past Friday in the new Suricata GUI code.  They result in some parts of SID MGMT working incorrectly.  There are also problems with saving changes to a few things on the FLOW/STREAM and APP PARSERS tab.  I have a comprehensive fix almost ready to post that addresses these and a few other cosmetic issues.

    Sorry for the bugs, but converting a package to Bootstrap is a major change.  In the rush to completion we missed some things in testing.

    Bill


Log in to reply