Suricata V3.0 Inline Mode
-
I wish to express sincere thanks to Bill Meeks for his efforts with Suricata V3.0 and the developers with the new version of Pfsense 2.3.
I do need some help however with the new Suricata V3.0. I have a Pfsense 2.3 with an Intel server network card that supports the Inline Mode but have not been able to understand how to configure it in the new Inline Mode. I have been using the Emerging Threats ET Pro rule set in the legacy mode without any issues. The steps to configure the appropriate files are not clear. It would be of great assistance if someone could show a working example and screen pictures. If I can get a small example working I am sure the rest would follow.
Thanks for your consideration.
G. Howard Krauss
I plan to update the docs on the pfSense Wiki eventually, but in the meantime here is a quick how-to.
Edit: changed "disablesid" to "dropsid" in the text below. It should have been "dropsid" … :-[.
First, make sure you disable some hardware offloading features as described and illustrated in this post: https://forum.pfsense.org/index.php?topic=108068.msg601891#msg601891. Disabling hardware offloading of checksum calculation and segmentation is very important!
1. Go to the Suricata interface you wish to run with inline IPS mode by clicking Services > Suricata from the menu and then clicking to edit the desired interface.
2. Scroll down to the Alert and Block Settings section, click to check the Block Offenders checkbox, then change the IPS Mode drop-down to Inline Mode. Save the change by clicking Save at the bottom of the page.
3. Go to the CATEGORIES tab and select the desired rule set categories.
4. Now the tricky part, and there are no easy pat answers from here on down. Go to the SID MGMT tab and click the checkbox to enable automatic SID management.
5. Click the pencil icon beside the dropsid-sample.conf file to open it in the on-screen editor. There are examples in the file of how to use it. If you just want to duplicate the old legacy mode behavior where any alert caused a block (or in the new IPS Inline mode, that will be a drop), then highlight everything in the file and delete it. Now type the names of all the rule categories you enabled on the CATEGORIES tab on a line. Separate each name with a comma. I've included an example at the end of these instruction steps.
6. When finished, go up to the filename box and change the name to just dropsid.conf and then save the new file. If you don't change the name in the filename box, you will overwrite the sample file. No great harm, but then you lose the examples for future reference … ;).
7. Now go down to the bottom of the SID MGMT tab and over on the right-hand side change the Drop SID File drop-down so that it shows the dropsid.conf file you modified and saved in step 5 above. Click Save to save all the changes.
8. Now go back to the INTERFACES tab and restart Suricata on the interface (or just start it if not already running) by clicking the appropriate icon.
That's it. Suricata will now run with inline IPS on that interface. Dropped traffic will be shown highlighted on the ALERTS tab. In Inline IPS mode, the BLOCKS tab will not show anything for an inline IPS interface. The BLOCKS tab only shows IP addresses blocked when in Legacy Mode.
Example of setting ET-Pro categories to DROP
# The categories shown below will have all rules changed from "alert" to "drop"
etpro-dns,etpro-botcc,etpro-malware,etpro-tor,etpro-trojan
Here is an explanation for the sample file. Because I gave it category names, the logic will change all the SIDs in each matching category from "alert" to "drop". Note that partial names will also match, so "etpro-botcc" will match both "etpro-botcc" and the new "etpro-botcc.portgrouped" categories. If I wanted to alter just the "etpro-botcc" category, then I would use the more specific "etpro-botcc.rules" to match the specific name. Be sure when giving a category name to enter exactly like it is shown on the CATEGORIES tab (you can omit the ".rules" extension, but you must include the custom prefix). The Suricata package prefixes the actual category names from the vendor rule sets with a tag to indicate which rule vendor sources the file ("etpro-" for Emerging Threats Pro, "emerging-" for the free Emerging Threats rules, and "snort_" for the Snort VRT rules).
I could also use individual GID:SID numbers on a different line in the dropsid.conf file, and those would get altered from "alert" to "drop". Additional options are also available. Note there is currently a typo in the PCRE example, though. Do not include the quote marks shown in the example file when using a PCRE (Perl compatible regular expression) to select SIDs for modification.
Ideally, you wouldn't want every rule to "drop" traffic. You probably want to leave many rules at their default "alert" action so you get a notice of the traffic, but it still flows. Generally the "drop" action is reserved for more serious threats. What constitutes a "serious" threat can be network specific, and that's where a good IDS/IPS administrator earns their pay … :) ... by knowing how to make that judgment call.
Bill
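As an added illustration (not code from the pfSense Suricata package itself), the following Python script models the dropsid.conf matching behaviour described above: comma-separated category names match rule file names partially (so "etpro-botcc" also hits "etpro-botcc.portgrouped"), "etpro-botcc.rules" matches only that file, and GID:SID entries select individual rules. The rule files, their contents and the helper function names are all constructed for this example.

```python
import re

# Constructed sample rule files, named as the package names them
# (vendor prefix + vendor category + ".rules").
RULE_FILES = {
    "etpro-botcc.rules": [
        'alert ip $HOME_NET any -> 198.51.100.7 any (msg:"ETPRO BOTCC sample"; sid:2800001; rev:1;)',
    ],
    "etpro-botcc.portgrouped.rules": [
        'alert tcp $HOME_NET any -> 198.51.100.8 443 (msg:"ETPRO BOTCC pg sample"; sid:2800002; rev:1;)',
    ],
    "etpro-dns.rules": [
        'alert dns $HOME_NET any -> any any (msg:"ETPRO DNS sample"; sid:2800003; rev:1;)',
        '# alert dns $HOME_NET any -> any any (msg:"ETPRO DNS disabled"; sid:2800004; rev:1;)',
    ],
}

# Constructed dropsid.conf: categories on one line, GID:SID entries on another.
DROPSID_CONF = """\
# "etpro-botcc.rules" is specific; plain "etpro-dns" would also match a .portgrouped file
etpro-dns,etpro-botcc.rules
# individual GID:SID entries (GID defaults to 1 when a rule has no gid keyword)
1:2800002
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def parse_dropsid(text):
    """Split the conf into (category names, set of (gid, sid)); '#' starts a comment."""
    cats, sids = [], set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        for tok in (t.strip() for t in line.split(",") if t.strip()):
            if re.fullmatch(r"\d+:\d+", tok):
                sids.add(tuple(int(x) for x in tok.split(":")))
            else:
                cats.append(tok)
    return cats, sids

def apply_dropsid(rule_files, conf):
    """Return a copy of rule_files with matching enabled 'alert' rules rewritten to 'drop'."""
    cats, sids = parse_dropsid(conf)
    out = {}
    for fname, lines in rule_files.items():
        by_cat = any(c in fname for c in cats)      # partial-name match on the file name
        new = []
        for rule in lines:
            m = SID_RE.search(rule)
            g = GID_RE.search(rule)
            gid = int(g.group(1)) if g else 1
            enabled_alert = re.match(r"^alert\b", rule) is not None   # skips '#'-disabled rules
            hit = enabled_alert and (by_cat or (m and (gid, int(m.group(1))) in sids))
            new.append("drop" + rule[len("alert"):] if hit else rule)
        out[fname] = new
    return out
```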
-
Bill:
Thanks very much for the assistance! I have the Suricata V3.0 Inline now operational. The example syntax was very helpful. One issue I did note: the drop rules that show in the alert section (tab) are not shown in red. I checked the log and they were indeed blocked.
Best Regards,
Howard
-
Do you have more than one interface configured? If so, remember to select the correct interface when viewing the alerts. The dropped traffic should be showing in red and the text of the alert in the alerts.log file will start with "drop". Were you looking in the alerts.log when you saw the dropped traffic?
Bill
-
Bill:
Suricata V3.0 is now working fine. I now see the blocked alerts showing in red. I am going to just let it run with this snapshot of Pfsense 2.3 and see how it is working over a period of time.
Best Regards,
Howard
-
Great! Glad everything is working. There are still a few things I plan on improving.
Bill
-
Bill:
An update with respect to a strange issue. I am using the traffic shaper with CODEL to minimize buffer bloat. It worked fine with Pfsense 2.2.6. However Pfsense 2.3 and Suricata Inline seem to be a problem. First, if I removed the traffic shaper when running Suricata V3.0 Inline the box locked up and would not pass traffic. I looked at the error messages and they were related to Netmap. I rebooted the box and all was well. I then reconfigured the traffic shaper on the WAN and LAN with CODEL. A test for buffer bloat showed poor results, i.e. buffer bloat. Then I rebooted the box and it is now working OK with the traffic shaper. It seems that Netmap and the traffic shaper interact. I have it working now but it was strange. Have you seen this before?
Regards,
Howard
-
Bill:
Further testing with the traffic shaper. It works with Suricata in the Legacy Mode but does not in the Inline Mode. Must be some interaction with Netmap ???
Regards,
Howard
-
There's one more test I would do: run Suricata inline with absolutely no rules, disabling all categories/rules.
F.
-
I removed all the rules from Suricata V3.0 running in the Inline Mode and the traffic shaper still does not function correctly. There must be some interaction between Suricata Inline Mode and the Pfsense 2.3 traffic shaper with CODEL used for bufferbloat reduction.
-
Further information:
When I change back from Inline Mode to Legacy Mode the box must be rebooted for the traffic shaper to work correctly.
-
I see other issues posted over in the 2.3-BETA sub-forum with the Traffic Shaper. It is likely the shaper and Netmap do not currently play well together. I will have to refer that one to the pfSense developers. Would you mind opening a Redmine bug report for this issue? Just explain what happens with Inline mode and the traffic shaper.
Bill
-
Bill:
I just wrote a short note for redmine bugtracker report describing the problem.
Best Regards,
Howard
-
This is now the show stopper for me to use Suricata v3 inline mode, one of the main reasons to upgrade to pfSense 2.3. Any timeline to fix it? I'm waiting for it to be fixed before upgrading to pfSense 2.3.
-
I see the bug report has been assigned to one of the pfSense kernel developers. Here is the redmine link: https://redmine.pfsense.org/issues/6023
Bill
-
I am trying inline now. I think Netmap is supported as I see the interfaces using the emX driver.
However on following the above instructions I have full loss of internet connectivity.
-
Ok the likely problem is Netmap.
-
Yes, Netmap and some NIC drivers are misbehaving badly in the kernel at the moment. There are threads in the INSTALL and UPGRADES forum and elsewhere about it. It seems to depend on your exact NIC as to whether or not you have issues. Some folks immediately lose connectivity, for others it takes hours or a few days, and some seem to have no problems.
I believe the pfSense developer team is looking into the Netmap issues. It is probably not a pfSense thing and is instead either an upstream bug in Netmap or FreeBSD.
Bill
-
I look forward to the issue being fixed and enabling inline mode in my production environment.
Thanks pfSense developer team and Bill.
-
Was this issue fixed in 2.3.1?
-
or 2.3.2?