Hello,
Sorry if this issue was already discussed, but I didn't find any related topics.
I activated IPS 2 weeks ago because I discovered some MAP scans on my OPNWAF, and decided to block them.
From then on I discovered an issue. Now I'm sure it's related to IPS, because when I disable it, the issue goes away.
Last week, I started to download a 2.9 Gb video file with SwissTransfer in Chrome (HTTPS) and the transfer stayed at 99.9%. It never completed.
I suspected a file issue because I had downloaded another video file minutes before, but only 10 MB.
Yesterday, for the second time, an automated FTP download script failed at the end of the download.
I can reproduce the error with the same file in FileZilla, on another computer, but behind the same OPNsense.
After doing some research I can now affirm that IPS is responsible for that. My findings tell me there is a TCP session time/file size limit related to the IPS packet analysis.
I tried to change the detection profile to high (recommended by AI).
I only monitor WAN interfaces, no promiscuous mode, I disabled all hardware offloading.
Now I cannot find a workaround.
Do you have any idea for me?
Patient: "Doctor, it always hurts when I do this..."
Doctor: "Then do not do it."
Any mechanism that is designed to block certain things can also block other things that you did not want it to. That is why there is a recommendation to start with IDS, not IPS mode.
You can inspect your Suricata logs to find the culprit and maybe disable the offending rule when it pops up. There are plenty to choose from...
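As an added illustration of the log inspection suggested above (this is example code written for this thread, not from the reply author or from the OPNsense/Suricata projects): a small triage script that reads Suricata `eve.json` lines, counts which signatures were actually acted on (alerts with action "blocked" and drop events carrying alert metadata), groups the events of one host by flow, and lists large flows that ended by timeout without any alert, which is the pattern to look for when the engine rather than a rule is the cause. The log lines, flow ids, IPs and signature ids are constructed for the example.

```python
"""Triage Suricata eve.json output: which rules blocked traffic, and which large
flows died without any rule firing.  Example code, not part of OPNsense or Suricata."""
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (hypothetical flows and signature ids, not from
# any real system).  Flow 100: alert logged but allowed (IDS-style).  Flow 200: alert
# with action "blocked" followed by a "drop" record for the same flow.  Flow 300: a
# ~3 GB flow record that ended by timeout and never alerted.  Last line is junk.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":100,"event_type":"alert",'
    '"src_ip":"198.51.100.20","src_port":443,"dest_ip":"192.0.2.10","dest_port":50001,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"EXAMPLE logged only","category":"Example","severity":3}}',
    '{"timestamp":"2024-05-01T10:05:00.000000+0000","flow_id":200,"event_type":"alert",'
    '"src_ip":"198.51.100.21","src_port":21,"dest_ip":"192.0.2.10","dest_port":50002,"proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":2,'
    '"signature":"EXAMPLE blocking rule","category":"Example","severity":2}}',
    '{"timestamp":"2024-05-01T10:05:00.000100+0000","flow_id":200,"event_type":"drop",'
    '"src_ip":"198.51.100.21","src_port":21,"dest_ip":"192.0.2.10","dest_port":50002,"proto":"TCP",'
    '"drop":{"len":1500,"ttl":54,"tcpseq":1,"tcpack":1,"ack":true,"psh":true},'
    '"alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":2,'
    '"signature":"EXAMPLE blocking rule","category":"Example","severity":2}}',
    '{"timestamp":"2024-05-01T10:30:00.000000+0000","flow_id":300,"event_type":"flow",'
    '"src_ip":"192.0.2.10","src_port":50003,"dest_ip":"198.51.100.22","dest_port":443,"proto":"TCP",'
    '"flow":{"pkts_toserver":500,"pkts_toclient":2000000,"bytes_toserver":40000,'
    '"bytes_toclient":3000000000,"age":1800,"state":"closed","reason":"timeout","alerted":false}}',
    'this line is not json and must be skipped',
]


def parse_eve(lines):
    """Parse eve.json (one JSON object per line), skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write or non-JSON noise: ignore rather than abort
    return events


def blocking_signatures(events):
    """Count, per (signature_id, signature), the events where Suricata acted on a
    rule: alerts with action "blocked" and drop records that carry alert metadata.
    Alerts with action "allowed" are logging only and are not counted."""
    counts = Counter()
    for ev in events:
        alert = ev.get("alert")
        if not alert:
            continue
        if ev.get("event_type") == "drop" or alert.get("action") == "blocked":
            counts[(alert.get("signature_id"), alert.get("signature"))] += 1
    return counts


def flows_for_host(events, host_ip):
    """Group all events by flow_id for flows where host_ip is either endpoint."""
    by_flow = defaultdict(list)
    for ev in events:
        if host_ip in (ev.get("src_ip"), ev.get("dest_ip")):
            by_flow[ev.get("flow_id")].append(ev)
    return dict(by_flow)


def unattributed_timeouts(events, min_bytes):
    """Flow records of at least min_bytes that ended by timeout and never alerted.
    These are the candidates for an engine-level cause (stream limits, timeouts)
    rather than a signature, since no rule is recorded against them."""
    out = []
    for ev in events:
        if ev.get("event_type") != "flow":
            continue
        fl = ev.get("flow", {})
        total = fl.get("bytes_toserver", 0) + fl.get("bytes_toclient", 0)
        if total >= min_bytes and fl.get("reason") == "timeout" and not fl.get("alerted", False):
            out.append((ev.get("flow_id"), total))
    return out


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE_LINES)
    print("rules that blocked or dropped traffic:")
    for (sid, name), n in blocking_signatures(evs).most_common():
        print(f"  sid {sid} ({name}): {n} event(s)")
    print("large flows that timed out with no alert:", unattributed_timeouts(evs, 1_000_000_000))
    for fid, group in flows_for_host(evs, "192.0.2.10").items():
        print(f"flow {fid}: {[e['event_type'] for e in group]}")
```

To run it against a real log, replace `SAMPLE_EVE_LINES` with the lines of `eve.json` and pass the affected client's address to `flows_for_host`; if the failing transfer shows up only in `unattributed_timeouts` and never in `blocking_signatures`, disabling a rule will not help and the engine's stream settings are the place to look.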
Hello, thanks for the reply. Of course, I started with IDS for a few months, only some Zmap alerts, that's why I enabled IPS.
There is no alert regarding this particular issue. That's why it's strange.
The AI told me it needs a bypass rule for large files or to adapt stream reassembly, depth or memcap.
And it also told me this is related to the Suricata engine, not to a rule.
But as far as I know, editing the yaml file is not persistent across a reboot.
Do you have any idea?
No, as personally I do not believe in such tools and I do not use them. Maybe you can change the pattern matcher or the capture mode.
For starters, it seems to be the wrong approach to monitor the WAN interface (https://docs.opnsense.org/manual/ips.html#choosing-an-interface).