Messages - Nibras Al-Afoun

#1
I'm currently deploying OPNsense in transparent bridge mode between a Mikrotik router (as trunk port) and a Palo Alto firewall (L3), with Suricata enabled for IDS/IPS. Everything works fine in IDS mode, but I encounter major issues when enabling IPS mode.
System Configuration:
•   OPNsense Version: [insert version]
•   Suricata: Latest package from UI
•   Mode: Transparent bridge (bridge0) inspecting trunked VLANs
•   Interfaces: Only bridge0 selected for Suricata
•   Pattern Matcher: Hyperscan (when supported)
•   BPF Filters: [e.g., not vlan 30, if applied]
•   Hardware: [e.g., 4 cores, 8GB RAM, Intel NICs]
•   Filesystem: ZFS (ARC limited via vfs.zfs.arc_max loader tunable)

What Works:
•   IDS mode runs normally, logs alerts, no packet loss
•   Netmap bindings pass correctly
•   Bridge is transparent and VLANs reach the firewall

Problems in IPS Mode:
1.   All outbound traffic is blocked when IPS is enabled
     Even with all rules set to Alert, traffic fails to pass.
2.   Netmap startup errors before ARC tuning
     netmap:bridge0/R failed: Cannot allocate memory
3.   Flowbit dependency warnings
     Example: flowbit 'ET.BunnyLoader.Checkin' is checked but not set
4.   Suricata rule parsing errors
     e.g.: error parsing signature ... line 390 ... content:"|5C 5C 0A 5C 5C 0A ..."
5.   Queue exhaustion runtime errors
     Just ran out of space in the queue. Please file a bug report on this
6.   Suricata starts but silently drops traffic
     With no rules set to drop, IPS mode still causes loss of connectivity to external sites.
#2
I'm currently deploying OPNsense in transparent bridge mode between a Mikrotik router (as trunk port) and a Palo Alto firewall (L3), with Suricata enabled for IDS/IPS. Everything works fine in IDS mode, but I encounter major issues when enabling IPS mode.

System Configuration

·         Device model: [PowerEdge R750]

·         OPNsense Version: [OPNsense 25.1.11-amd64]

·         FreeBSD 14.2-RELEASE-p4

·         OpenSSL 3.0.17

·         Suricata: Latest package from UI

·         Mode: Transparent bridge (bridge0) inspecting trunked VLANs

·         Interfaces: Only bridge0 selected for Suricata

·         Pattern Matcher: Hyperscan

·         Hardware: [e.g., 80 cores, 2048 GB RAM, Broadcom NICs*8]

Intel(R) Xeon(R) Platinum 8380 CPU @ 2.30GHz (80 cores, 160 threads)

Broadcom Gigabit Ethernet BCM5720

Broadcom Adv. Dual 25Gb Ethernet

Broadcom Adv. Dual 25Gb Ethernet

Broadcom Adv. Dual 25Gb Ethernet

·         Filesystem: ZFS (ARC limited via vfs.zfs.arc_max loader tunable)

What Works

·         IDS mode runs normally, logs alerts, no packet loss

·         Netmap bindings pass correctly

·         Bridge is transparent and VLANs reach the firewall

Problems in IPS Mode

1.      All outbound traffic is blocked when IPS is enabled, even with all rules set to Alert.

2.      Netmap startup errors before ARC tuning: netmap:bridge0/R failed: Cannot allocate memory

3.      Flowbit dependency warnings, e.g., flowbit 'ET.BunnyLoader.Checkin' is checked but not set

4.      Suricata rule parsing errors, e.g., content:"|5C 5C 0A 5C 5C 0A ...

5.      Queue exhaustion runtime errors: Just ran out of space in the queue. Please file a bug report on this

6.      Suricata starts but silently drops traffic, even with no DROP rules applied

What I've Tried So Far

·         Limited ARC cache via loader tunable (vfs.zfs.arc_max=1073741824)

·         Disabled all non-critical rule categories (e.g., shellcode, voip, inappropriate)

·         Disabled Firewall Filtering, which caused denies by the default rules

·         Forced all rules to Alert via policy with priority 1

·         Reduced dev.netmap.buf_num to 65536

·         Confirmed Suricata binds only to bridge0 in IPS mode

·         Disabled ClamAV, Zenarmor, and background services

·         Installed swap file to ensure system has headroom

·         Used Hyperscan as pattern matcher where supported

Assistance Requested

Is there a known bug or limitation when using Suricata IPS in bridge mode with VLAN trunks on OPNsense?

Are there specific driver/kernel or netmap constraints I should consider?

How can I debug or trace netmap drops in more detail?

Can you confirm whether this is a Suricata limitation, a netmap issue, or policy misbehavior?
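As an added triage example (not from the post, and not OPNsense or Suricata code): a script that sorts the four error messages the post quotes into startup, runtime, rule-load and benign categories over constructed suricata.log lines, so an operator can see which of them can actually explain the connectivity loss. The log line layout, timestamps, thread names and rule file path are assumed placeholders; only the message text is keyed on.

```python
import re
from collections import Counter

# Constructed sample log (placeholder timestamps/thread names); each line is
# modelled on one message quoted in the post, plus one unrelated notice.
SAMPLE_LOG = """\
2025-01-01 10:00:00 [Suricata-Main] Error: netmap:bridge0/R failed: Cannot allocate memory
2025-01-01 10:00:01 [Suricata-Main] Warning: flowbit 'ET.BunnyLoader.Checkin' is checked but not set
2025-01-01 10:00:01 [Suricata-Main] Warning: flowbit 'ET.Example.Stage1' is checked but not set
2025-01-01 10:00:02 [Suricata-Main] Error: error parsing signature "..." from file /path/to/example.rules at line 390
2025-01-01 10:05:00 [W#01-bridge0] Error: Just ran out of space in the queue. Please file a bug report on this
2025-01-01 10:05:01 [Suricata-Main] Notice: all 1 packet processing threads, 4 management threads initialized
"""

# (category, severity, pattern, what it means for the operator)
CATEGORIES = [
    ("netmap_alloc", "fatal-startup", re.compile(r"netmap:(\S+) failed: Cannot allocate memory"),
     "netmap ring could not be allocated; IPS never binds, check netmap buffer tunables"),
    ("queue_full", "fatal-runtime", re.compile(r"ran out of space in the queue"),
     "packet queue exhausted while running; correlate its timestamp with the outage"),
    ("rule_parse", "rule-load", re.compile(r"error parsing signature .*? at line (\d+)"),
     "that signature is skipped; the rest of the ruleset still loads"),
    ("flowbit_unset", "benign", re.compile(r"flowbit '([^']+)' is checked but not set"),
     "rule depends on a flowbit no enabled rule sets; it can never fire and blocks nothing"),
]


def triage(log_text):
    """Count each category and collect the identifier (interface, line, flowbit) it names."""
    counts = Counter()
    ids = {name: [] for name, *_ in CATEGORIES}
    for line in log_text.splitlines():
        for name, _sev, pat, _why in CATEGORIES:
            m = pat.search(line)
            if m:
                counts[name] += 1
                if m.groups():
                    ids[name].append(m.group(1))
                break  # one category per line
    return counts, ids


def assess(counts):
    """Return (category, severity, meaning) for every category seen, worst first."""
    order = {"fatal-startup": 0, "fatal-runtime": 1, "rule-load": 2, "benign": 3}
    hits = [(n, s, w) for n, s, _p, w in CATEGORIES if counts.get(n)]
    return sorted(hits, key=lambda h: order[h[1]])


if __name__ == "__main__":
    counts, ids = triage(SAMPLE_LOG)
    for name, sev, why in assess(counts):
        print(f"{sev:14} {name:14} x{counts[name]:<3} {why}  {ids[name]}")
```

Flowbit warnings land last on purpose: they are the noisiest lines in the post but cannot drop anything, so the startup and runtime failures are where the outage investigation belongs.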