VLAN Capture Issues?

[spetrillo]

Hello all,

I have enabled Suricata on the physical interfaces that support my VLANs. I am getting the following msg in the Suricata log:

2021-08-03T11:01:05   suricata[28450]   [100282] <Warning> -- [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - Using igb2_vlan20 with TSO, TOE or LRO activated can lead to capture problems. Run: ifconfig igb2_vlan20 -tso -toe -lro

My interfaces are configured in the attachment. I have Intel EM0 and IGB0-IGB3 physical NICs. I was under the impression the Intel NICs are better at dealing with Suricata and VLANs?

Thanks,
Steve

[tuto2]

Hi,

Are you running Suricata in IPS mode? If so - disable everything, netmap requires all forms of offloading to be disabled (especially VLAN hardware tagging/filtering in the case of VLANs).

Generally, all forms of offloading should be disabled for Suricata to function properly. The Suricata documentation states what kind of offloading is acceptable depending on the mode of operation: https://suricata.readthedocs.io/en/suricata-5.0.2/performance/packet-capture.html

My interfaces are configured in the attachment. I have Intel EM0 and IGB0-IGB3 physical NICs. I was under the impression the Intel NICs are better at dealing with Suricata and VLANs?

Intel NICs (or any NIC for that matter) have no notion of anything going on higher up in the stack. If Suricata states a form of offloading should be disabled, it should simply be disabled.

Cheers,
Stephan

[spetrillo]

I disabled all the offloading and the vlan hardware filtering. I am not getting those messages any longer but a couple more curious things:

1) I have set Suricata to my actual hardware interfaces in the interfaces section. Now I am not getting any visibility into which vlan is having an alert, even though the vlan interface shows in the alert. Do I enable both the actual hardware interfaces and the vlans?

2) I am not running IPS at this time. I would assume that if I enable IPS my rules better be spot on or I am going to start blocking good traffic correct?

3) I am now seeing this in the log: 2021-08-05T10:27:15   suricata[82213]   [100427] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB' is checked but not set. Checked in 2018283 and 0 other sigs. Am I missing a Suricata option for this?

[tuto2]

1) I have set Suricata to my actual hardware interfaces in the interfaces section. Now I am not getting any visibility into which vlan is having an alert, even though the vlan interface shows in the alert. Do I enable both the actual hardware interfaces and the vlans?

I think this is part of a more general discussion, I think some people who prefer more fine-grained control will create an instance of Suricata per vlan. Multi-tenancy in Suricata may also provide an answer for you: https://suricata.readthedocs.io/en/suricata-6.0.0/configuration/multi-tenant.html - though this isn't supported in OPNsense and will require you to configure custom configuration files. You can also set Suricata only on the parent interface; make sure you enable promiscuous mode in this case.

2) I am not running IPS at this time. I would assume that if I enable IPS my rules better be spot on or I am going to start blocking good traffic correct?

Correct, though this depends on the action for a rule being "drop", see https://docs.opnsense.org/manual/ips.html#general-setup

3) I am now seeing this in the log: 2021-08-05T10:27:15   suricata[82213]   [100427] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Netwire.HB' is checked but not set. Checked in 2018283 and 0 other sigs. Am I missing a Suricata option for this?

I don't have a direct answer for this, other people also noticed this and apparently this is not an issue:
https://forum.opnsense.org/index.php?topic=14997.0
https://github.com/StamusNetworks/SELKS/issues/171