Suricata not catching packets on PPPoE WAN

[guest16807]

Hi.
I've setup fresh OPNSense box in Proxmox enviroment.

First problem (in the test phase) was the virtio net driver - it was freezing whole virtual machine when enabling IPS in services. Quicly found on this forum that virtio isn't the best option for Suricata and switched to E1000 driver.

When I went to "production" I've passed thru Intel 82576 as WAN port and set PPPoE creditencials.
Everything works great except Suricata. It seems, that Suricata can't catch packets on PPPoE interface.
In suricata.log I see something like this (and nothing else):

Code: [Select]

23/11/2017 -- 21:23:21 - <Notice> - Signal Received.  Stopping engine.
23/11/2017 -- 21:23:21 - <Notice> - Stats for 'pppoe1':  pkts: 0, drop: 0 (nan%), invalid chksum: 0
23/11/2017 -- 21:23:21 - <Notice> - Stats for 'pppoe1+':  pkts: 0, drop: 0 (nan%), invalid chksum: 0
23/11/2017 -- 21:25:04 - <Notice> - This is Suricata version 4.0.1 RELEASE
23/11/2017 -- 21:25:04 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.I've found old thread in legacy subforum with familiar issue but without any solution (but that was v17.1 with 3.x Suricata installation).

Is there any chance to use IPS on PPPoE WAN interface?

[nspritz]

Same behavior on a Qotom-Q355 appliance using Intel I211-AT (igb2 driver).
Would this be a hardware limitation or just the nature of PPPoE?

[franco]

This is a known limitation of the IPS mode, but not IDS. We suspect somewhere in the FreeBSD kernel:

https://redmine.openinfosecfoundation.org/issues/1925

We've been through some debugging sessions despite the lack of feedback on that particular ticket, but have found no conclusive answer as to if and how it could be fixed.


Cheers,
Franco

[chemlud]

@Franco, this ticket is meanwhile closed. Will this ever be functional? Would be crucial to know if there is any IDS/IPS possible with PPPoE in the future. No way to setup Snort on OPNsense, I guess?

[AdSchellevis]

It's a limitation of netmap,  neither suricata or snort (by my knowledge) are capable of decoding the ppp packets it will receive on the physical interface. IDS mode captures the packets on the virtual interface (after decapsulation).

If you're not running any services on the network interface which is encapsulated, you could consider enabling ips on your internal interfaces (which also matches most of the rules better, because of nat reasons).
A solution with divert sockets might work in theory, but is pretty cpu intensive.

Cheers,

Ad