Suricata not catching packets on PPPoE WAN

Started by guest16807, November 23, 2017, 10:31:20 PM

Hi.
I've set up a fresh OPNsense box in a Proxmox environment.

First problem (in the test phase) was the virtio net driver - it was freezing the whole virtual machine when enabling IPS in services. Quickly found on this forum that virtio isn't the best option for Suricata and switched to the E1000 driver.

When I went to "production" I passed through an Intel 82576 as the WAN port and set the PPPoE credentials.
Everything works great except Suricata. It seems that Suricata can't catch packets on the PPPoE interface.
In suricata.log I see something like this (and nothing else):
23/11/2017 -- 21:23:21 - <Notice> - Signal Received.  Stopping engine.
23/11/2017 -- 21:23:21 - <Notice> - Stats for 'pppoe1':  pkts: 0, drop: 0 (nan%), invalid chksum: 0
23/11/2017 -- 21:23:21 - <Notice> - Stats for 'pppoe1+':  pkts: 0, drop: 0 (nan%), invalid chksum: 0
23/11/2017 -- 21:25:04 - <Notice> - This is Suricata version 4.0.1 RELEASE
23/11/2017 -- 21:25:04 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

I've found an old thread in the legacy subforum with a similar issue but without any solution (but that was v17.1 with a 3.x Suricata installation).

Is there any chance to use IPS on PPPoE WAN interface?



Same behavior on a Qotom-Q355 appliance using Intel I211-AT (igb2 driver).
Would this be a hardware limitation or just the nature of PPPoE?

This is a known limitation of the IPS mode, but not IDS. We suspect somewhere in the FreeBSD kernel:

https://redmine.openinfosecfoundation.org/issues/1925

We've been through some debugging sessions despite the lack of feedback on that particular ticket, but have found no conclusive answer as to if and how it could be fixed.


Cheers,
Franco

@Franco, this ticket has meanwhile been closed. Will this ever be functional? It would be crucial to know if there is any IDS/IPS possible with PPPoE in the future. No way to set up Snort on OPNsense, I guess?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

It's a limitation of netmap; neither Suricata nor Snort (to my knowledge) is capable of decoding the PPP packets it will receive on the physical interface. IDS mode captures the packets on the virtual interface (after decapsulation).

If you're not running any services on the network interface which is encapsulated, you could consider enabling IPS on your internal interfaces (which also matches most of the rules better, because of NAT reasons).
A solution with divert sockets might work in theory, but is pretty CPU intensive.

Cheers,

Ad
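To make the difference between the two capture points concrete, here is an added illustration (my own code, not OPNsense, netmap or Suricata code): it builds one IPv4 datagram, wraps it the way it travels on the physical NIC (Ethernet, EtherType 0x8864, PPPoE session header, PPP protocol 0x0021, then IPv4) and the way the decapsulated pppoeN interface presents it (simplified here to a plain Ethernet/IPv4 frame, since the real interface is point-to-point). A decoder that only understands plain Ethernet/IPv4 finds nothing to inspect in the physical-side frame, while a PPPoE-aware decoder has to strip eight extra bytes of headers first. All MACs, addresses and payload are constructed test values.

```python
"""Added example: why a frame captured on the PPPoE physical interface
looks different from the same packet seen on the virtual pppoeN interface.

Everything here is constructed test data (documentation prefixes 192.0.2.0/24
and 198.51.100.0/24, locally administered MACs); it is not OPNsense, netmap or
Suricata code."""
import ipaddress
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # RFC 2516 session stage
PPP_PROTO_IPV4 = 0x0021            # PPP protocol field for IPv4


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_pppoe_session(session_id: int, ppp_proto: int, payload: bytes) -> bytes:
    """PPPoE session header (ver=1, type=1, code=0) + PPP protocol + payload."""
    ppp = struct.pack("!H", ppp_proto) + payload
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp


def extract_ipv4(frame: bytes, decode_pppoe: bool) -> Optional[bytes]:
    """Return the IPv4 packet carried by an Ethernet frame, or None.

    decode_pppoe=False models an engine that only understands plain
    Ethernet/IPv4: a PPPoE session frame yields nothing to inspect.
    decode_pppoe=True strips the PPPoE and PPP headers first."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        return payload
    if ethertype == ETHERTYPE_PPPOE_SESSION and decode_pppoe:
        if len(payload) < 8:           # 6-byte PPPoE header + 2-byte PPP protocol
            return None
        ver_type, code, _session, length = struct.unpack("!BBHH", payload[:6])
        if ver_type != 0x11 or code != 0x00:
            return None                # not a session-stage data frame
        ppp = payload[6:6 + length]
        if len(ppp) < 2:
            return None
        proto = struct.unpack("!H", ppp[:2])[0]
        if proto != PPP_PROTO_IPV4:
            return None                # LCP, IPCP, IPv6CP etc. carry no IPv4
        return ppp[2:]
    return None


def ipv4_header_valid(packet: bytes) -> bool:
    """True if the bytes start with an IPv4 header whose checksum verifies."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


# Constructed sample: one UDP datagram as it would look on the two interfaces.
INNER = build_ipv4("192.0.2.10", "198.51.100.20",
                   b"\x00\x35\x00\x35\x00\x0d\x00\x00hello")
CPE_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
AC_MAC = bytes.fromhex("020000000002")
# What the physical NIC (and netmap on it) sees: Ethernet > PPPoE > PPP > IPv4
PHYSICAL_FRAME = build_ethernet(AC_MAC, CPE_MAC, ETHERTYPE_PPPOE_SESSION,
                                build_pppoe_session(0x0001, PPP_PROTO_IPV4, INNER))
# What the virtual pppoeN interface presents after decapsulation (simplified
# to a plain Ethernet/IPv4 frame for this example)
VIRTUAL_FRAME = build_ethernet(AC_MAC, CPE_MAC, ETHERTYPE_IPV4, INNER)

if __name__ == "__main__":
    for name, frame in (("physical", PHYSICAL_FRAME), ("virtual", VIRTUAL_FRAME)):
        plain = extract_ipv4(frame, decode_pppoe=False)
        aware = extract_ipv4(frame, decode_pppoe=True)
        print(f"{name:8s} plain decoder: {'IPv4 found' if plain else 'nothing'}; "
              f"PPPoE-aware decoder: {'IPv4 found' if aware else 'nothing'}")
```

Running it prints that the plain decoder finds IPv4 only in the virtual-side frame, while the PPPoE-aware decoder finds it in both; the 8-byte PPPoE/PPP prefix is also why the physical-side bytes fail a naive IPv4 header check (the first nibble is the PPPoE version, not 4). The same mismatch applies to any rule that expects IPv4 to start 14 bytes into the frame.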