
Author Topic: Suricata inline mode occasionally drops all traffic for interface under load  (Read 315 times)


alsteblieft
Here's the suricata log, which doesn't seem to contain any issues.
Code:

3/1/2018 -- 12:14:23 - <Notice> -- This is Suricata version 4.0.1 RELEASE
3/1/2018 -- 12:14:23 - <Info> -- CPUs/cores online: 4
3/1/2018 -- 12:14:23 - <Info> -- Netmap: Setting IPS mode
3/1/2018 -- 12:14:23 - <Info> -- HTTP memcap: 67108864
3/1/2018 -- 12:14:23 - <Notice> -- using flow hash instead of active packets
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 70
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 90
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 114
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 159
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 235
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 236
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 242
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 290
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 293
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 442
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 443
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 474
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 479
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 598
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 599
3/1/2018 -- 12:14:32 - <Info> -- 3 rule files processed. 10542 rules successfully loaded, 15 rules failed
3/1/2018 -- 12:14:32 - <Info> -- Threshold config parsed: 6 rule(s) found
3/1/2018 -- 12:14:32 - <Info> -- 10550 signatures processed. 14 are IP-only rules, 4275 are inspecting packet payload, 7491 inspect application layer, 102 are decoder event only
3/1/2018 -- 12:14:43 - <Info> -- fast output device (regular) initialized: alerts.log
3/1/2018 -- 12:14:43 - <Info> -- http-log output device (regular) initialized: http.log
3/1/2018 -- 12:14:43 - <Info> -- Using 2 live device(s).
3/1/2018 -- 12:14:43 - <Notice> -- all 6 packet processing threads, 2 management threads initialized, engine started.


Whenever I run suricata in inline mode, it seems to break the interface it is running on/drop all traffic for it. Though this only happens when maxing out my connection speed during load testing. Nothing is being blocked in legacy mode when I try the same thing, so it's not a matter of alerts triggering a block.

The system, which is a VM on an ESXi host with an intel pro/1000 pt NIC passed through, should be able to run suricata without any problems in inline mode.

Specs:
4 vCPU cores
8GB RAM
Intel pro/1000 pt dual port NIC

Edit:
Kernel log:

Code:
Jan  3 12:14:18 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: WAN ...
Jan  3 12:14:20 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Enabling any flowbit-required rules for: WAN...
Jan  3 12:14:20 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Building new sid-msg.map file for WAN...
Jan  3 12:14:20 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Updating rules configuration for: LAN ...
Jan  3 12:14:22 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Enabling any flowbit-required rules for: LAN...
Jan  3 12:14:22 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Building new sid-msg.map file for LAN...
Jan  3 12:14:22 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: Toggle (suricata stopping) for WAN(WAN)...
Jan  3 12:14:22 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Suricata STOP for WAN(em0)...
Jan  3 12:14:23 fwl01 kernel: em0: promiscuous mode disabled
Jan  3 12:14:23 fwl01 php-fpm[14407]: /suricata/suricata_interfaces.php: [Suricata] Suricata START for WAN(em0)...
Jan  3 12:14:43 fwl01 kernel: em0: permanently promiscuous mode enabled
Jan  3 12:14:43 fwl01 check_reload_status: Linkup starting em0
Jan  3 12:14:43 fwl01 kernel: em0: link state changed to DOWN
Jan  3 12:14:44 fwl01 php-fpm[45319]: /rc.linkup: Hotplug event detected for WAN(wan) static IP (192.168.0.10 )
Jan  3 12:14:44 fwl01 check_reload_status: Reloading filter
Jan  3 12:14:46 fwl01 check_reload_status: Linkup starting em0
Jan  3 12:14:46 fwl01 kernel: em0: link state changed to UP
Jan  3 12:14:47 fwl01 php-fpm[92984]: /rc.linkup: Hotplug event detected for WAN(wan) static IP (192.168.0.10 )
Jan  3 12:14:47 fwl01 check_reload_status: rc.newwanip starting em0
Jan  3 12:14:47 fwl01 check_reload_status: Reloading filter
Jan  3 12:14:48 fwl01 php-fpm[92984]: /rc.newwanip: rc.newwanip: Info: starting on em0.
Jan  3 12:14:48 fwl01 php-fpm[92984]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.0.10) (interface: WAN[wan]) (real interface: em0).
Jan  3 12:14:48 fwl01 check_reload_status: Reloading filter
Jan  3 12:15:19 fwl01 rc.gateway_alarm[18722]: >>> Gateway alarm: GW_WAN (Addr:192.168.0.1 Alarm:1 RTT:865ms RTTsd:1103ms Loss:21%)
« Last Edit: January 03, 2018, 06:46:03 am by alsteblieft »
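
The Suricata log above lists each signature that failed to load and, on the line just before it, the reason Suricata rejected it (packet-specific keywords mixed with app-layer matching, relative keywords around a fast_pattern:only content, or a modifier used while a sticky buffer is still set). The script below is an added example, not from the original post and not code from the Suricata or pfSense projects: it pairs each "error parsing signature" line with the reason line that precedes it, extracts the sid, rule name and rules-file line, groups the failures by reason, and checks the number of parsed failures against the "N rules failed" summary line so a truncated log excerpt is noticed. The sample log embedded in it is constructed from the message formats shown above with shortened rule bodies, and the short reason labels are assumptions of this example, not Suricata's own names.

```python
"""Summarise Suricata rule-parsing failures from a suricata.log excerpt.

Added example, not part of the forum post.  Suricata 4.x logs a reason line
(SC_ERR_INVALID_SIGNATURE) and then an 'error parsing signature' line for
each rule it refuses to load; this pairs the two and cross-checks the count
against the 'N rules failed' summary.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: three reason/signature pairs plus the summary line.
# Rule bodies are shortened; the message formats follow the log in the post.
SAMPLE_LOG = """\
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE rule A"; dsize:146; content:"GET"; http_uri; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 235
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE rule B"; content:"/gate.php"; fast_pattern:only; content:"pc="; distance:0; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 598
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
3/1/2018 -- 12:14:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE rule C"; file_data; content:"x"; http_header; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_58484_em0/rules/suricata.rules at line 442
3/1/2018 -- 12:14:32 - <Info> -- 3 rule files processed. 10542 rules successfully loaded, 3 rules failed
"""

ERROR_RE = re.compile(r'<Error> -- \[ERRCODE: (?P<code>[A-Z_]+)\(\d+\)\] - (?P<msg>.*)$')
PARSE_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r'\bsid:(?P<sid>\d+);')
MSG_RE = re.compile(r'msg:"(?P<text>[^"]*)"')
SUMMARY_RE = re.compile(r'(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed')

# Short labels (assumed for this example) for the reason strings Suricata prints.
REASON_LABELS = (
    ("combines packet specific matches", "packet_vs_app_layer"),
    ("fast_pattern only content", "fast_pattern_only_relative"),
    ("sticky buffer still set", "sticky_buffer"),
)


def classify_reason(reason):
    """Map a verbose reason line to a short label; unrecognised reasons become 'other'."""
    for needle, label in REASON_LABELS:
        if needle in reason:
            return label
    return "other"


def parse_rule_failures(text):
    """Return one record per failed signature, paired with the preceding reason line."""
    failures = []
    pending_reason = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if not m or m.group("code") != "SC_ERR_INVALID_SIGNATURE":
            continue
        msg = m.group("msg")
        p = PARSE_RE.match(msg)
        if p is None:
            pending_reason = msg          # reason line: keep it for the rule that follows
            continue
        rule = p.group("rule")
        sid = SID_RE.search(rule)
        name = MSG_RE.search(rule)
        failures.append({
            "sid": int(sid.group("sid")) if sid else None,
            "name": name.group("text") if name else "",
            "file": p.group("file"),
            "line": int(p.group("line")),
            "reason": pending_reason or "unknown",
        })
        pending_reason = None
    return failures


def summarize(text):
    """Group failed sids by reason and check the count against the summary line."""
    failures = parse_rule_failures(text)
    by_reason = defaultdict(list)
    for f in failures:
        by_reason[classify_reason(f["reason"])].append(f["sid"])
    s = SUMMARY_RE.search(text)
    reported = int(s.group("failed")) if s else None
    return {
        "loaded": int(s.group("loaded")) if s else None,
        "failed_reported": reported,
        "failed_seen": len(failures),
        # False means the excerpt does not show every failure (e.g. a truncated log).
        "consistent": reported == len(failures),
        "by_reason": dict(by_reason),
    }


if __name__ == "__main__":
    # Pass the path of an interface's suricata.log to analyse it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in parse_rule_failures(text):
        print(f"sid {f['sid']} ({f['name']}) {f['file']}:{f['line']} -> {classify_reason(f['reason'])}")
    print(summarize(text))
```

Run it against the interface's suricata.log to get the list of sids to disable or fix; a "consistent": False result means the excerpt you are looking at does not contain every failure Suricata counted.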

bmeeks
You are almost certainly hitting a Netmap compatibility problem.  Could be the higher interrupt rates that come with higher traffic rates, but also could be other buffer-related problems.  Netmap on FreeBSD, and then Netmap on FreeBSD within Suricata, are both still maturing technologies.  Translated to plain English that means expect some bugs to still be present.

I have tested Suricata inline mode with em0 virtual NICs on VMware Workstation VMs and it works, but I have not tried high traffic rates.  I don't really have a good way of simulating realistic loading in my simple home lab.  I have not tested Inline IPS Mode on ESXi virtual machines.

Bill