Project

General

Profile

Actions

Bug #6690

closed

SURICATA IPS Issue - Kills VLANS & Traffic Shaper

Added by Steven Kreitzer over 8 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Suricata
Target version:
-
Start date:
08/10/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.3.x
Affected Plus Version:
Affected Architecture:
All

Description

Strips 802.1q tagged traffic from an interface when running inline IPS mode.
Traffic shapper no longer works as one single interface can use up the whole upstream bandwidth.

Actions #1

Updated by Jim Thompson over 8 years ago

  • Category set to Suricata
  • Assignee set to Luiz Souza
  • Target version set to 2.4.0
  • Affected Version set to 2.3.x
  • Affected Architecture All added
  • Affected Architecture deleted ()
Actions #2

Updated by Sandeep K V over 8 years ago

Hi Steven Kreitzer and Jim Thompson isn't this the expected way the IPS has to work?

Actions #3

Updated by Steven Kreitzer over 8 years ago

Sandeep K V wrote:

Hi Steven Kreitzer and Jim Thompson isn't this the expected way the IPS has to work?

No, and it definitely shouldn't be stripping 802.1q traffic. I know it uses netcap and it may be an error on netcaps side.

Actions #4

Updated by Kill Bill about 8 years ago

There's already #6023 for netmap + shaping.

Actions #5

Updated by Kill Bill almost 8 years ago

In general, I'd say people who wish to use Snort/Suricata as IPS should look into divert sockets instead. The netmap thing is super-broken, hardware limited and in general not getting anywhere AFAICT.

Actions #6

Updated by Jim Thompson almost 8 years ago

Steven Kreitzer wrote:

Sandeep K V wrote:

Hi Steven Kreitzer and Jim Thompson isn't this the expected way the IPS has to work?

No, and it definitely shouldn't be stripping 802.1q traffic. I know it uses netcap and it may be an error on netcaps side.

My guess is that Suricata is stripping the tags. Likely the queue info is getting lost somewhere in that path as well.

Actions #7

Updated by Jim Thompson almost 8 years ago

Kill Bill wrote:

There's already #6023 for netmap + shaping.

"Shaping" is a hack that shouldn't have happened.

Actions #8

Updated by Jens Leinenbach over 7 years ago

Jim Thompson wrote:

Steven Kreitzer wrote:

Sandeep K V wrote:

Hi Steven Kreitzer and Jim Thompson isn't this the expected way the IPS has to work?

No, and it definitely shouldn't be stripping 802.1q traffic. I know it uses netcap and it may be an error on netcaps side.

My guess is that Suricata is stripping the tags. Likely the queue info is getting lost somewhere in that path as well.

A VLAN tag bug was fixed with Suricata version 3.2.1 that is available for pfSense. Can somebody please verify if this bug still exists as I think I had this issue with version 3.2.1.
https://redmine.openinfosecfoundation.org/issues/1780

Actions #9

Updated by Luiz Souza over 7 years ago

  • Target version changed from 2.4.0 to 2.4.1
Actions #10

Updated by Jim Pingle about 7 years ago

  • Target version changed from 2.4.1 to 2.4.2
Actions #11

Updated by Jim Pingle about 7 years ago

  • Target version changed from 2.4.2 to 2.4.3
Actions #12

Updated by Jim Pingle almost 7 years ago

  • Status changed from New to Feedback
  • Target version changed from 2.4.3 to 2.4.4

Still waiting on feedback/new testing on current versions of pfSense and suricata

Actions #13

Updated by Anonymous over 6 years ago

  • Status changed from Feedback to Closed
  • Target version deleted (2.4.4)

Marking this closed due to lack of feedback. If you believe this should be reopened, please let us know.

Actions #14

Updated by Tenzen Tunkman almost 5 years ago

This issue is still not solved - Inline filtering will break traffic shaping as well as for example traffic graph functionality

Actions #15

Updated by Bill Meeks almost 5 years ago

Tenzen Tunkman wrote:

This issue is still not solved - Inline filtering will break traffic shaping as well as for example traffic graph functionality

This may actually be a limitation inherent in the way netmap works and not really a bug that is easily fixable. Netmap is a somewhat radically different "plumbing method" for routing network traffic, and as such is likely to break other ancilary features like limiters that rely on the more conventional kernel-based network plumbing.

If a user has a strong need for limiters, it may be better to put Suricata on a different hardware platform either upstream of downstream of the firewall such that the limiter can run on the firewall with conventional networking while the inline IPS executes on a different box where the unconventional netmap re-mapping of the network plumbing won't impact limiters or traffic graphing. I get this is not as attractive as a one-box solution, but with some technologies there are tradeoffs.

Actions

Also available in: Atom PDF