<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>We have got suricata+netmap working in IPS mode. Once we bring it up, we can ping through the device as if it wasnt there. However, within a few seconds of receiving traffic, all packets stop passing across suricata. This means that all traffic outbound
+ inbound also stop. All we have to do is restart suricata and the issue repeats. We have tried multiple versions of FreeBSD as well as suricata and the same issue appears. We have done little to tune the default suricata.yaml since we have been combating
this issue other than configuring the interfaces. We have also used the default suricata.yaml from 3.0 and 3.1.1.</p>
<p><br>
</p>
<p>Compile Options</p>
<p>--enable-geoip --enable-netmap --localstatedir=/var/</p>
<p><br>
</p>
<p>Config + setup(s):</p>
<p>Suricata 3.0 Release</p>
<p>Suricata 3.1.1 Release</p>
<p>FreeBSD 10.3 Release (Custom kernel + netmap compiled)</p>
<p>FreeBSD 11 RC2 (netmap built-in no customization)</p>
<p>Silicom PEG4i Quad Gigabit Bypass Card</p>
<p>8 Core i7</p>
<p>32GB Memory</p>
<p><br>
</p>
<p>Interface config: suricata.yaml</p>
<p></p>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
- interface: em5</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
threads: auto</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
copy-mode: ips</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
copy-iface: em4</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
disable-promisc: no</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
checksum-checks: auto</div>
</div>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
- interface: em4</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
threads: auto</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
copy-mode: ips</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
copy-iface: em5</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
disable-promisc: no</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">
checksum-checks: auto</div>
</div>
<div><br>
</div>
<br>
<p></p>
<p>Please advise on how I can troubleshoot this issue</p>
<p><br>
</p>
<p>Thanks</p>
<p>Brandon</p>
</div>
</body>
</html>