[Oisf-users] Suricata Inline with Netmap transparent mode

[Brandon Reeves]

We are attempting to get Suricata working inline with netmap transparently. Basically, we want the ability to drop a box between traffic and have it be an IPS. We have netmap built into the kernel (currently FreeBSD 10.3) and suricata installed. However when we put the device inline, it doesnt appear that traffic is being passed between the interfaces to let the connections out.


Here is our netmap config:

netmap:
   # To specify OS endpoint add plus sign at the end (e.g. "eth0+")
  - interface: default
    threads: auto
    copy-mode: ips
    disable-promisc: no #  promiscuous mode
    checksum-checks: auto

  - interface: em4
    copy-iface: em5

  - interface: em5
    copy-iface: em4

Notes:

Suricata starts fine (no errors)

Traffic does not pass from internal to external (em4=internal / em5=external)

Suricata does appear to catch traffic on the em4 (internal interface)


Config:

FreeBSD 10.3 (rebuilt kernel with netmap)

Suricata version 3.0 RELEASE


Can anyone provide guidance related to getting suricata setup inline with netmap transparently? We need to deploy these without disrupting networks etc, so we just want them to be in the path of the packets, not part of the route.


Thanks

Brandon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160831/97916911/attachment-0001.html>