
Suricata inline mode: Does anyone have this working?


Alright, the setup.
an old i3 4160 HP ProDesk 400 G1 with the Realtek onboard NIC disabled in the BIOS, 8GB of RAM, and an Intel I340-T4 Quad Port for everything else. Also Hyper-Threading is disabled.

I have a few VLANs set up but nothing serious, a few VPN clients that are always connected, and that’s really it. Oh, and a FiOS 1GB connection.

Moving on,
I’ve managed to more or less tame Suricata in legacy mode to my liking, not too much noise, but decent/adequate blocking. When I enable inline mode on only one interface, WAN, it works for about 10 mins, then services begin to crash, including DNS. If I start a speedtest, I can get it to crash before the 10 mins.

I’ve gone through the interfaces and increased the amount of RAM for Fragmentation Memory Cap, Flow Memory Cap, & Stream Memory Cap. All x4 the default value. I’ve uninstalled unnecessary packages as well.

The frustrating thing is trying to get to the log after the crash, as it won’t come up until after a restart. Plus I don’t really know what I’m looking at. During operation I’m well within any CPU & memory tolerances.

Does anybody have this working? What am I missing? There has to be a NIC that supports Netmap; I thought for sure an I340-T4 would.
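The post raises the memcaps (fragmentation, flow, stream) but says the log is hard to read after a crash. The script below is an added example, not from the original post or from the Suricata project: it parses the counter table that Suricata writes to stats.log and reports the counters that increment when a memcap is exhausted (`flow.memcap`, `tcp.ssn_memcap_drop`, `tcp.segment_memcap_drop`), alongside the capture drop ratio. The stats.log excerpt embedded in `SAMPLE_STATS_LOG` is constructed for the example; the mapping from counter to suricata.yaml setting is the one Suricata documents, and the log path on a pfSense install is left to the reader (it is per-interface and not assumed here).

```python
import re

# Constructed excerpt of a Suricata stats.log (sample data for this example,
# not taken from the poster's box). Column layout mirrors Suricata's own table.
SAMPLE_STATS_LOG = """\
Date: 1/1/2024 -- 12:00:00 (uptime: 0d, 00h 09m 30s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 4812233
capture.kernel_drops                       | Total                     | 18190
decoder.pkts                               | Total                     | 4794043
defrag.ipv4.fragments                      | Total                     | 120
flow.memcap                                | Total                     | 2714
tcp.sessions                               | Total                     | 71022
tcp.ssn_memcap_drop                        | Total                     | 511
tcp.segment_memcap_drop                    | Total                     | 9302
"""

# One counter row: "<name> | <thread/TM name> | <integer value>"
COUNTER_RE = re.compile(
    r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$"
)

# Counters that climb when the corresponding memcap setting is exhausted.
MEMCAP_COUNTERS = {
    "flow.memcap": "flow.memcap",
    "tcp.ssn_memcap_drop": "stream.memcap",
    "tcp.segment_memcap_drop": "stream.reassembly.memcap",
}


def parse_stats_log(text):
    """Return {counter_name: value} for every counter row in a stats.log dump.

    Header, separator and 'Date:' lines do not match the row regex and are skipped.
    If the file holds several dumps, later rows overwrite earlier ones, so the
    result reflects the most recent dump."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def memcap_pressure(counters):
    """Map each non-zero memcap counter to (value, suricata.yaml setting to raise)."""
    return {
        name: (counters[name], setting)
        for name, setting in MEMCAP_COUNTERS.items()
        if counters.get(name, 0) > 0
    }


def drop_ratio(counters):
    """Fraction of packets the capture layer dropped (0.0 when nothing captured)."""
    pkts = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    return drops / pkts if pkts else 0.0


def report(text):
    """Human-readable summary; returns the parsed counters for further use."""
    counters = parse_stats_log(text)
    print(f"capture drop ratio: {drop_ratio(counters):.2%}")
    for name, (value, setting) in memcap_pressure(counters).items():
        print(f"{name} = {value}  -> consider raising '{setting}'")
    return counters


if __name__ == "__main__":
    report(SAMPLE_STATS_LOG)
```

Run it against a real stats.log by reading the file into `report()`. A rising `tcp.segment_memcap_drop` with a healthy drop ratio points at the reassembly memcap, which is separate from the stream memcap the GUI exposes; a high drop ratio with all memcap counters at zero points at the capture path (netmap ring sizing) rather than memory caps.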