Other Suricata in IPS mode blocks pkg/portsnap

Hello!
I own a small hosting company and among the templates offered to clients, there is also FreeBSD.
The problem I'm facing is that Suricata in IDS mode, even without any active rules (I disabled them all for the test), blocks any pkg/portsnap activity after a while (usually after 75% of the download).
I discovered here on the Forum that someone had the same problem and the solution was to disable the IDS at the host level (Suricata is installed on Proxmox and FreeBSD is installed on the KVM guest).
Any ideas for solving this problem?
Thanks in advance!
Example of stopped install:
Code:
root@hazi:~ # pkg install mysql57-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 13 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        cyrus-sasl: 2.1.28
        groff: 1.22.4_4
        libedit: 3.1.20221030,1
        libevent: 2.1.12
        liblz4: 1.9.4,1
        libpaper: 1.1.28
        mysql57-client: 5.7.42
        mysql57-server: 5.7.42
        openldap26-client: 2.6.4
        perl5: 5.32.1_3
        protobuf: 3.21.12,1
        psutils: 1.17_5
        uchardet: 0.0.8

Number of packages to be installed: 13

The process will require 287 MiB more space.
39 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/13] Fetching protobuf-3.21.12,1.pkg: 100%    3 MiB   1.7MB/s    00:02
[2/13] Fetching cyrus-sasl-2.1.28.pkg: 100%  989 KiB   1.0MB/s    00:01
[3/13] Fetching liblz4-1.9.4,1.pkg: 100%  136 KiB 138.9kB/s    00:01
[4/13] Fetching mysql57-server-5.7.42.pkg: 100%   14 MiB   3.0MB/s    00:05
[5/13] Fetching groff-1.22.4_4.pkg: 100%    3 MiB   1.4MB/s    00:02
[6/13] Fetching uchardet-0.0.8.pkg: 100%  112 KiB 114.4kB/s    00:01
[7/13] Fetching mysql57-client-5.7.42.pkg:  33%  656 KiB 671.7kB/s    00:02 ETA
 
Instead of disabling the IDS, find out why the traffic has been dropped by Suricata (timeouts, defrag memory limit, etc.).


Or ignore the traffic to and from that VM.


I don't see any relation between the FreeBSD VM and this problem. You may have better luck asking on the Suricata forum.
 
Package downloads are simply HTTP(S) file transfers. They're regular downloads like you would on any other website. I would take a look at the reason why Suricata blocks the traffic.
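
One way to act on the replies above and find out why Suricata drops the traffic, as an added example that is not part of the original thread: compare Suricata's own counters before and after a stalled download. It assumes stats logging to eve.json is enabled; the watched counter names are an assumption that varies by Suricata version, and the sample records are constructed.

```python
import json

# Counters worth checking when a transfer stalls. Names follow Suricata's EVE
# "stats" records; which ones exist depends on version and run mode (assumption).
WATCHED = (
    "ips.blocked", "tcp.ssn_memcap_drop", "tcp.segment_memcap_drop",
    "tcp.reassembly_gap", "tcp.invalid_checksum", "defrag.max_frag_hits",
    "flow.memcap", "capture.kernel_drops",
)

def flatten(node, prefix=""):
    """Turn nested stats dicts into {'tcp.reassembly_gap': 3, ...}."""
    flat = {}
    for key, value in node.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        elif isinstance(value, (int, float)):
            flat[name] = value
    return flat

def growing_counters(lines, watched=WATCHED):
    """Return watched counters that rose between the first and last stats record."""
    snaps = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may end with a partially written line
        if isinstance(event, dict) and event.get("event_type") == "stats":
            snaps.append(flatten(event.get("stats", {})))
    if len(snaps) < 2:
        return {}  # need a "before" and an "after" snapshot
    first, last = snaps[0], snaps[-1]
    deltas = {n: last.get(n, 0) - first.get(n, 0) for n in watched}
    return {n: d for n, d in deltas.items() if d > 0}

# Constructed sample: two stats records bracketing a stalled download.
SAMPLE = [
    '{"event_type":"stats","stats":{"ips":{"accepted":1000,"blocked":0},"tcp":{"reassembly_gap":0,"invalid_checksum":2},"flow":{"memcap":0}}}',
    '{"event_type":"flow","proto":"TCP"}',
    '{"event_type":"stats","stats":{"ips":{"accepted":5200,"blocked":41},"tcp":{"reassembly_gap":3,"invalid_checksum":2},"flow":{"memcap":0}}}',
    '{"event_type":"stats","stats":{"ips":',
]

if __name__ == "__main__":
    for name, delta in growing_counters(SAMPLE).items():
        print(f"{name} increased by {delta}")
```

A counter that rises only while `pkg` is fetching points at the setting to review (memcaps, stream handling, checksum validation) before resorting to disabling inspection for the VM.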
 