[Oisf-devel] Suricata and Open vSwitch integration

Victor Julien lists at inliniac.net
Mon Sep 30 11:34:29 UTC 2019


Hi Ansis,

On 30-09-19 06:00, Ansis wrote:
> I am one of the Open vSwitch developers who are investigating how
> Suricata could be integrated with the Open vSwitch project. Open vSwitch
> is a multi-platform software switch that is used in, but not limited
> to, network virtualization. I am mostly interested in IDS at this
> stage.
> 
> I looked into the various packet acquisition interfaces that Suricata
> already supports. However, none of them seem able to achieve
> what we want, because:
> 1. Open vSwitch is programmed through OpenFlow rules, and we would
> like to retain the ability to selectively steer some of the traffic to
> Suricata for L7 inspection by using them, while letting other traffic
> running on well-known ports bypass Suricata. This eliminates NFQueue
> and similar acquisition interfaces, because they happen outside the
> OpenFlow packet pipeline stage.

If it is only IDS you care about, could Suricata simply listen on a
(virtual) SPAN port? I suppose (almost) no Suricata changes would be
required if we can use the normal AF_PACKET capture on that port. The
OVS system could then somehow determine what traffic is and isn't copied
to this SPAN port?


> 2. Open vSwitch should be capable of dealing with overlapping IP address
> spaces, where the same Open vSwitch+Suricata instance should be able to
> differentiate traffic between two VMs that could possibly have exactly
> the same IP addresses.

Right now in Suricata we can only do this for VLAN (and QinQ). But we're
planning to add more ways.


> 3. Performance considerations.

What is your main performance concern?


> 
> 
> Having said that, I am considering the following designs:
> 1. Link Suricata against libopenvswitch so that Suricata could act as
> an OpenFlow controller to which the Open vSwitch process could connect.
> This would solve consideration #1. However, talking over Unix domain
> sockets is expensive, so #3 will probably fail.

If I understand OVS correctly, this is not about transferring packets or
alerts or anything like that, but instead about Suricata somehow
instructing OVS to make certain policy decisions?


> 2. Decouple the Suricata IDS logic into a shared library and let Open
> vSwitch load it with dlopen(). This would solve #1 and #3 (as packet
> inspection would happen in the Open vSwitch process space and would
> avoid copying the packet and doing a context switch). Currently Open
> vSwitch does not allow loading *.so plugins, but there is a patch in
> progress [https://patchwork.ozlabs.org/patch/1063736/] that I sent out
> and that will set the precedent for how the v1 API for such plugins
> would have to look.

A library version of Suricata is not currently available. There is some
discussion about creating this, but nothing usable exists right now.


> Depending on the design we take now, it may enforce constraints on one
> or both projects to implement certain APIs that both projects would
> have to agree upon.

Not sure I understand what kind of constraints you have in mind here?


> Any other suggestions in case I am missing something?

Not right now. Maybe when I understand the use case(s) a bit more.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
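The thread's second point (one Suricata instance behind OVS must tell apart two VMs that carry identical IP addresses) and Victor's answer (today Suricata can only separate such traffic by VLAN and QinQ tags) come down to what goes into the flow key. The following is an added illustration, not code from Suricata, Open vSwitch, or either poster: it parses constructed Ethernet frames, walks any stacked 802.1Q/802.1ad tags, and keys flows on the VLAN stack plus the IPv4 five-tuple. Running the same frames through a key that ignores the tags shows the collision a switch that mirrors tagged traffic to a SPAN port avoids. The frames, addresses, VLAN IDs and helper names (`parse_frame`, `build_frame`, `count_flows`) are all constructed for the example.

```python
"""VLAN-aware flow keying: why 802.1Q / QinQ tags let one IDS instance
separate tenants with overlapping IP space. Added example; the frames
below are constructed, not captured, and nothing here is Suricata code."""
import socket
import struct
from collections import Counter
from typing import NamedTuple, Optional, Tuple

ETH_P_8021Q = 0x8100   # 802.1Q tag (C-VLAN)
ETH_P_8021AD = 0x88A8  # 802.1ad outer tag (S-VLAN, used for QinQ)
ETH_P_IP = 0x0800


class FlowKey(NamedTuple):
    vlans: Tuple[int, ...]   # VLAN ID stack, outer first; () when untagged
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def parse_frame(frame: bytes, keep_vlans: bool = True) -> Optional[FlowKey]:
    """Turn an Ethernet/IPv4/TCP-or-UDP frame into a FlowKey.

    Any number of stacked 802.1Q / 802.1ad tags is walked. With
    keep_vlans=False the tag stack is dropped from the key, which is what a
    plain five-tuple lookup would do. Returns None for non-IPv4 or truncated
    frames instead of raising."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    vlans = []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < off + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        off += 4
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    l4 = off + ihl
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return FlowKey(tuple(vlans) if keep_vlans else (), src, dst, proto, sport, dport)


def build_frame(vlans, src, dst, proto=6, sport=40000, dport=80) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame with the given VLAN stack
    (outer first). A two-entry stack is emitted as 802.1ad outer + 802.1q
    inner, i.e. QinQ. Checksums are left zero; this is test input only."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # dummy MACs
    tags = b""
    for i, vid in enumerate(vlans):
        tpid = ETH_P_8021AD if (len(vlans) > 1 and i == 0) else ETH_P_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + tags + struct.pack("!H", ETH_P_IP) + ipv4 + tcp


def count_flows(frames, keep_vlans: bool = True) -> Counter:
    """Count packets per flow key over a list of frames."""
    table = Counter()
    for f in frames:
        key = parse_frame(f, keep_vlans)
        if key is not None:
            table[key] += 1
    return table


# Constructed sample: two tenant VMs that both use 10.0.0.5 -> 10.0.0.9:80.
# Tenant A sits on VLAN 100; tenant B is QinQ, S-VLAN 10 / C-VLAN 200.
SAMPLE = [
    build_frame((100,), "10.0.0.5", "10.0.0.9"),
    build_frame((100,), "10.0.0.5", "10.0.0.9"),
    build_frame((10, 200), "10.0.0.5", "10.0.0.9"),
]

if __name__ == "__main__":
    for name, keep in (("vlan-aware key", True), ("five-tuple only", False)):
        table = count_flows(SAMPLE, keep)
        print(f"{name}: {len(table)} flow(s)")
        for key, n in table.items():
            print("  ", key, n)
```

With the tag stack in the key the sample yields two flows (two packets for tenant A, one for tenant B); with the five-tuple alone the same frames collapse into a single flow of three packets, so any per-flow state, stream reassembly or alert would be attributed to the wrong tenant. This is also why a SPAN/mirror design has to preserve the tags on the mirrored copy: strip them, and the IDS loses its only current way of telling the two address spaces apart.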