martinbarrowcliff at gmail.com
Wed Aug 11 17:42:11 UTC 2010
Suricata; Innovation. Maybe this suggestion will help.
I only suggest this from my experience with Linux networking. As for
BSD, Mac, and Windows, I humbly leave it to others to ponder solutions.
I am using Suricata with the ET rules and it works but queuing in
iptables rules breaks the logical flow.
That is not innovative... It is ugly. I don't like that mess.
On Linux platforms Suricata could be implemented as a kernel module and
integrated into the system, instead of running in user space.
It would be much more efficient, especially when used as an IPS.
Then a new xtables target and match would allow a direct interface
using iptables rules, instead of the current queuing mechanism,
which is not very flexible and returns no information.
Instead of using Suricata to handle disposition we would remove all
Suricata action code, and just return the packet with a reserved mark.
Packets processed by Suricata rules would then be matched against the
mark and acted upon with an iptables match rule, while the rest continue
to traverse iptables rules. Logging of actions then becomes child's play.
I do similar stuff with the GeoIP and ipset modules and that works fast
and fine. I am sure doing this is the best idea for Suricata on Linux.
This Linux modular code can be a fork from the main code so the project
is not changed from its original form. Won't break anything.
The person to discuss this with is Jan Engelhardt, who would also make a
great member of the Suricata team on behalf of Linux. (begging helps;-)
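The mark-based dispatch described in the post above, written out as iptables rule sets. This is an added example, not code from the original message or from the Suricata project. It assumes queue number 0 and an inspecting process that hands every queued packet back with a verdict encoded in fwmark bits; the bit values (0x1 inspected, 0x2 drop, 0x4 alert only) are arbitrary choices made for this example, and whether the inspector sets them is outside the scope of the rules shown.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project):
# the post's mark-based dispatch expressed as iptables-restore fragments.
# Assumed conventions: queue number 0, and an inspecting process that
# returns each queued packet with a verdict encoded in fwmark bits.
# The bit values below are arbitrary choices for this example.

QUEUE_NUM=${QUEUE_NUM:-0}
MARK_SEEN=0x1     # set on every packet the inspector hands back
MARK_DROP=0x2     # inspector's "drop this" verdict
MARK_ALERT=0x4    # inspector's "log it but let it through" verdict

# Build a fwmark match that tests a single bit, e.g. "-m mark --mark 0x2/0x2".
# Pass "not" as the second argument to negate the match.
mark_match() {
    if [ "$2" = "not" ]; then
        printf '%s' "-m mark ! --mark $1/$1"
    else
        printf '%s' "-m mark --mark $1/$1"
    fi
}

# The shape the post complains about: a single NFQUEUE rule. The verdict
# (accept or drop) is decided inside the user-space process, and the
# iptables rule set learns nothing about what happened.
current_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':FORWARD ACCEPT [0:0]' \
        "-A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM" \
        'COMMIT'
}

# The proposed shape: the inspector only marks, iptables does the
# disposition and the logging. Packets already carrying the "seen" bit
# skip the queue, so a packet re-injected with NF_REPEAT (which
# re-enters the chain from its first rule) is not inspected twice.
mark_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':FORWARD ACCEPT [0:0]' \
        "-A FORWARD $(mark_match $MARK_SEEN not) -j NFQUEUE --queue-num $QUEUE_NUM" \
        "-A FORWARD $(mark_match $MARK_DROP) -j LOG --log-prefix \"IDS-DROP: \"" \
        "-A FORWARD $(mark_match $MARK_DROP) -j DROP" \
        "-A FORWARD $(mark_match $MARK_ALERT) -j LOG --log-prefix \"IDS-ALERT: \"" \
        '-A FORWARD -j ACCEPT' \
        'COMMIT'
}

# Load the proposed rules without flushing other tables or chains.
# Needs root and a kernel with netfilter queueing; not run by default.
apply_mark_ruleset() {
    mark_ruleset | iptables-restore --noflush
}

case "${1:-}" in
    current) current_ruleset ;;      # print the single-NFQUEUE version
    apply)   apply_mark_ruleset ;;   # load the mark-based version
    *)       mark_ruleset ;;         # print the mark-based version
esac
```

Run the script with no arguments to review the mark-based rule set, with `current` to see the single-queue version for comparison, and with `apply` (as root) to load it with `iptables-restore --noflush`. If the inspector returns a packet with NF_ACCEPT rather than NF_REPEAT, traversal resumes at the rule after the NFQUEUE rule, so the mark checks that follow it still see the verdict bits; the negated "seen" match on the queue rule only matters for the NF_REPEAT case.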