[Oisf-devel] innovation

[m]

Surricata; Innovation. Maybe this suggestion will help.
I only suggest this from my experience with linux networking. As far as 
BSD, MAC, and Windows I humbly leave others to ponder solutions.

I am using Suricata with the ET rules and it works but queuing in 
iptables rules breaks the logical flow.
That is not innovative... It is ugly. I don't like that mess.

On linux platforms Suricata could be implemented as a kernel module and 
integrated into the system, instead of running in user space.
It would be much more efficient, especially when used as an IPS.

Then a new xtables target and match, would allow a direct interface 
using iptables rules, instead of using the current queuing mechanism 
which is not very flexible and returns no information.

Instead of using Suricata to handle disposition we would remove all 
Suricata action code, and just return the packet with a reserved mark.
Packets processed by Suricata rules would then be matched against the 
mark and acted upon with an iptables match rule, while the rest continue 
to traverse iptables rules. Logging of actions then becomes child play.

I do similar stuff with the GeoIP and ipset modules and that works fast 
and fine. I am sure doing this is the best idea, for Suricata on linux.

This linux modular code can be a fork from the main code so the project 
is not changed from it's original form. Won't break anything.

The person to discuss this with is Jan Engelhardt, who would also make a 
great member of the Suricata team on behalf of linux. (begging helps;-)


best regards,

Marty B.