[Oisf-users] IPS advice wanted

Victor Julien lists at inliniac.net
Wed Aug 13 12:41:28 UTC 2014

On 08/12/2014 04:13 PM, David Nadle wrote:
> I’m running Suricata in inline mode on a small Centos-6.5 server with an
> 8-core Atom processor and 16 GB of RAM. This is to protect a small home
> office / residence.
> I started out running in workers mode. Unfortunately I haven’t been able
> to get the NFQUEUE --queue-balance to work with the Centos 6.5 kernel. It
> sends everything to queue zero. So I created forwarding rules that send
> the inbound traffic to queue 0 and the outbound to queue 1.
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j NFQUEUE --queue-num 0
> -A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 1
> This seemed to work ok but it means I have just two threads running. I
> also had to have my VOIP phone bypass the queue. Too many dropouts.
> I’m currently trying autofp mode with a single queue (14 processing
> threads, 3 management threads) and even though I’ve set memcap values
> very generously I see nonzero tcp.reassembly_gap. I’m also seeing some
> buffering issues with video streaming services like Netflix. While this
> load is going on the server CPU and RAM are not especially taxed.
> There’s lots of idle percentage and lots of RAM free.

I think here the single packet acquisition thread can't feed the detect
threads fast enough.

> What should I try next? Should I go back to workers mode? I thought
> about splitting into 4 queues by inbound/outbound, tcp/other. Should I
> have video streaming clients bypass the IPS as well?

If you're stuck with CentOS 6.5 I think this is the best option. If
you're able to upgrade the OS then the queue balancing is probably best.

Wrt video bypass, I think with some nfq/iptables magic you could do
quite some interesting things here. But it's non-trivial to set up.

In Eric's blog post here
https://home.regit.org/2012/10/defend-your-network-from-word/ you can
find some examples of how, using the nfq_set_mark rule keyword in
Suricata, you can interact with the iptables ruleset.

In short, you could have Suricata rules detecting video streams, set a
mark, then in iptables make sure this leads to ACCEPT instead of NFQUEUE
for the rest of the connection.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
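As an added example (not part of Victor's reply, nor taken from Eric's post), here is one way to wire up the mark-based bypass he describes: a Suricata rule tags the matching packet with an nfmark, the filter table copies that mark into the conntrack entry, and the mangle table lets already-tagged connections skip NFQUEUE. The mark value 0x1, the hostname "video.example.invalid", the eth0/eth1 roles and the chain layout are all assumptions made for this illustration; the NFQUEUE, CONNMARK, connmark and mark syntax is the standard iptables syntax and nfq_set_mark:<mark>/<mask> is Suricata's documented keyword form.

```conf
# --- Suricata side (e.g. local.rules) -----------------------------------
# Constructed rule: match an HTTP request for a hypothetical streaming host
# and set nfmark 0x1 (mask 0x1) on the packet via nfq_set_mark.
# "video.example.invalid" is a placeholder, not a real service.
alert http any any -> any any (msg:"BYPASS video stream"; http_host; content:"video.example.invalid"; nocase; nfq_set_mark:0x1/0x1; sid:1000001; rev:1;)

# --- Netfilter side (iptables-restore format) ---------------------------
# Assumed layout: eth0 = WAN, eth1 = LAN, Suricata listening on NFQUEUE 0.
# The queue sits in the mangle table so that the filter table, traversed
# after Suricata's verdict, can still see the mark Suricata put on the skb.
*mangle
:FORWARD ACCEPT [0:0]
# Connections already tagged in conntrack skip the queue entirely.
-A FORWARD -m connmark --mark 0x1/0x1 -j ACCEPT
# Everything else crossing the box goes to Suricata.
-A FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-num 0
-A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0
COMMIT

*filter
:FORWARD ACCEPT [0:0]
# Runs after the verdict: if Suricata set bit 0x1 on this packet, store it
# in the connection mark so the rest of the flow hits the bypass above.
-A FORWARD -m mark --mark 0x1/0x1 -j CONNMARK --save-mark --nfmask 0x1 --ctmask 0x1
# Ordinary forwarding policy for the home office (constructed).
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
```

Two points worth keeping in mind with this layout. Only the packet that matched the rule carries the mark, so the first request of a flow is still fully inspected and everything after the CONNMARK save is invisible to Suricata, including the flow's teardown; keep the bypass rule narrow, because once a connection is tagged no later signature will ever see it. And if suricata.yaml uses nfq repeat mode, that mode has its own mark/mask setting, so pick a bit for nfq_set_mark that does not overlap it.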
