[Oisf-users] Suricata inspects all packets?
Vishal Kotalwar V
vishalkv at altencalsoftlabs.com
Thu May 12 09:11:47 UTC 2016
Any views on this?
Thanks & regards,
Vishal V. Kotalwar
----- Original Message -----
From: "Vishal Kotalwar V" <vishalkv at altencalsoftlabs.com>
To: "Andreas Herz" <andi at geekosphere.org>
Cc: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Wednesday, May 11, 2016 5:18:00 PM
Subject: Re: [Oisf-users] Suricata inspects all packets?
Thanks for the reply Andreas.
So you mean to say Suricata will receive all the packets, and the verdict given is per packet, not per flow. This makes sense when the number of attacks is high and we want to inspect each and every packet, as we don't know which packet in a flow/stream may contain malicious data. But isn't this a huge overhead when we are talking about 10-40Gbps line rate, where most of the traffic is legitimate?
Would it be a good idea to allow or block traffic at netfilter/kernel itself based on the verdict Suricata has given for the initial packets of that flow/stream?
Thanks & regards,
Vishal V. Kotalwar
----- Original Message -----
From: "Andreas Herz" <andi at geekosphere.org>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Wednesday, May 11, 2016 4:40:44 PM
Subject: Re: [Oisf-users] Suricata inspects all packets?
On 10/05/16 at 16:57, Vishal Kotalwar V wrote:
> Hi,
> I am new to IPS/IDS and netfilter framework. I have a query on packet handling by suricata & netfilter.
>
> In IPS mode, we add iptables rule to pass packets to NFQ on which suricata is listening. Suricata processes those packets and issues verdict for that flow.
> Does netfilter send packets from the same flow to Suricata even after the verdict is given? I would assume that conntrack would kick in here to bypass the queuing for optimization ...
> Is that right? But conntrack is not mandatory for Suricata/netfilter functioning.
Unless you filter some packets by state using the ctstate match, you
should see all packets. That depends on your ruleset for netfilter, but
as long as every packet from FORWARD (or INPUT/OUTPUT) arrives in
NFQUEUE it should be fine.
--
Andreas Herz
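The two netfilter rulesets Andreas's answer contrasts, written out as an added example (not from the thread or the Suricata project): one queues every FORWARD packet to NFQUEUE, the other uses the ctstate match so that only NEW-state packets reach Suricata. Queue number 0 and the FORWARD chain are assumptions; the helper names are invented for illustration.

```shell
#!/bin/sh
# Assumed queue number; Suricata would be started with -q 0 to match.
QUEUE=0

# Emit the iptables commands for one of two modes.
# all:      every forwarded packet is queued, so Suricata verdicts each
#           packet of every flow (what the thread observes by default).
# new-only: netfilter accepts ESTABLISHED/RELATED packets before the queue
#           rule, so Suricata only sees NEW-state packets of a flow.
# Caveat: in new-only mode a flow that turns malicious after its first
# packets is never inspected; that is the trade-off the thread asks about.
nfq_rules() {
    case "$1" in
        all)
            echo "iptables -A FORWARD -j NFQUEUE --queue-num $QUEUE"
            ;;
        new-only)
            echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            echo "iptables -A FORWARD -m conntrack --ctstate NEW -j NFQUEUE --queue-num $QUEUE"
            ;;
        *)
            echo "usage: nfq_rules all|new-only" >&2
            return 1
            ;;
    esac
}

# Model the chain walk: given a mode and a packet's conntrack state,
# report where the packet ends up ("queue" = handed to Suricata,
# "accept" = passed by netfilter, "policy" = falls through to chain policy).
reaches_suricata() {
    case "$1:$2" in
        all:*)                                   echo queue ;;
        new-only:ESTABLISHED|new-only:RELATED)   echo accept ;;
        new-only:NEW)                            echo queue ;;
        new-only:*)                              echo policy ;;
        *) echo "unknown mode/state: $1 $2" >&2; return 1 ;;
    esac
}

# Number of rules in a mode that hand traffic to NFQUEUE.
queued_rule_count() {
    nfq_rules "$1" | grep -c -- '-j NFQUEUE'
}

# Apply a mode for real only as root; otherwise print the rules for review.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; printing rules instead of applying them" >&2
        nfq_rules "$1"
        return 0
    fi
    nfq_rules "$1" | sh -e
}
```

Run `apply_rules all` or `apply_rules new-only` as root to install a ruleset; as a normal user it only prints the commands.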
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net