[Oisf-users] Suricata inspects all packets?

Andreas Herz andi at geekosphere.org
Thu May 12 09:39:45 UTC 2016

On 11/05/16 at 17:18, Vishal Kotalwar V wrote:
> Thanks for the reply Andreas. 
> So you mean to say Suricata will receive all the packets and verdict
> given is per packet not per flow. This makes sense when no of attacks
> is more and we want to inspect each and every packet as we don't know
> which packet in a flow/stream may contain malicious data. But isn't
> this a huge overhead when we are talking about 10-40Gbps of line rate
> where most of the traffic is legitimate.

You can decide, based on your iptables/nftables rules, which packets are
received by suricata.
But if you want to investigate a connection/flow you need to make sure
every corresponding packet is going into suricata.

To reduce overhead you can add additional rules in front of suricata,
like droping STATE=invalid or other things you see no gain in

> Will it be a good idea to allow or block traffic at netfilter/kernel
> it self based on the verdict suricata has given for initial packets of
> that flow/stream?

Not 100% sure what you want to achieve.

> Thanks & regards, Vishal V. Kotalwar
> ----- Original Message ----- From: "Andreas Herz"
> <andi at geekosphere.org> To: "oisf-users"
> <oisf-users at lists.openinfosecfoundation.org> Sent: Wednesday, May 11,
> 2016 4:40:44 PM Subject: Re: [Oisf-users] Suricata inspects all
> packets?
> On 10/05/16 at 16:57, Vishal Kotalwar V wrote:
> > Hi, I am new to IPS/IDS and netfilter framework. I have a query on
> > packet handling by suricata & netfilter. 
> > 
> > In IPS mode, we add iptables rule to pass packets to NFQ on which
> > suricata is listening. Suricata processes those packets and issues
> > verdict for that flow.  Does netfilter send packets from same flow
> > to suricata even after verdict is given? I would assume that
> > conntrack would kick-in here to bypass the queuing for optimization
> > ...  is that right? But conntrack is not mandatory for
> > suricata/netfilter functioning. 
> Unless you filter some packets by state using the ctstate match, you
> should see all packets. That depends on your ruleset for netfilter,
> but as long as every packet from FORWARD (or INPUT/OUTPUT) arrives in
> NFQUEUE it should be fine.
> -- Andreas Herz _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net

Andreas Herz

More information about the Oisf-users mailing list