[Oisf-users] Suricata inspects all packets?

Vishal Kotalwar V vishalkv at altencalsoftlabs.com
Thu May 12 09:57:27 UTC 2016


Andreas,

>To reduce overhead you can add additional rules in front of suricata,
>like droping STATE=invalid or other things you see no gain in
>investigating.
Good idea, will definitely try this.

>Not 100% sure what you want to achieve

Let me try to explain this way ...

Suppose there is a connection/flow between A & B, suricata investigates this flow and issues a verdict to drop packets for this flow. Wouldn't it be wise not to send any more packets from this connection/flow (A<->B) to suricata for processing as we already know that it is bad. We can reduce load on suricata as well as on system resources.

Thanks & regards, 
Vishal V. Kotalwar

----- Original Message -----
From: "Andreas Herz" <andi at geekosphere.org>
To: "Vishal Kotalwar V" <vishalkv at altencalsoftlabs.com>
Cc: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Thursday, May 12, 2016 3:09:45 PM
Subject: Re: [Oisf-users] Suricata inspects all packets?

On 11/05/16 at 17:18, Vishal Kotalwar V wrote:
> Thanks for the reply Andreas. 
> 
> So you mean to say Suricata will receive all the packets and verdict
> given is per packet not per flow. This makes sense when no of attacks
> is more and we want to inspect each and every packet as we don't know
> which packet in a flow/stream may contain malicious data. But isn't
> this a huge overhead when we are talking about 10-40Gbps of line rate
> where most of the traffic is legitimate.

You can decide, based on your iptables/nftables rules, which packets are
received by suricata.
But if you want to investigate a connection/flow you need to make sure
every corresponding packet is going into suricata.

To reduce overhead you can add additional rules in front of suricata,
like droping STATE=invalid or other things you see no gain in
investigating.

> Will it be a good idea to allow or block traffic at netfilter/kernel
> it self based on the verdict suricata has given for initial packets of
> that flow/stream?

Not 100% sure what you want to achieve.

> Thanks & regards, Vishal V. Kotalwar
> 
> ----- Original Message ----- From: "Andreas Herz"
> <andi at geekosphere.org> To: "oisf-users"
> <oisf-users at lists.openinfosecfoundation.org> Sent: Wednesday, May 11,
> 2016 4:40:44 PM Subject: Re: [Oisf-users] Suricata inspects all
> packets?
> 
> On 10/05/16 at 16:57, Vishal Kotalwar V wrote:
> > Hi, I am new to IPS/IDS and netfilter framework. I have a query on
> > packet handling by suricata & netfilter. 
> > 
> > In IPS mode, we add iptables rule to pass packets to NFQ on which
> > suricata is listening. Suricata processes those packets and issues
> > verdict for that flow.  Does netfilter send packets from same flow
> > to suricata even after verdict is given? I would assume that
> > conntrack would kick-in here to bypass the queuing for optimization
> > ...  is that right? But conntrack is not mandatory for
> > suricata/netfilter functioning. 
> 
> Unless you filter some packets by state using the ctstate match, you
> should see all packets. That depends on your ruleset for netfilter,
> but as long as every packet from FORWARD (or INPUT/OUTPUT) arrives in
> NFQUEUE it should be fine.
> 
> 
> -- Andreas Herz _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net

-- 
Andreas Herz



More information about the Oisf-users mailing list