[Oisf-users] Suricata inspects all packets?

Andreas Herz andi at geekosphere.org
Fri May 13 05:53:10 UTC 2016 

On 12/05/16 at 15:27, Vishal Kotalwar V wrote:
> Andreas,
> 
> >To reduce overhead you can add additional rules in front of suricata,
> >like droping STATE=invalid or other things you see no gain in
> >investigating.
> Good idea, will definitely try this.
> 
> >Not 100% sure what you want to achieve
> 
> Let me try to explain this way ...
> 
> Suppose there is a connection/flow between A & B, suricata
> investigates this flow and issues a verdict to drop packets for this
> flow. Wouldn't it be wise not to send any more packets from this
> connection/flow (A<->B) to suricata for processing as we already know
> that it is bad. We can reduce load on suricata as well as on system
> resources.

That's rather difficult, you could try to use MARKS and send the packets
back into netfilter and then set some CONNMARK and then drop the
packets.
But I doubt that you would gain that much especially if it's just for
the specific connection/flow. 

> Thanks & regards, Vishal V. Kotalwar
> 
> ----- Original Message ----- From: "Andreas Herz"
> <andi at geekosphere.org> To: "Vishal Kotalwar V"
> <vishalkv at altencalsoftlabs.com> Cc: "oisf-users"
> <oisf-users at lists.openinfosecfoundation.org> Sent: Thursday, May 12,
> 2016 3:09:45 PM Subject: Re: [Oisf-users] Suricata inspects all
> packets?
> 
> On 11/05/16 at 17:18, Vishal Kotalwar V wrote:
> > Thanks for the reply Andreas. 
> > 
> > So you mean to say Suricata will receive all the packets and verdict
> > given is per packet not per flow. This makes sense when no of
> > attacks is more and we want to inspect each and every packet as we
> > don't know which packet in a flow/stream may contain malicious data.
> > But isn't this a huge overhead when we are talking about 10-40Gbps
> > of line rate where most of the traffic is legitimate.
> 
> You can decide, based on your iptables/nftables rules, which packets
> are received by suricata.  But if you want to investigate a
> connection/flow you need to make sure every corresponding packet is
> going into suricata.
> 
> To reduce overhead you can add additional rules in front of suricata,
> like droping STATE=invalid or other things you see no gain in
> investigating.
> 
> > Will it be a good idea to allow or block traffic at netfilter/kernel
> > it self based on the verdict suricata has given for initial packets
> > of that flow/stream?
> 
> Not 100% sure what you want to achieve.
> 
> > Thanks & regards, Vishal V. Kotalwar
> > 
> > ----- Original Message ----- From: "Andreas Herz"
> > <andi at geekosphere.org> To: "oisf-users"
> > <oisf-users at lists.openinfosecfoundation.org> Sent: Wednesday, May
> > 11, 2016 4:40:44 PM Subject: Re: [Oisf-users] Suricata inspects all
> > packets?
> > 
> > On 10/05/16 at 16:57, Vishal Kotalwar V wrote:
> > > Hi, I am new to IPS/IDS and netfilter framework. I have a query on
> > > packet handling by suricata & netfilter. 
> > > 
> > > In IPS mode, we add iptables rule to pass packets to NFQ on which
> > > suricata is listening. Suricata processes those packets and issues
> > > verdict for that flow.  Does netfilter send packets from same flow
> > > to suricata even after verdict is given? I would assume that
> > > conntrack would kick-in here to bypass the queuing for
> > > optimization ...  is that right? But conntrack is not mandatory
> > > for suricata/netfilter functioning. 
> > 
> > Unless you filter some packets by state using the ctstate match, you
> > should see all packets. That depends on your ruleset for netfilter,
> > but as long as every packet from FORWARD (or INPUT/OUTPUT) arrives
> > in NFQUEUE it should be fine.
> > 
> > 
> > -- Andreas Herz _______________________________________________
> > Suricata IDS Users mailing list:
> > oisf-users at openinfosecfoundation.org Site: http://suricata-ids.org |
> > Support: http://suricata-ids.org/support/ List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC:
> > http://oisfevents.net
> 
> -- Andreas Herz

-- 
Andreas Herz

More information about the Oisf-users mailing list