Drop traffic before it is processed by Suricata



  • Good day.
    I wanted to find out if there was an opportunity to block any traffic with rules before it was processed by Suricata, preferably via the Web GUI?

    I would also like to know if it is possible to set up Suricata so that if there are two WANs (and a processor with 4 cores), it processes one WAN with two cores, and the other with others?

    Sorry for my bad English.



  • @Uranus:

    I wanted to find out if there was an opportunity to block any traffic with rules before it was processed by Suricata, preferably via the Web GUI?

    Good Question.
    I would like to have that too because then I could filter out traffic with blocklists in pfBlockerNG first and then Suricata doesn't have to process the blocked packets.
    It would reduce the alert numbers and would make it easier to concentrate on "real" possible attacks.



  • No, you can't selectively "position" Suricata at arbitrary points in the signal chain.  It can only work these two ways (unless someone wants to completely revamp the kernel's network stack and then customize the Suricata binary as well).

    1.  In Legacy Blocking Mode Suricata uses PCAP (via the libpcap library) to get a copy of every single packet coming in directly from the interface.  This capture of data happens as it exits the NIC driver (that's the best way to visualize it).  So in Legacy Mode Suricata sees every single packet that leaves the NIC driver for the interface.  It sees the traffic before the packet filter firewall does, so no firewall rules can be applied yet.

    2.  When using Inline IPS Mode Blocking, Suricata uses Netmap.  Netmap constructs a pipeline between the NIC driver and the kernel's network stack.  Suricata sits in the middle of this pipeline and can discard packets that need to be blocked.  It copies packets that are OK over to the kernel.  Again, all of this happens before the packet filter firewall.

    Bill



  • And what can you say about:
    "I would also like to know if it is possible to set up Suricata so that if there are two WANs (and a processor with 4 cores), it processes one WAN with two cores, and the other with others?"



  • @Uranus:

    And what can you say about:
    "I would also like to know if it is possible to set up Suricata so that if there are two WANs (and a processor with 4 cores), it processes one WAN with two cores, and the other with others?"

    The GUI does not offer that option.  The code for the GUI is all PHP, though, so you could make your own modifications to the generated configurations if you desire.  I've not researched them, but there are some CPU affinity options available in the suricata.yaml configuration.

    Bill
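    As an added example (not from this thread, the pfSense package or the Suricata project), here is what the threading section of suricata.yaml looks like when the affinity options Bill mentions are used to split a 4-core CPU between two interfaces. It assumes the pfSense layout of one Suricata instance per monitored interface, each with its own generated suricata.yaml; the instance directory names are placeholders.

```yaml
# Added example. Assumes a 4-core CPU (cores 0-3) and one Suricata instance
# per interface, each with its own suricata.yaml. Paths are placeholders.
# Caveat: the pfSense GUI regenerates these files from its PHP templates, so a
# hand edit is overwritten on the next save/restart unless the PHP is changed.

# --- /usr/local/etc/suricata/<WAN1_instance_dir>/suricata.yaml ---
threading:
  set-cpu-affinity: yes            # default is "no": then cpu-affinity is ignored
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]                 # flow manager, stats and similar threads
    - receive-cpu-set:
        cpu: [ 0 ]                 # capture threads (autofp runmode only)
    - worker-cpu-set:
        cpu: [ 0, 1 ]              # WAN1 detection stays on cores 0 and 1
        mode: "exclusive"          # one worker thread per listed core
        prio:
          default: "high"
  # autofp: detect threads = total cores x ratio, so 4 x 0.5 = 2 threads here.
  # In the "workers" runmode the netmap "threads:" setting decides the count.
  detect-thread-ratio: 0.5

---
# --- /usr/local/etc/suricata/<WAN2_instance_dir>/suricata.yaml ---
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 2 ]
    - receive-cpu-set:
        cpu: [ 2 ]
    - worker-cpu-set:
        cpu: [ 2, 3 ]              # WAN2 detection stays on cores 2 and 3
        mode: "exclusive"
        prio:
          default: "high"
  detect-thread-ratio: 0.5
```

    Whether the split holds can be checked from the OS side with the per-thread CPU columns of top (top -H on FreeBSD) while traffic flows on both interfaces.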



  • @bmeeks:

    @Uranus:

    And what can you say about:
    "I would also like to know if it is possible to set up Suricata so that if there are two WANs (and a processor with 4 cores), it processes one WAN with two cores, and the other with others?"

    The GUI does not offer that option.  The code for the GUI is all PHP, though, so you could make your own modifications to the generated configurations if you desire.  I've not researched them, but there are some CPU affinity options available in the suricata.yaml configuration.

    Bill

    Well, I found this documentation, but it just does not work; Suricata still uses all the cores of the processor.
    Can anyone tell me where to read more information, or point me to a ready sample configuration file (preferably for a processor with 4 cores)?

    And I wanted to ask, would it be very difficult for you to compile Suricata with CUDA support? :)



  • @Uranus:

    And I wanted to ask, would it be very difficult for you to compile Suricata with CUDA support? :)

    That is not a currently included configuration option in the FreeBSD ports version of Suricata.  If you want to compile in all the CUDA stuff, you would be better off to use a dedicated physical machine with just the Suricata binary installed and configure your own inline IPS appliance with bridging.  You would also want to put a high-performance graphics card in it.  Such hardware is not generally included in firewall-grade appliances as there is usually no need for expensive and fast GPU chips in a firewall.

    The CUDA option for Suricata will be added only after it is included in the upstream FreeBSD ports version of Suricata.

    Bill



  • I understand, it's just that in my opinion it's much cheaper to buy a video card with CUDA support than to buy a new processor.
    Well, we'll wait, but for now we'll try to customize Suricata. Maybe this will help improve performance. :)

