Suricata Performance with a S like Security
É. Leblond
Stamus Networks
July. 03, 2018
É. Leblond (Stamus Networks) Suricata Performance with a S like Security July. 03, 2018 1 / 31
Outline
1 Introduction
  Features
  Reconstruction work
2 Problem
  Packet loss impact
  Elephant flow
  Work less to get more
3 Bypass
  Introducing bypass
  Bypass strategy
4 Hipster technologies to the rescue
  eBPF
  AF_PACKET bypass via eBPF
  XDP support
5 Conclusion
What it is not?
https://twitter.com/randomuserid/status/1012474246503845888
A signature based IDS
From individual traffic to detection: get the packets one by one, reconstruct up to the application layer, run the detection engine.
Identity: GPLv2, owned by OISF (a non-profit foundation), scalability via multithreading, written in C and Rust.
Example signature (shown as an image on the slide)
Suricata (Bro-like) NSM features
Supported protocols. Protocol analysis: http, ftp, smtp, tls, ssh, smb, dcerpc, dns, nfs, ntp, ftp-data, tftp, ikev2, krb5, dhcp. Protocol recognition: imap, msn.
Log example (shown as an image on the slide)
What it is? Or how to please developers
https://twitter.com/randomuserid/status/1012705279098490880
File related features
File analysis: magic computation and matching on the file data; checksum computation and file extraction to disk. Supported protocols: http, smtp, smb, ftp, nfs.
Fileinfo example (shown as an image on the slide)
Suricata reconstruction and normalization
Impact of losing packets
Methodology: take a sample of traffic; modify the pcap file to introduce a specified rate of random packet loss; repeat 3 times per loss rate; plot the results.
Test data: a 445 MB test pcap; real traffic, but with a lot of malicious behaviours; the traffic is a bit old.
Alert loss by packet loss
Some numbers: 10% missed alerts with 3% packet loss; 50% missed alerts with 25% packet loss.
The case of file extraction
Some numbers: 10% failed file extractions with 0.4% packet loss; 50% failed file extractions with 5.5% packet loss.
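Why extraction collapses at loss rates that barely dent alerting, as an added Python model (not the talk's measurement and not Suricata code). It runs the talk's methodology, random loss applied 3 times per rate, on a constructed trace rather than the 445 MB pcap, under the simplest assumption: a single-packet signature needs one specific packet to arrive, while extracting a file needs every segment of it. Under that assumption a loss rate p becomes an extraction failure rate of 1 - (1 - p)**segments, which is the whole effect. The file sizes (26 and 12 segments), the flow count and the seed are assumptions chosen to land near the slide's figures; real alert loss is higher than p because most signatures also depend on stream reassembly, which this model leaves out.

```python
"""Packet loss vs. alerting vs. file extraction (added example, constructed data)."""
import random


def expected_extraction_failure(loss, segments):
    """Closed form: probability that at least one of `segments` packets is lost."""
    return 1.0 - (1.0 - loss) ** segments


def build_trace(n_files, segments_per_file):
    """Constructed trace: one flow per file, `segments_per_file` packets each.
    Packet 0 of every flow is the one a single-packet signature matches."""
    return [(flow, seg) for flow in range(n_files) for seg in range(segments_per_file)]


def apply_loss(trace, loss, rng):
    """Drop each packet independently with probability `loss`, like editing the
    pcap to a given random loss rate."""
    return [pkt for pkt in trace if rng.random() >= loss]


def measure(survivors, n_files, segments_per_file):
    """Return (missed alert rate, failed extraction rate) over all flows."""
    seen = {}
    for flow, seg in survivors:
        seen.setdefault(flow, set()).add(seg)
    alerts_ok = sum(1 for f in range(n_files) if 0 in seen.get(f, ()))
    files_ok = sum(1 for f in range(n_files)
                   if len(seen.get(f, ())) == segments_per_file)
    return 1.0 - alerts_ok / n_files, 1.0 - files_ok / n_files


def experiment(loss, segments_per_file, n_files=2000, runs=3, seed=1):
    """Average over `runs` random trials (the talk does 3 runs per loss rate)."""
    rng = random.Random(seed)
    trace = build_trace(n_files, segments_per_file)
    missed, failed = 0.0, 0.0
    for _ in range(runs):
        m, f = measure(apply_loss(trace, loss, rng), n_files, segments_per_file)
        missed += m / runs
        failed += f / runs
    return missed, failed


if __name__ == "__main__":
    # 26-segment files: 0.4% loss already fails about 10% of extractions;
    # 12-segment files: 5.5% loss fails about half of them.
    for loss, segs in ((0.004, 26), (0.055, 12)):
        missed, failed = experiment(loss, segs)
        print(f"loss {loss:.1%}: missed alerts {missed:.1%}, "
              f"failed extractions {failed:.1%} "
              f"(closed form {expected_extraction_failure(loss, segs):.1%})")
```

The practical reading: a sensor that drops "only" half a percent of packets is still fine for most alerting but is already unreliable as a file-carving source, so file extraction numbers, not alert counts, are the honest health indicator for a capture path.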
The elephant flow problem (1/2)
The elephant flow problem (2/2)
Ring buffer overrun: the capture ring buffer has a limited size; an overrun causes packet loss, and packet loss causes stream reassembly to malfunction.
Increasing the ring size is only a workaround: it costs memory and fails for non-burst traffic, since the ring is filled at speed N+M while it is dequeued at speed N.
Stream depth method
Attack characteristics: in most cases the attack is done at the start of the TCP session; generating requests prior to the attack is not common; multiple requests are often not even possible on the same TCP session.
Stream reassembly depth: reassembly is done up to stream.reassembly.depth bytes; the stream is no longer analyzed once the limit is reached; individual packets continue to be inspected.
Introducing bypass
Stop packet handling as soon as possible: tag the flow as bypassed; maintain a table of bypassed flows; discard a packet if it belongs to a bypassed flow.
Bypass methods. Local bypass: Suricata discards the packet after decoding. Capture bypass: the capture method maintains the flow table and discards packets of bypassed flows itself, before Suricata sees them.
Bypassing big flow: local bypass
Bypassing big flow: capture bypass
Implementation
Suricata update: add a callback function; the capture method registers itself and provides a callback; Suricata calls the callback when it wants to offload a flow.
NFQ bypass in Suricata 3.2: update the capture register function and write the callback function. It sets a mark (with respect to a mask) on the packet; the mark is set when issuing the verdict, so that a netfilter rule matching the mark can let the rest of the flow skip the queue.
Stream depth bypass
Stop all treatment after bypass: go beyond what is currently done and disable individual packet treatment once the stream depth is reached.
Activating stream depth bypass: set stream.bypass to yes in the YAML.
TLS bypass: set encryption-handling to bypass in the tls app-layer protocol section of the YAML.
Selective bypass
Ignore some traffic: ignore intensive traffic like Netflix; this can be done independently of the stream depth, using generic or custom signatures.
The bypass keyword: a new bypass signature keyword that triggers a bypass when the signature matches. Example of signature:
pass http any any -> any any (content:"suricata.io"; http_host; bypass; sid:6666; rev:1;)
Extended Berkeley Packet Filter
Berkeley Packet Filter: a virtual machine inside the kernel; arithmetic operations and tests on the packet data; filters are injected from userspace into the kernel via a syscall.
Extended BPF: an extended virtual machine with more operators, and data and function access; various attachment points: socket, syscall (tracing), traffic control; kernel and userspace shared structures: hash tables, arrays.
LLVM backend
From C file to eBPF code: write C code; use the eBPF LLVM backend (since LLVM 3.7); use libbpf to get the ELF file, extract the section and load it into the kernel.
BCC, the BPF Compiler Collection: inject eBPF into the kernel from a high-level scripting language; trace syscalls and kernel functions; https://github.com/iovisor/bcc
And now AF_PACKET
What's needed: Suricata must be able to tell the kernel to ignore flows, and the kernel needs a mechanism that maintains a list of flow entries, discards packets belonging to flows in the list, and can be updated from userspace.
eBPF filter using maps: eBPF introduces maps, different data structures (hash, array, ...) that can be updated and fetched from userspace.
Looks good!
![Page 41: Suricata Performance with a S like Security · Filters are injected by userspace in kernel via syscall Extended BPF Extended virtual machine: more operators, data and function](https://reader033.vdocuments.mx/reader033/viewer/2022042219/5ec585a8e39a4356274d928c/html5/thumbnails/41.jpg)
And now AF_PACKET
What’s neededSuricata to tell kernel to ignore flowsKernel system able to
Maintain a list of flow entriesDiscard packets belonging to flows in the listUpdate from userspace
eBPF filter using mapseBPF introduce mapsDifferent data structures
Hash, array, . . .Update and fetch from userspace
Looks good!
É. Leblond (Stamus Networks) Suricata Performance with a S like Security July. 03, 2018 22 / 31
![Page 42: Suricata Performance with a S like Security · Filters are injected by userspace in kernel via syscall Extended BPF Extended virtual machine: more operators, data and function](https://reader033.vdocuments.mx/reader033/viewer/2022042219/5ec585a8e39a4356274d928c/html5/thumbnails/42.jpg)
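The flow-table logic of the bypass, stream-depth and selective-bypass slides, and of the map-based capture bypass just described, as one added Python model. It is not Suricata's code and not the eBPF program: it simulates the bookkeeping so the difference between local bypass (drop after decoding) and capture bypass (drop in the kernel table, before decoding) can be counted on a constructed trace. The flow key format, the 8192-byte stream depth, the host list standing in for a `pass ... bypass;` rule, and the packets themselves are all assumptions for illustration.

```python
"""Userspace model of Suricata flow bypass (added example, constructed data).

Per packet: (1) capture stage, a lookup in the bypassed-flow table before
decoding, which is what the eBPF map does for AF_PACKET/XDP; (2) decode, then
local bypass if Suricata marked the flow but the capture method cannot drop;
(3) inspection, which may mark the flow: stream depth reached, or a rule with
the bypass keyword matched (here modelled as an HTTP host list).
"""
from collections import defaultdict


def flow_key(src, sport, dst, dport):
    """Direction-independent key (TCP assumed, protocol field omitted). Both
    directions must resolve to the same entry, as a kernel-side map needs."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


class BypassModel:
    def __init__(self, stream_depth, capture_bypass, bypass_hosts=()):
        self.stream_depth = stream_depth        # bytes, like stream.reassembly.depth
        self.capture_bypass = capture_bypass    # capture method offers bypass?
        self.bypass_hosts = set(bypass_hosts)   # hosts a "pass ... bypass;" rule matches
        self.kernel_table = set()               # models the eBPF flow map
        self.marked = set()                     # flows Suricata tagged as bypassed
        self.flow_bytes = defaultdict(int)
        self.stats = {"capture_dropped": 0, "decoded": 0,
                      "local_dropped": 0, "inspected": 0}

    def process(self, pkt):
        src, sport, dst, dport, length, http_host = pkt
        key = flow_key(src, sport, dst, dport)
        if self.capture_bypass and key in self.kernel_table:   # 1. kernel drop
            self.stats["capture_dropped"] += 1
            return "capture-drop"
        self.stats["decoded"] += 1
        if key in self.marked:                                  # 2. local bypass
            self.stats["local_dropped"] += 1
            return "local-drop"
        self.stats["inspected"] += 1                            # 3. full inspection
        self.flow_bytes[key] += length
        if http_host in self.bypass_hosts or self.flow_bytes[key] >= self.stream_depth:
            self.bypass_flow(key)
        return "inspected"

    def bypass_flow(self, key):
        """The callback a capture method registers: mark the flow and, when the
        capture method supports it, push the key into the kernel table."""
        self.marked.add(key)
        if self.capture_bypass:
            self.kernel_table.add(key)


def constructed_trace():
    """Three constructed flows: a short HTTP exchange, an elephant flow of 50
    segments of 1400 bytes (every fifth one in the reverse direction), and a
    video flow whose first request names a host on the bypass list."""
    pkts = []
    web = ("10.0.0.1", 40001, "192.0.2.10", 80)
    pkts += [web + (200, "example.org"),
             ("192.0.2.10", 80, "10.0.0.1", 40001, 300, None),
             web + (100, None)]
    big = ("10.0.0.2", 40002, "192.0.2.20", 443)
    for i in range(50):
        if i % 5 == 0:
            pkts.append(("192.0.2.20", 443, "10.0.0.2", 40002, 1400, None))
        else:
            pkts.append(big + (1400, None))
    video = ("10.0.0.3", 40003, "192.0.2.30", 80)
    pkts.append(video + (1000, "video.example.net"))
    pkts += [video + (1000, None)] * 4
    return pkts


def run(capture_bypass, stream_depth=8192):
    """Feed the constructed trace through the model and return the counters."""
    model = BypassModel(stream_depth, capture_bypass,
                        bypass_hosts={"video.example.net"})
    for pkt in constructed_trace():
        model.process(pkt)
    stats = dict(model.stats)
    stats["bypassed_flows"] = len(model.marked)
    return stats


if __name__ == "__main__":
    for mode in (False, True):
        print("capture bypass" if mode else "local bypass", run(mode))
```

Both modes inspect the same 10 packets, but with capture bypass the 48 packets of the two bypassed flows are never decoded at all, which is the work the kernel-side table saves. The model deliberately leaves out what a real deployment must not: entries have to be removed when the flow ends or times out, otherwise the kernel table grows without bound and a later connection reusing the same 4-tuple would be silently bypassed.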
Test methodology
Test setup: Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz; Intel Corporation 82599ES 10-Gigabit SFI/SFP+; live traffic of around 1 Gbps to 2 Gbps from real users, so not reproducible.
Tests: one-hour-long runs; different stream depth values; Suricata statistics counters collected via the JSON export; graphs done with Timelion (https://www.elastic.co/blog/timelion-timeline).
Results: stream bypass at 512kb
A few words on the graphs
Tests at 512kb: one big flow kills the bandwidth; the capture rate drops to almost zero; even the number of closed bypassed flows is low.
Results
XDP: a Linux kernel feature
Run eBPF code as early as possible: in the driver, in the card, before the regular kernel path.
Act on the data: drop the packet (eXtreme Drop Performance); transmit to the kernel; rewrite the packet and transmit it to the kernel; redirect to another interface; CPU load balancing.
Implementation
Similar to the eBPF filter: same logic for bypass; only the verdict logic is different.
But annoying differences: the eBPF code has to do the packet parsing itself, and the program needs to be bound to an interface.
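A suricata.yaml fragment tying together the bypass settings from the stream-depth, TLS, AF_PACKET and XDP slides, as an added configuration example (not taken from the slides or from the Suricata distribution). The interface names, cluster ids, the 1mb depth and the eBPF object paths are placeholders; the keys are the ones in the Suricata eBPF/XDP capture documentation linked in the conclusion.

```yaml
# Added example configuration, not from the slides. Interfaces, ids, paths and
# sizes are placeholders; keys follow the Suricata eBPF/XDP documentation.
stream:
  bypass: yes                   # stream-depth bypass: stop all work on a flow once depth is reached
  reassembly:
    depth: 1mb                  # stream.reassembly.depth; beyond this the stream is no longer reassembled

app-layer:
  protocols:
    tls:
      enabled: yes
      encryption-handling: bypass   # once the handshake is done, bypass the encrypted flow

af-packet:
  # Capture bypass in the AF_PACKET socket filter: the eBPF program keeps the
  # bypassed-flow table in a map that Suricata updates from userspace.
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ebpf-filter-file: /usr/libexec/suricata/ebpf/bypass_filter.bpf
    bypass: yes
  # Same bypass logic at the XDP hook: the program is bound to the interface
  # and runs in the driver, before the regular kernel path.
  - interface: eth1
    cluster-id: 98
    cluster-type: cluster_flow
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    bypass: yes
```

Two checks worth doing after enabling this: confirm in stats.log (or the eve stats record) that the bypassed-flow counters actually move, and watch the size of the kernel flow map, since a bypass table that is never purged is a silent blind spot rather than a performance feature.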
Results
TODO: Ask OISF marketing for some fake numbers to show
Conclusion
Suricata, eBPF and XDP: a fresh but interesting method; network card bypass for Netronome is coming; AF_XDP capture is now in vanilla Linux.
More information: Stamus Networks: https://www.stamus-networks.com/ ; SEPTun Mark II: https://github.com/pevma/SEPTun-Mark-II/ ; Suricata doc: http://suricata.readthedocs.io/en/latest/capture-hardware/ebpf-xdp.html
Questions?
Thanks to Jesper Dangaard Brouer, Alexei Starovoitov, Daniel Borkmann.
Contact: [email protected], @regiteric
Want more fun? Come to the Suricata and SELKS workshop! Suricon: https://suricon.net/