Asymmetric Traffic

Amitp · August 10, 2022, 11:39am

Hi,

I have traffic flow which is feed to Suricata.

Below is the traffic detail which is feed to Suricata in IPS mode via TAP interfaces,

In one direction, traffic is VxLAN encapsulated
In another direction, traffic is without VxLAN encapsulation

Will this cause issue for Suricata to detect/block traffic ?

Thanks

IDSTower · August 10, 2022, 2:43pm

For Suricata to work in IPS mode, it has to be installed inline (not via tap) otherwise it will drop a copy of the packet and not the actual one.

Other things that comes to mind from the VLAN situation:

make sure use-for-tracking is set to false in suricata.yaml.
if you are using rss to distribute traffic to multiple queues in your NIC, make sure vlan header is ignored, or use a single queue.

Amitp · August 10, 2022, 3:47pm

Suricata will be running on AF-PACKET TAP interfaces (in and out) and physical interfaces will be connected to tap interfaces via bridge in IPS mode.

IDSTower · August 10, 2022, 3:55pm

Oh, pardon me for misreading the question, however I think the two other points might be still valid.

Andreas_Herz · August 29, 2022, 3:19pm

So you’re talking about TAP interfaces and IPS mode with a bridge. Can you draw the setup and be more precise on what part Suricata would be running?
Depending on the details it could be an issue or not.

Topic		Replies	Views
Query on IPS Mode Help	1	421	September 19, 2022
Suricata generating VXLAN + ICMP traffic Help	3	499	April 28, 2021
Asymmetric Traffic within Suricata Help	3	3351	February 4, 2021
Architecture help Help ips , community , centos	2	1251	November 29, 2020
App layer not detecting flows Help	3	462	August 20, 2022

Asymmetric Traffic

Related topics