Dropping Traffic Using Suricata with XDP

Hello everyone, and thank you in advance for your help.

I am working on dropping messaging traffic by using Suricata in conjunction with XDP. With the Suricata configuration detailed below, I have it operating in IPS mode. I have successfully loaded XDP onto the interfaces, and I can see in the Suricata logs that the messaging traffic is being dropped. Despite all these successful indicators, when testing on a client device, messaging applications still function correctly even though the logs indicate they are being dropped.

Every time I refresh the page on the client device, I can see the drop logs, yet the page loads successfully. What could be causing this issue? What checks would you recommend I perform to troubleshoot? How can I resolve this situation?

I start Suricata using the command suricata -c /etc/suricata/suricata.yaml --af-packet -v, and from the output, I can confirm it’s running in IPS mode and that xdp_filter.bpf is successfully loaded to the LAN (enp3s0) and WAN (enp2s0) interfaces.

root@Surricate:/# suricata -c /etc/suricata/suricata.yaml  --af-packet -v
Info: conf-yaml-loader: Configuration node 'stream' redefined.
Notice: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: af-packet: Setting IPS mode
Info: exception-policy: master exception-policy set to: auto
Info: ioctl: enp3s0: MTU 1500
Info: ioctl: enp2s0: MTU 1500
Info: conf: Running in live mode, activating unix socket
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Warning: detect-classtype: signature sid:52000000 uses unknown classtype: "messaging", using default priority 3. This message won't be shown again for this classtype
Info: detect: 9 rule files processed. 37178 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 37181 signatures processed. 1137 are IP-only rules, 4934 are inspecting packet payload, 30898 inspect application layer, 108 are decoder event only
Info: af-packet: enp3s0: AF_PACKET IPS mode activated enp3s0->enp2s0
Info: ebpf: Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'enp3s0'
Info: runmodes: enp3s0: creating 4 threads
Info: af-packet: enp2s0: AF_PACKET IPS mode activated enp2s0->enp3s0
Info: ebpf: Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'enp2s0'
Info: runmodes: enp2s0: creating 4 threads
Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
Notice: threads: Threads created -> W: 8 FM: 1 FR: 1   Engine started.

Here are the changes I made in the suricata.yaml file:

stream:
  bypass: true

af-packet:
  - interface: enp3s0
    threads: 4
    cluster-id: 99
    cluster-type: cluster_qm  
    defrag: no  
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: enp2s0
  - interface: enp2s0
    threads: 4
    cluster-id: 98
    cluster-type: cluster_qm  
    defrag: no  
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: enp3s0

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - opnsense.file_transfer.rules
  - opnsense.mail.rules
  - opnsense.malware_ja3.rules
  - opnsense.media_streaming.rules
  - opnsense.messaging.rules
  - opnsense.social_media.rules
  - opnsense.test.rules
  - opnsense.uncategorized.rules

I fetched the .rules files from the OpnSense repository at https://github.com/opnsense/rules/tree/master/src. The rules were initially set to alert, which I have edited to drop.

In the /var/log/suricata/fast.log file, I can see that the test traffic for WhatsApp is being dropped, yet WhatsApp continues to work flawlessly on the client device.

03/30/2024-18:36:55.963799  [Drop] [**] [1:52000065:1] OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.10:52264 -> 185.60.218.53:443
03/30/2024-18:36:55.963895  [Drop] [**] [1:52000065:1] OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:52264 -> 185.60.218.53:443
03/30/2024-18:37:00.713574  [Drop] [**] [1:52000065:1] OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.10:52265 -> 185.60.218.53:443
03/30/2024-18:37:00.713613  [Drop] [**] [1:52000065:1] OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:52265 -> 185.60.218.53:443
03/30/2024-18:37:11.077536  [Drop] [**] [1:52000065:1] OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.10:52267 -> 185.60.218.53:443
03/30/2024-18:37:11.077565  [Drop] [**] [1:52000065:1] OPN_Messaging - WhatsApp - Related TLS SNI (whatsapp.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:52267 -> 185.60.218.53:443

Any insights or suggestions on what might be going wrong and how to resolve this issue would be greatly appreciated.