Dropping UDP Traffic Using Suricata with XDP


Hello everyone, and thank you in advance for your help.

I am working on dropping traffic by using Suricata in conjunction with XDP. With the Suricata configuration detailed below, I have it operating in IPS mode. I have successfully loaded XDP onto the interfaces.

I could drop TCP traffic successfully but I could not drop UDP traffic with XDP. How do I block UDP traffic with XDP?

I start Suricata using the command suricata -c /etc/suricata/suricata.yaml --af-packet -v, and from the output, I can confirm it’s running in IPS mode and that xdp_filter.bpf is successfully loaded to the LAN (enp3s0) and WAN (enp2s0) interfaces.

root@Suricata:~# suricata -c /etc/suricata/suricata.yaml --af-packet -v
Info: conf-yaml-loader: Configuration node 'stream' redefined.
Notice: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: af-packet: Setting IPS mode
Info: exception-policy: master exception-policy set to: auto
Info: ioctl: enp3s0: MTU 1500
Info: ioctl: enp2s0: MTU 1500
Info: conf: Running in live mode, activating unix socket
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Warning: detect-classtype: signature sid:51000000 uses unknown classtype: "social-media", using default priority 3. This message won't be shown again for this classtype
Info: detect: 2 rule files processed. 61 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 61 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 60 inspect application layer, 0 are decoder event only
Info: af-packet: enp3s0: AF_PACKET IPS mode activated enp3s0->enp2s0
Info: ebpf: Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'enp3s0'
Info: runmodes: enp3s0: creating 4 threads
Info: af-packet: enp2s0: AF_PACKET IPS mode activated enp2s0->enp3s0
Info: ebpf: Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'enp2s0'

Here are the changes I made in the suricata.yaml file:

stream:
  bypass: true
af-packet:
  - interface: enp3s0
    threads: 4
    cluster-id: 97
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: enp2s0
  - interface: enp2s0
    threads: 4
    cluster-id: 96
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: enp3s0

In the /var/log/suricata/fast.log file, I can see that the TCP test traffic to Facebook is being dropped.
The UDP DNS test traffic also shows as dropped in the logs. Despite the drop log entries for UDP, the client’s UDP traffic passed successfully.
XDP blocks TCP traffic with reject. UDP is connectionless. How do I block UDP traffic with XDP?

04/17/2024-10:29:26.492483  [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55970 -> 157.240.203.35:443
04/17/2024-10:29:26.494595  [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55971 -> 157.240.203.35:443
04/17/2024-10:29:26.494619  [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:55971 -> 157.240.203.35:443
04/17/2024-10:31:10.370046  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.369931  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.370087  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:38253 -> 8.8.8.8:53
04/17/2024-10:31:10.369963  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:38253 -> 8.8.8.8:53
04/17/2024-10:39:43.112004  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:60213 -> 8.8.8.8:53

Hello everyone,

If anyone has experience with Suricata XDP or a similar setup, I would greatly appreciate any advice, suggestions, or guidance you can offer. Additionally, if you require further details or specifics about my configuration, please don’t hesitate to ask.

Thank you in advance for your time and assistance. I’m looking forward to any insights this community can provide.
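As an added example, not part of the original post and not Suricata's own tooling: a small Python script that parses fast.log records like the ones quoted above and summarizes them, so that anyone debugging a similar IPS/XDP setup can see drop counts per protocol and sid, and which drops were logged more than once under different source addresses. That second pattern is visible in the excerpt above (source ports 55971, 14339 and 38253 each appear once from 192.168.254.2 and once from 10.10.12.254); the script only makes it visible, it does not decide what it means in the poster's topology. The sample records are copied from the excerpt plus one constructed alert-only line; the regular expression and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Records copied from the fast.log excerpt in the post above, plus one constructed
# record without a [Drop] field (a plain alert) to show the parser keeps the two apart.
SAMPLE_FAST_LOG = """\
04/17/2024-10:29:26.492483  [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55970 -> 157.240.203.35:443
04/17/2024-10:29:26.494595  [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55971 -> 157.240.203.35:443
04/17/2024-10:29:26.494619  [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:55971 -> 157.240.203.35:443
04/17/2024-10:31:10.370046  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.369931  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.370087  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:38253 -> 8.8.8.8:53
04/17/2024-10:31:10.369963  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:38253 -> 8.8.8.8:53
04/17/2024-10:39:43.112004  [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:60213 -> 8.8.8.8:53
04/17/2024-10:40:00.000000  [**] [1:1000002:0] Constructed alert-only record [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:40000 -> 1.1.1.1:53
"""

# One fast.log record per line: timestamp, an optional action field such as [Drop]
# (Suricata prints it only for dropped packets; plain alerts have none), [**],
# [gid:sid:rev], message, [**], classification, priority, {proto}, src:port -> dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>[^\]]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per parseable fast.log record; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["action"] = ev["action"] or "alert"  # no action field means a plain alert
        for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def drop_summary(events):
    """Count Drop records per (protocol, sid)."""
    return Counter((ev["proto"], ev["sid"]) for ev in events if ev["action"] == "Drop")


def duplicate_source_flows(events):
    """Group Drop records by (proto, sport, dst, dport) and return the groups that were
    logged under more than one source address, mapped to the sorted list of addresses."""
    seen = defaultdict(set)
    for ev in events:
        if ev["action"] == "Drop":
            seen[(ev["proto"], ev["sport"], ev["dst"], ev["dport"])].add(ev["src"])
    return {key: sorted(srcs) for key, srcs in seen.items() if len(srcs) > 1}


def format_report(events):
    """Human-readable summary of drop counts and of drops seen from several source addresses."""
    lines = ["Drops per protocol and sid:"]
    for (proto, sid), n in sorted(drop_summary(events).items()):
        lines.append(f"  {proto:4} sid {sid}: {n}")
    lines.append("Drops logged under more than one source address:")
    for (proto, sport, dst, dport), srcs in sorted(duplicate_source_flows(events).items()):
        lines.append(f"  {proto} sport {sport} -> {dst}:{dport}: {', '.join(srcs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    # Pass a real log path (e.g. /var/log/suricata/fast.log) or run on the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    print(format_report(parse_fast_log(text)))
```

A fast.log Drop record only states Suricata's verdict for the packet it inspected; it says nothing about whether another copy of that packet reached the destination by a path the engine did not see. When the log says "dropped" but the client still gets an answer, as described above, the useful next step is to capture on the client and on both Suricata interfaces at the same time and compare which packets are present on each, rather than relying on the log alone.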

Can you post the signatures that you’re using with the sid 51000005 and 1000001?