Hello everyone, and thank you in advance for your help.
I am working on dropping traffic by using Suricata in conjunction with XDP. With the Suricata configuration detailed below, I have it operating in IPS mode. I have successfully loaded XDP onto the interfaces.
I could drop TCP traffic successfully but I could not drop UDP traffic with XDP. How do I block UDP traffic with XDP?
I start Suricata using the command `suricata -c /etc/suricata/suricata.yaml --af-packet -v`, and from the output, I can confirm it's running in IPS mode and that `xdp_filter.bpf` is successfully loaded on the LAN (`enp3s0`) and WAN (`enp2s0`) interfaces.
```
root@Suricata:~# suricata -c /etc/suricata/suricata.yaml --af-packet -v
Info: conf-yaml-loader: Configuration node 'stream' redefined.
Notice: suricata: This is Suricata version 7.0.4 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: af-packet: Setting IPS mode
Info: exception-policy: master exception-policy set to: auto
Info: ioctl: enp3s0: MTU 1500
Info: ioctl: enp2s0: MTU 1500
Info: conf: Running in live mode, activating unix socket
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: logopenfile: stats output device (regular) initialized: stats.log
Warning: detect-classtype: signature sid:51000000 uses unknown classtype: "social-media", using default priority 3. This message won't be shown again for this classtype
Info: detect: 2 rule files processed. 61 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 0 rule(s) found
Info: detect: 61 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 60 inspect application layer, 0 are decoder event only
Info: af-packet: enp3s0: AF_PACKET IPS mode activated enp3s0->enp2s0
Info: ebpf: Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'enp3s0'
Info: runmodes: enp3s0: creating 4 threads
Info: af-packet: enp2s0: AF_PACKET IPS mode activated enp2s0->enp3s0
Info: ebpf: Successfully loaded eBPF file '/usr/libexec/suricata/ebpf/xdp_filter.bpf' on 'enp2s0'
```
Here are the changes I made in the `suricata.yaml` file:

```yaml
stream:
  bypass: true

af-packet:
  - interface: enp3s0
    threads: 4
    cluster-id: 97
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: enp2s0
  - interface: enp2s0
    threads: 4
    cluster-id: 96
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    ring-size: 200000
    bypass: yes
    xdp-mode: driver
    xdp-filter-file: /usr/libexec/suricata/ebpf/xdp_filter.bpf
    copy-mode: ips
    copy-iface: enp3s0
```
In the `/var/log/suricata/fast.log` file, I can see that the test traffic for TCP Facebook is being dropped. The test traffic for UDP DNS is also logged as dropped. Despite the drop log for UDP, the client's UDP traffic passed successfully.
XDP blocks TCP traffic with reject. UDP is connectionless. How do I block UDP traffic with XDP?
```
04/17/2024-10:29:26.492483 [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55970 -> 157.240.203.35:443
04/17/2024-10:29:26.494595 [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55971 -> 157.240.203.35:443
04/17/2024-10:29:26.494619 [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:55971 -> 157.240.203.35:443
04/17/2024-10:31:10.370046 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.369931 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.370087 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:38253 -> 8.8.8.8:53
04/17/2024-10:31:10.369963 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:38253 -> 8.8.8.8:53
04/17/2024-10:39:43.112004 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:60213 -> 8.8.8.8:53
```
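When a drop shows up in `fast.log` but the traffic still reaches its destination, the first thing worth having is a reliable tally of what the engine *claims* to have dropped, per protocol and per signature, so it can be compared against what the client actually observed. The script below is an added example and is not part of the original post or of Suricata itself: it parses the default `fast.log` line format with a regular expression and summarises drop verdicts by protocol, signature id and flow. The sample input is the set of log lines quoted above; everything else (the function names, the summary layout) is my own construction.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the fast.log lines quoted in the post above.
SAMPLE_FAST_LOG = """\
04/17/2024-10:29:26.492483 [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55970 -> 157.240.203.35:443
04/17/2024-10:29:26.494595 [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 192.168.254.2:55971 -> 157.240.203.35:443
04/17/2024-10:29:26.494619 [Drop] [**] [1:51000005:1] OPN_Social_Media - Facebook - Related TLS SNI (facebook.com) [**] [Classification: Unknown Classtype] [Priority: 3] {TCP} 10.10.12.254:55971 -> 157.240.203.35:443
04/17/2024-10:31:10.370046 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.369931 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:14339 -> 8.8.8.8:53
04/17/2024-10:31:10.370087 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 10.10.12.254:38253 -> 8.8.8.8:53
04/17/2024-10:31:10.369963 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:38253 -> 8.8.8.8:53
04/17/2024-10:39:43.112004 [Drop] [**] [1:1000001:0] Blocking DNS Queries [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.254.2:60213 -> 8.8.8.8:53
"""

# Default fast.log layout:
#   <timestamp>  [<verdict>] [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# The "[Drop]" (or "[wDrop]") token is only present for drop verdicts; plain alerts omit it.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per recognised fast.log line; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            continue  # not an alert line (or a format this parser does not know)
        ev = m.groupdict()
        ev["action"] = ev["action"] or "Alert"  # no bracketed verdict means a plain alert
        events.append(ev)
    return events


def summarize(events, action="Drop"):
    """Count events with the given verdict by protocol and sid, and list the flows they cover."""
    by_proto = Counter()
    by_sid = Counter()
    flows = defaultdict(set)
    for ev in events:
        if ev["action"] != action:
            continue
        by_proto[ev["proto"]] += 1
        by_sid[ev["sid"]] += 1
        flows[ev["proto"]].add((ev["src"], ev["dst"]))
    return {
        "by_proto": dict(by_proto),
        "by_sid": dict(by_sid),
        "flows": {proto: sorted(pairs) for proto, pairs in flows.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_fast_log(SAMPLE_FAST_LOG))
    for proto, count in sorted(summary["by_proto"].items()):
        print(f"{proto}: {count} drop verdict(s) over {len(summary['flows'][proto])} flow(s)")
        for src, dst in summary["flows"][proto]:
            print(f"  {src} -> {dst}")
```

Run it against a real `/var/log/suricata/fast.log` (`parse_fast_log(open(path).read())`) to get the list of `src -> dst` pairs the engine marked as dropped; each pair is then something to verify directly on the client side (did the DNS answer actually arrive?). One thing the quoted lines already show is that the same source port appears under two source addresses (`192.168.254.2` and `10.10.12.254`), which is consistent with the same packet being seen on both the LAN and WAN interface in the two-interface IPS setup, so counting verdicts per flow rather than per line avoids double counting.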