Excluding IP Addresses from Monitoring or IDS/IPS

The previous item I sent stated that Microsoft is concerned with their outbound URLs being affected. It seems to me that most rules are set from External to Home in the rule variables. So would outbound really be a concern?

I found this link interesting though I have seen Microsoft pushing Suricata. Maybe you all have seen this link before.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-intrusion-detection-open-source-tools

From: Matt Clairmont via Suricata suricata@discoursemail.com
To: ljacobs@netsecuris.com

But again, if the BPF has those subnets in it, why would IPS block all traffic?

See my other reference. Microsoft is concerned about their O365 URLs outbound. It does not state anything about inbound in regards to IDS/IPS. Besides, it is in regards to tcp80 and tcp443 traffic, by them stating outbound URLs.

From: Matt Clairmont via Suricata suricata@discoursemail.com
To: ljacobs@netsecuris.com

Does version 5 support kernel bypass? Or is that only in version 6?

It is still not clear to me whether BPF in af_packet IPS mode will block all traffic or just what is in the BPF filter.

From: Victor Julien via Suricata suricata@discoursemail.com
To: ljacobs@netsecuris.com

AF_PACKET in IPS mode will forward all packets the capture interface reads. So anything it doesn’t read due to a BPF is not forwarded. So if you have a filter like "not host 1.2.3.4", then traffic for IP 1.2.3.4 will not be forwarded. If you have a filter "host 1.2.3.4", then only traffic for 1.2.3.4 will be forwarded. So in IPS mode, BPF is almost certainly not what you are looking for.

Ok. Now I understand.

So what is suggested to ignore processing packets from those Microsoft IP subnets?

From: Victor Julien via Suricata suricata@discoursemail.com
To: ljacobs@netsecuris.com

I would say that the XDP option is exactly what you are looking for, as long as your kernel is recent and your NIC / driver support it. That will lighten the load on your IPS and not block the traffic. From the manual: “XDP bypass is compatible with AF_PACKET IPS mode. Packets from bypassed flows will be send directly from one card to the second card without going by the kernel network stack.”
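The following is an added example, not code from this thread or from Suricata: a small Python model of the two behaviours described above, a BPF filter on the capture interface in AF_PACKET IPS mode versus a bypass of the kind XDP bypass provides. The packet class, the tiny filter parser, and the use of 203.0.113.0/24 as a stand-in for a Microsoft prefix are all assumptions; nothing here configures Suricata itself.

```python
"""Model of two ways to keep a set of IP subnets out of an inline (IPS) sensor.

Added illustration, not Suricata code.  It mimics the two behaviours the
thread describes:

  * a BPF filter on the capture interface: packets the filter rejects are
    never read, and AF_PACKET IPS only forwards what it reads, so they are
    lost on the wire;
  * a bypass (XDP bypass is the real-world counterpart): every packet is
    still forwarded, bypassed ones simply skip inspection.

Subnets and packets below are constructed from RFC 5737 documentation
ranges; 203.0.113.0/24 stands in for a Microsoft (O365/Teams) prefix.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def parse_filter(expr):
    """Parse a small BPF subset: '[not] [(] host A | net A/B [or ...] [)]'.

    Returns predicate(packet) -> True when the filter ACCEPTS the packet,
    i.e. when a capture using this filter would read it at all.
    """
    expr = expr.strip()
    negate = expr.startswith("not ")
    if negate:
        expr = expr[4:].strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1].strip()
    networks = []
    for clause in expr.split(" or "):
        tokens = clause.split()
        if len(tokens) != 2 or tokens[0] not in ("host", "net"):
            raise ValueError(f"unsupported clause: {clause!r}")
        networks.append(ipaddress.ip_network(tokens[1], strict=False))

    def accepts(pkt):
        hit = any(
            ipaddress.ip_address(pkt.src) in net or ipaddress.ip_address(pkt.dst) in net
            for net in networks
        )
        return hit != negate

    return accepts


def ips_with_capture_filter(packets, bpf):
    """AF_PACKET IPS with a BPF on the capture side.

    Only packets the filter accepts are read; a read packet is inspected and
    forwarded to the peer interface.  Everything else is never read, hence
    never forwarded: from the network's point of view it is dropped.
    """
    accepts = parse_filter(bpf)
    forwarded, inspected, dropped = [], [], []
    for pkt in packets:
        if accepts(pkt):
            inspected.append(pkt)
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return {"forwarded": forwarded, "inspected": inspected, "dropped": dropped}


def ips_with_bypass(packets, bypass_subnets):
    """Bypass model: every packet is forwarded; packets to or from a bypass
    subnet skip inspection instead of being lost."""
    nets = [ipaddress.ip_network(s, strict=False) for s in bypass_subnets]
    forwarded, inspected = [], []
    for pkt in packets:
        forwarded.append(pkt)
        bypassed = any(
            ipaddress.ip_address(pkt.src) in net or ipaddress.ip_address(pkt.dst) in net
            for net in nets
        )
        if not bypassed:
            inspected.append(pkt)
    return {"forwarded": forwarded, "inspected": inspected, "dropped": []}


def counts(result):
    """(forwarded, inspected, dropped) packet counts for a result dict."""
    return tuple(len(result[k]) for k in ("forwarded", "inspected", "dropped"))


# Constructed sample traffic: one "Microsoft" flow, one other outbound flow,
# one inbound flow.
MS_SUBNET = "203.0.113.0/24"  # placeholder for a real O365/Teams prefix
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 443),  # client -> Teams (stand-in)
    Packet("10.0.0.5", "198.51.100.7", 80),   # client -> some other web site
    Packet("192.0.2.9", "10.0.0.5", 22),      # inbound SSH attempt
]

if __name__ == "__main__":
    for label, res in (
        ("bpf 'not net MS'", ips_with_capture_filter(SAMPLE, f"not net {MS_SUBNET}")),
        ("bpf 'net MS'    ", ips_with_capture_filter(SAMPLE, f"net {MS_SUBNET}")),
        ("bypass MS       ", ips_with_bypass(SAMPLE, [MS_SUBNET])),
    ):
        fwd, insp, drop = counts(res)
        print(f"{label}  forwarded={fwd} inspected={insp} dropped={drop}")
```

Running it shows the point of the two replies above: "not net 203.0.113.0/24" silently drops the excluded Microsoft traffic, "net 203.0.113.0/24" drops everything else, and only the bypass path forwards all three packets while inspecting two. Before putting any capture filter on an inline box, it is worth checking it the same way, by what the filter rejects rather than by what it is intended to exclude.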

This is something I am looking at when the same traffic passes multiple taps. No need to analyze the same traffic twice and waste precious processing time.

Is XDP supported in Suricata version 5?

The loaded kernel is GNU/Linux 4.15.0-96-generic x86_64.

The NIC interfaces in the hardware appliances we use are:

Intel I210 Gigabit with driver=igb driverversion=5.4.0-k firmware=3.11

Intel I350 Gigabit with driver=igb driverversion=5.4.0-k firmware=1.59

How can I find out if all of this is supported for XDP?

From: Sean via Suricata suricata@discoursemail.com
To: ljacobs@netsecuris.com

Supported in Suricata 5.

D/L the Intel NIC driver and check the README file. IIRC it provides details of capabilities.

4.15 kernel or newer required.

Once you install the latest NIC drivers, recompile Suricata following the instructions in the docs for the other prerequisites and configure options.

Well I certainly have a new enough kernel. I am working on seeing if I have the latest driver for those NICs.

I just want to make sure that XDP won’t block all the traffic because that defeats the purpose of af_packet IPS. I just need XDP to work on that particular Microsoft traffic for Teams.

From: Sean via Suricata suricata@discoursemail.com
To: ljacobs@netsecuris.com

If we properly implement XDP, is it guaranteed to only stop analyzing the traffic we tell it not to touch, and still pass all other traffic through af-packet IPS mode?