Feature request, requires Suricata support for innet 5 tuple mode

shell_xu · April 11, 2023, 9:21am

In my production environment, traffic mirroring is done by encapsulating data packets in VXLAN format and sending them out. Unfortunately, due to some reasons, the agent collecting traffic mirroring always sends data with the same source port, which prevents me from using the cluster_per_flow configuration. Since their 5-tuple is always the same, Suricata’s multithreading cannot achieve load balancing. After running tcpdump, you will see data similar to this:

192.168.199.32.59293 > 192.168.1.200.4789
192.168.199.32.59293 > 192.168.1.200.4789
192.168.199.32.59293 > 192.168.1.200.4789
192.168.199.32.59293 > 192.168.1.200.4789

I encountered the same problem with Zeek, but Zeek supports more PF_RING cluster_type options than Suricata. I used the inner_flow_5_tuple mode to solve this problem.

Currently, Suricata does not seem to support this feature, so I am making a feature request. Is it possible to support this feature?

history topic: Does Suricata support cross-packet reassembly with PF_RING cluster_round_robin?

Jeff_Lucovsky · April 16, 2023, 1:49pm

There’s an issue for this: Feature #5975: Add support for 'inner' PF_RING clustering modes - Suricata - Open Information Security Foundation

There’s a PR (in review) for the issue.

If you don’t want to wait for the PR process to complete, check out the branch and try a manual build.

shell_xu · April 25, 2023, 5:56am

Thx bro. I’d love to try this PR and verify that the problem is improved! I will give feedback later

Topic		Replies	Views
Suricata PF_RING in IPS mode Help	3	795	August 7, 2020
Can Suricata reassemble a flow from different network interfaces? Help	5	1322	June 26, 2020
Suricata ignoring vxlan traffic Help	5	811	August 13, 2021
Asymmetric Traffic Help	4	355	August 29, 2022
Offload and Acceleration ideas Developers	6	2998	July 17, 2021

Feature request, requires Suricata support for innet 5 tuple mode

Related Topics