Since CPU hikes even if suricata.rules is not present, I think I can use rules-based filtering.
What can I use so that suricata does not process the forwarding traffic at all?
EDIT: To be clear, that means Suricata should not process traffic at all if it is not destined to or originating from the VM on which Suricata is installed, whether the suricata.rules file is present or not. How can I achieve it?
The BPF mechanism applies to the L2 traffic so we’d need to know more about your setup.
First, the Suricata version you’re using is unsupported; we recommend using the latest version, Suricata 7.0.7, which is supported and receives security and other important updates.
You’re using Suricata in inline or IPS mode; knowing how you’re using Suricata means what packet capture interfaces are in use to capture and transmit packets. If you’re using af-packet, the BPF mechanism should give you the filtering behavior you’re seeking.
We are using Suricata in IDS mode (I do not know what inline means). Would af-packet be available in IDS mode? Based on couple of answers I found, probably not. In that case, what options would we have?
I have to bring this post to life once again. In one variation of the setup, both suricata VM nic1 and suricata VM nic2 in the setup below are in masquerade mode (based on the result of firewall-cmd --list-all-zones). In this case the BPF filter does not work. Is there a way I can still exclude FORWARD traffic using a BPF filter or something else?
We are running Suricata as a service and its command line as returned by “ps -ef | grep suricata” is:
/sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet=eth0 --af-packet=nic3 --user suricata src host 50.50.50.117 or dst host 50.50.50.117 or src host 60.60.60.4 or dst host 60.60.60.4
where “50.50.50.117” is the IP of eth0 and “60.60.60.4” is the IP of nic3.
I have attached suricata.yaml (74.8 KB).
The issue is that both eth0 and nic3 are masqueraded. So when I send a ping from 60.60.60.150 to 50.50.50.111 and turn pcap-log on in suricata.yaml, I see ICMP packets, which makes me believe masquerading is letting packets that are supposed to be filtered be passed on to Suricata.
You’re using Suricata in IDS mode (meaning that Suricata will not transmit packets between interfaces) and it will receive packets from the NICs configured on the command line, nic3 and eth0.
You’re wanting to ignore traffic directed to each NIC and the BPF filter doesn’t seem to be working.
Let’s take Suricata out of the picture and try the same setup.
Can you initiate the ping and use tcpdump -i nic3 (and later, do the same with eth0) to ensure the traffic is proper? tcpdump supports the same BPF filter syntax that you’re using with Suricata.
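As an added illustration (not code from this thread or from the Suricata project), the script below models what the host-based BPF expression on the command line above admits, so the reader can reason about the symptom described earlier (ICMP from 60.60.60.150 to 50.50.50.111 still showing up) before running the tcpdump check suggested here. It implements only the small subset of BPF syntax used on the page (src host / dst host / host terms joined by and/or, with optional not), and it assumes, as a modelling assumption, that masquerading on the egress NIC rewrites a forwarded packet's source address to that NIC's own IP before the packet reaches the capture point. The packets and the nic1/nic2 naming are constructed for the example; the addresses are the ones from the thread.

```python
"""
Model which packets a host-based BPF expression admits, before and after
masquerading. Added example; not part of the forum thread or of Suricata.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the IP header fields the filter looks at."""
    src: str
    dst: str
    proto: str = "icmp"


def build_filter(local_ips):
    """Build the 'src host X or dst host X ...' expression from the thread."""
    terms = []
    for ip in local_ips:
        terms.append(f"src host {ip}")
        terms.append(f"dst host {ip}")
    return " or ".join(terms)


# One primitive: optional direction qualifier, 'host', dotted-quad IPv4.
_TERM = re.compile(r"(?:(src|dst)\s+)?host\s+(\d+\.\d+\.\d+\.\d+)")


def _eval_term(term, pkt):
    """Evaluate a single primitive, with optional leading 'not'."""
    term = term.strip()
    negate = term.startswith("not ")
    if negate:
        term = term[4:].strip()
    m = _TERM.fullmatch(term)
    if not m:
        raise ValueError(f"unsupported BPF term: {term!r}")
    direction, ip = m.groups()
    if direction == "src":
        hit = pkt.src == ip
    elif direction == "dst":
        hit = pkt.dst == ip
    else:  # plain 'host': either side
        hit = ip in (pkt.src, pkt.dst)
    return hit != negate


def matches(expr, pkt):
    """True if pkt passes the filter. 'and' binds tighter than 'or', as in BPF."""
    return any(
        all(_eval_term(t, pkt) for t in disj.split(" and "))
        for disj in expr.split(" or ")
    )


def masquerade(pkt, egress_ip):
    """Assumption: SNAT/masquerade on the egress NIC replaces the forwarded
    packet's source with the NIC's own address before capture sees it."""
    return Packet(src=egress_ip, dst=pkt.dst, proto=pkt.proto)


# Local NIC addresses from the thread.
LOCAL = {"eth0": "50.50.50.117", "nic3": "60.60.60.4"}
FILTER = build_filter(LOCAL.values())


def demo():
    """Classify two constructed packets under the filter."""
    forwarded = Packet(src="60.60.60.150", dst="50.50.50.111")  # neither end is the VM
    direct = Packet(src="60.60.60.150", dst=LOCAL["nic3"])       # destined to the VM
    return {
        "direct_to_vm": matches(FILTER, direct),
        "forwarded_no_masq": matches(FILTER, forwarded),
        "forwarded_after_masq": matches(FILTER, masquerade(forwarded, LOCAL["eth0"])),
    }


if __name__ == "__main__":
    print(FILTER)
    for name, seen in demo().items():
        print(f"{name:22s} seen by filter: {seen}")
```

Under the model, the forwarded ping is excluded on its own addresses but is admitted once its source has been rewritten to 50.50.50.117, which would produce exactly the pcap-log observation reported above. Whether that is what happens on the real host is what tcpdump -i eth0 with the same filter, run as suggested in the reply, will show: if the captured ICMP packets carry the NIC's address as source, the filter is behaving correctly and the exclusion has to be expressed differently than by host address.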