jack327
(Jack O'Connor)
June 30, 2022, 1:53am
#1
If I had a software environment that utilized DPDK to read packets directly off a NIC, and this system operated as the DPDK primary, configured the NIC, and retrieved packets, would I be able to pass packets to Suricata (version 7.0) via DPDK as well? Does Suricata support receiving packets from a ring instead of a NIC?
Additionally, Suricata is intended to run as a primary process only.
(From near the end of this: 10.1. Suricata.yaml - Suricata 7.0.0-dev documentation)
This piece of the documentation makes it sound like it won't work, but I just wanted to confirm.
Thanks!
vjulien
(Victor Julien)
July 2, 2022, 5:26am
#2
This is in development:
OISF:master
← lukashino:feat/5203-primary-app-v2
opened 09:16AM - 27 May 22 UTC
- [X] I have read the contributing guide lines at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing
- [X] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/
- [X] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
Link to [redmine ticket about Suricata secondary process support](https://redmine.openinfosecfoundation.org/issues/4910).
Link to [redmine ticket about prefilter application](https://redmine.openinfosecfoundation.org/issues/5203).
This is a follow-up of #7283 which incorporates two Redmine tickets together, one for Suricata secondary mode support and the other for adding an app that would run as a primary process. The PR extends the work of #7283 by continuing to work toward the prefilter concept. As of now, the prefilter configures the provided NICs according to the YAML configuration and then passes packets to Suricata through DPDK rings. It also uses a message system between Suricata and Prefilter for an asynchronous bypass method. Suricata can also load Prefilter configuration by reading Prefilter's shared configuration stored in a memory zone. The prefilter is intended to be architecturally flexible (not depending on any hardcoded module) but as of now, for some use-cases, the prefilter uses the Suricata library.
Use flags `--enable-dpdk --enable-dpdk-apps` to enable Prefilter in the configuration process.
The plan is to have a shared DPDK configuration codebase for prefilter and Suricata. As a result, prior to the compilation of the prefilter app, Suricata needs to be compiled and installed first (together with headers and library). Makefile target `dpdk-apps-prereq` should solve the issue. After the Suricata library is installed, it needs to be added to the list of shared libraries (ldconfig), or at least the `LD_LIBRARY_PATH` variable needs to be edited. Makefile target `dpdk-apps` compiles the prefilter app. The final `prefilter` binary can be found in the `dpdk/prefilter/build` folder.
Changelog from #7283:
- new asynchronous bypass support through message mechanism
- Suricata reading Prefilter configuration from a shared configuration memory zone
- bug fixes
Testing/feedback would be much appreciated!