Dear community & suricata-Team,
i’m trying to implement a setup with Suricata (v6.0.1-3 @ debian) in IPS-mode in AWS (instance with a single interface)
I’ve read multiple recommended scenario docs from AWS and as it looks like the “state of the art” how somebody should integrate an IDS-solution into a AWS-environment is by using the "Gateway Loadbalancer (GWLB) & it’s endpoints.
In short: GWLB sits between NAT/INTERNET-GW, encapsulates the traffic using GENEVE and forwards it to Suricata, suricata decapsulates & scans it, and if all ok, “puts the packet pack on to wire”. The packet is then sent back to GWLB which then goes to the internet.
( Documentation i consulted was:
- Getting started with Gateway Load Balancers - Elastic Load Balancing
- Building an Open Source IDS IPS service for Gateway Load Balancer | Networking & Content Delivery
-
Introducing AWS Gateway Load Balancer: Supported architecture patterns | Networking & Content Delivery
… and many more, but these here are the major one)
The setup in it’s very end looks like this here:
My main question at the moment is -
How does the GENEVE decoder / suricata with GENEVE decoder work? Namely - will suricata send the Geneve-re-encapsulated Traffic back to the “originator”(here - the gateway-loadbanancer) or do I have to take care about it?
My expectation was initialy that suricata IS doing that (sending backtraffic to the origination, namely GWLB) on it’s OWN, without any PREROUTING/POSTROUTING iptables rewrites.
But it does not happen, as i’ve looked up from couple of examples i found, it is something about the person setting up has to take care of.
Am i mistaking or is it really the case?
I know, the topic is not trivial and common, but am thankful for any hints.
Best