Suricata as IPS in AWS with GWLB


Dear community & suricata-Team,

I’m trying to implement a setup with Suricata (v6.0.1-3 @ Debian) in IPS mode in AWS (instance with a single interface).

I’ve read multiple recommended scenario docs from AWS, and as it looks like, the “state of the art” way to integrate an IDS solution into an AWS environment is by using the Gateway Load Balancer (GWLB) and its endpoints.

In short: GWLB sits between NAT/INTERNET-GW, encapsulates the traffic using GENEVE and forwards it to Suricata; Suricata decapsulates and scans it, and if all is OK, “puts the packet back on the wire”. The packet is then sent back to GWLB, from where it goes to the internet.

(Documentation I consulted was:

  1. Getting started with Gateway Load Balancers - Elastic Load Balancing
  2. Building an Open Source IDS IPS service for Gateway Load Balancer | Networking & Content Delivery
  3. Introducing AWS Gateway Load Balancer: Supported architecture patterns | Networking & Content Delivery
    … and many more, but these here are the major ones)

The setup in its very end looks like this:

My main question at the moment is:
How does the GENEVE decoder / Suricata with the GENEVE decoder work? Namely, will Suricata send the GENEVE re-encapsulated traffic back to the “originator” (here the Gateway Load Balancer), or do I have to take care of that?

My expectation initially was that Suricata IS doing that (sending the traffic back to the originator, namely the GWLB) on its OWN, without any PREROUTING/POSTROUTING iptables rewrites.

But it does not happen; as I’ve looked up from a couple of examples I found, it is something the person setting it up has to take care of.

Am I mistaken, or is it really the case?

I know the topic is not trivial and common, but I am thankful for any hints.

Best
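To make concrete what “putting the packet back on the wire” toward the GWLB involves, here is an added illustration that is not from this thread or from the aws-samples project: it parses a GENEVE-in-UDP frame the way a decoder must (outer headers, option block, inner packet) and builds the frame an appliance would have to emit to return the packet to its originator, with outer MACs, addresses and UDP ports swapped and the GENEVE header plus options kept verbatim. The sample frame, the addresses and the option class/type values are constructed for the demonstration and are not AWS’s.

```python
import struct
GENEVE_PORT = 6081  # UDP port assigned to GENEVE (RFC 8926)

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of an IPv4 header (checksum field zeroed before calling)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_geneve(frame: bytes) -> dict:
    """Split an Ethernet/IPv4/UDP/GENEVE frame into outer headers, GENEVE header+options and inner packet."""
    eth, ip = frame[:14], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] != GENEVE_PORT:
        raise ValueError("not GENEVE-in-UDP")
    gen = ip[ihl + 8:]
    opt_len = (gen[0] & 0x3F) * 4  # option length is given in 4-byte words
    return {"eth": eth, "ip": ip[:ihl], "udp": ip[ihl:ihl + 8],
            "geneve": gen[:8 + opt_len],  # header plus all options, kept verbatim
            "proto": struct.unpack("!H", gen[2:4])[0],
            "vni": int.from_bytes(gen[4:7], "big"),
            "inner": gen[8 + opt_len:]}

def return_to_originator(frame: bytes) -> bytes:
    """Frame the appliance must put back on the wire after inspection: outer MACs, IPs and
    UDP ports swapped so it flows back to the GWLB, GENEVE header and options untouched."""
    p = parse_geneve(frame)
    eth = p["eth"][6:12] + p["eth"][:6] + p["eth"][12:14]
    ip = bytearray(p["ip"])
    ip[12:16], ip[16:20] = p["ip"][16:20], p["ip"][12:16]
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    udp = p["udp"][2:4] + p["udp"][:2] + p["udp"][4:6] + b"\x00\x00"  # zero UDP checksum (allowed on IPv4)
    return eth + bytes(ip) + udp + p["geneve"] + p["inner"]

def build_sample() -> bytes:
    """Constructed sample: GWLB 10.0.1.10 -> appliance 10.0.1.20 carrying an inner IPv4 packet and
    one 8-byte GENEVE option (class/type values are made up, not AWS's)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0, bytes([10, 0, 2, 5]), bytes([93, 184, 216, 34]))
    option = struct.pack("!HBB", 0x0102, 1, 1) + b"\xde\xad\xbe\xef"  # 4-byte option body
    geneve = struct.pack("!BBH", 2, 0, 0x0800) + (0x1234).to_bytes(3, "big") + b"\x00" + option
    udp = struct.pack("!HHHH", 40000, GENEVE_PORT, 8 + len(geneve) + len(inner), 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(geneve) + len(inner),
                               7, 0, 64, 17, 0, bytes([10, 0, 1, 10]), bytes([10, 0, 1, 20])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return bytes.fromhex("0a0000000002" "0a0000000001" "0800") + bytes(ip) + udp + geneve + inner
```

Whether this swap is done by the inspection engine or by the host (routing, iptables, a tunnel interface) is exactly the point the thread is asking about; the parser shows what must survive the round trip either way.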

AWS Network Firewall has Suricata integrated and supports Suricata rules. Is there a reason why you are not using AWS Network Firewall and are doing your own deployment?


Yes, a standalone solution is

  • much less vendor agnostic, which is required in my case
  • costs only a fraction of the AWS firewall

@sha512 do you have an answer now? Does it re-encapsulate and send it back to the GLB?

As revealed by GitHub - aws-samples/aws-gateway-load-balancer-suricata-ids-ips-nsm, particularly /Dockerfiles/suricata/etc/suricata/suricata.yaml, GENEVE is decoded by Suricata itself.