Suricata with passive optical TAP

Hello,

I am running Suricata in IDS mode, connected to my network using a passive optical TAP. Passive optical TAPs are a very handy solution, which is very reliable due to being completely passive.

To run Suricata in IPS mode, you need to send Suricata both incoming and outgoing packets from the given monitored link (i.e. both sides of the traffic). You have two options:

  • use a switch and its “port monitoring” functionality. To get both sides of the traffic, you typically need to copy traffic from at least two ports (the ones where your link comes into the switch and goes out of the switch) to the “monitoring port”, where you will connect Suricata. Suricata then sees all packets as unidirectional, i.e. incoming on its NIC. This is in many cases not an optimal solution. Just imagine that you have a 10Gbit/s link over your switch which you would like to monitor, and Suricata is also connected by a 10Gbit/s port. As both directions of traffic on your link will be copied as outgoing traffic to the monitoring port, you can’t exceed 10Gbit/s of traffic in SUM on your link, otherwise you will saturate the monitoring port! Also, if your switch dies or malfunctions, your link will go down.

  • the second way to get traffic sniffed and copied to Suricata is easier and more reliable: using optical passive TAPs, where the light going through the fibre optic cable is simply split between your link and another monitored link. It is typically used with duplex fibre optic links, and therefore from one monitored link you will get two outputs: one carrying the copied downstream data and one with the upstream data. Therefore you are not limited in capacity as in the case above: upstream data up to the full 10Gbit/s capacity is copied to one 10Gbit/s interface, and downstream data, again at full capacity, is copied to a second independent 10Gbit/s port.

The issue is that there is no documentation about using passive TAPs with Suricata at all. As mentioned, Suricata needs to see both sides of the traffic to reconstruct flows properly.

  • In the first case, both sides are present on the same Suricata interface.

  • In the second case, each side of the traffic is present on an independent Suricata interface.

Is this a problem? How should the two interfaces be configured in Suricata?

I really think that such a setup should be possible, as it is for example possible to set up Suricata in IPS mode, where it natively sees both directions of the traffic incoming on two different interfaces. Even more, as with passive TAPs you only use the receiving fibre (IN) on the Suricata NIC SFP, and the transmit fibre (OUT) is not even connected, you could even set packet copy mode on both NICs as in IPS mode. But copying packets would only be wasting resources, as these won't be transmitted anywhere.

Therefore I really hope that Suricata can work natively with passive TAPs, and it is only that such functionality is not documented. I see this as an opportunity to improve on this.

I would be very thankful if someone with Suricata code knowledge could step in and enlighten us on how we can use Suricata in TAP mode.

Best regards
L.
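As an added example (not part of the original post, and not a configuration taken from the Suricata project documentation), the following suricata.yaml fragment shows one way the two-interface passive-TAP setup described above can be expressed for the af-packet capture method. The interface names enp1s0f0 and enp1s0f1, the thread counts and the cluster-id values are assumptions; adjust them to the NICs the two TAP outputs are plugged into. Each interface gets its own af-packet entry with a distinct cluster-id, and no copy-mode/copy-iface keys are set, since nothing is being forwarded (this is IDS mode, not IPS mode).

```yaml
# Added example: suricata.yaml fragment for a passive optical TAP whose two
# outputs (one per traffic direction) are connected to two separate NICs.
# Interface names, thread counts and cluster-ids below are assumed values.

# autofp is the runmode in which capture threads hand packets to detect
# threads load-balanced by flow hash, so both directions of a flow end up on
# the same detect thread even though they arrive on different NICs.
runmode: autofp

af-packet:
  # TAP output A: one direction of the monitored link (only RX fibre used).
  - interface: enp1s0f0
    threads: 4
    cluster-id: 98            # assumed value; must be unique per interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    # no copy-mode / copy-iface: nothing is transmitted back (IDS, not IPS)

  # TAP output B: the opposite direction of the same monitored link.
  - interface: enp1s0f1
    threads: 4
    cluster-id: 99            # assumed value; different from the entry above
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
```

With this fragment in place, start Suricata with `suricata -c /etc/suricata/suricata.yaml --af-packet` (no interface argument, so all af-packet entries from the file are used). Because the two NICs each carry only one direction, a useful sanity check is to confirm in stats.log that the capture counters for both interfaces are increasing; if only one of them moves, one TAP output is on the wrong fibre or the wrong port, and Suricata will see only half of every flow.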

Unfortunately there is no explanation in Suricata documentation, how to handle