Using Suricata in IPS mode with AF_XDP

Hi, I’m new to Suricata and I want to run Suricata in IPS (inline) mode on my network with throughput maximized.

It seems Suricata with AF_PACKET (raw socket in kernel) works, but I’m not sure whether Suricata with XDP is available or not. I’ve tried to search for its feasibility, but cannot figure it out.

In other words, I want to know whether the following process is possible or not: at the earliest hooking point in the kernel (i.e., AF_XDP), the packet is hooked by an eBPF program and redirected to Suricata in user space for DPI (layer 7 packet filtering), bypassing the networking stack.

Thanks in advance.

Since Suricata 7 provides AF_XDP I would argue it might be worth a try to see if it can work. But so far I have not seen anyone using it (which does not mean it’s not possible).


Thank you for the reply. That’s great news!
I’ll give it a try and keep you updated if anything comes up.

Hey,

It won’t answer your question, but what I kind of gathered from above is you are looking to run your firewall in IPS mode with little to no loss in throughput on your line speed. If I am correct in assuming that, I actually achieved that with a computer built for under $500 on my home network, which has 5Gbps/5Gbps, using AF-Packet. You need an X710 or X520 from my testing (I have both here, used the X520 for this and the X710 for my server) and need to follow SEPTun/SEPTun.rst at master · pevma/SEPTun · GitHub to set it up right. I have 5 sources enabled, and am running full 5/5 Gbps on my home network with a transparent inline firewall with IPS turned on and all alerts set to drop.

I’d be happy to answer questions. I had a post here, Linux bridge and af-packet wont drop on rule - #8 by Jacob_Steele, where I documented most of my Linux settings and OS (along with my journey through Ubuntu Server, FreeBSD and finally CachyOS Linux).
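As an added illustration for this thread (not the posters' own configs), here are the two capture sections of a Suricata 7 suricata.yaml that the replies above refer to: an AF_PACKET inline pair of the kind used in a SEPTun-style transparent bridge, and the af-xdp section. Interface names, thread counts and cluster ids are assumptions; confirm against the documentation of your Suricata release whether af-xdp can run inline before relying on it in IPS mode.

```yaml
# Added example, not from the thread. Interface names (eth0/eth1), thread
# counts and cluster ids are assumptions; adjust to your NICs and cores.

# 1) AF_PACKET inline pair: frames entering eth0 are inspected and, unless
#    dropped by a rule, copied out of eth1 and vice versa, so the box acts
#    as a transparent bridge between router and WAN.
af-packet:
  - interface: eth0
    threads: 4
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth1
    tpacket-v3: no        # v3 is not meant for IPS/TAP mode (severe latency)
    ring-size: 200000
  - interface: eth1
    threads: 4
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth0
    tpacket-v3: no
    ring-size: 200000

# 2) AF_XDP capture (needs a build configured with --enable-af-xdp and a
#    kernel/NIC driver with XDP support). Written here as a passive capture
#    on a single interface; see the lead-in regarding inline use.
af-xdp:
  - interface: eth0
    threads: auto
    disable-promisc: false
    force-xdp-mode: none      # none | skb | drv: let the driver pick native mode
    force-bind-mode: none     # none | copy | zero: zero-copy if the driver allows
    mem-unaligned: no
    enable-busy-poll: yes
    busy-poll-time: 20
    busy-poll-budget: 64
    gro-flush-timeout: 2000000
    napi-defer-hard-irqs: 2
```

Start the inline pair with `suricata -c /etc/suricata/suricata.yaml --af-packet`, and the XDP capture with `suricata -c /etc/suricata/suricata.yaml --af-xdp`; `suricata --build-info` shows whether the binary was built with AF_XDP support.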


This is awesome! Thank you a lot.
I will check your post and try your setup.
BTW, have you tried it on 10Gbps NICs too, or do you think it’s possible to achieve line speed using AF-PACKET?

In the document I referred to, they managed to get 20 Gbps throughput on IDS, not sure about IPS. I am using 10Gbps NICs, the X520 from Intel and the X710 from Intel, however my WAN is only 5Gbps up and down so I am unable to test it to 10 Gbps. I use it as an inline firewall proxy between my router and WAN ONT; it blocks, detects and forwards all information between my internal and external network.

Also, I did this with some backup homelab parts I had sitting around and not something built for the cause. I wanted to make sure I could do it for not much investment, and considering you could do this with an old AMD processor, an Intel 520 NIC, 16GB of DDR4 RAM and a small NVMe, I proved it could be done for under $500 all in, which was my goal.