Talk: "Suricata IDPS and its interaction with Linux kernel" (Eric Leblond & Giuseppe Longo)


Suricata is an open source network intrusion detection and prevention system. It analyzes traffic content against a set of signatures to discover known attacks, and it also logs protocol information.

One particularity of an IDS is that it needs to analyze the traffic as it is seen by the target. For example, TCP stream reassembly has to be done the same way the target operating system does it, and for this reason the IDS can't rely on its own host operating system to do it.
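The point above, that the sensor must reassemble overlapping TCP segments the way the target host would, as an added illustration (this is not Suricata's code; the two policies are deliberately simplified stand-ins for per-host overlap handling and do not claim to reproduce any particular operating system's exact rules; the segments are constructed):

```python
"""Why an IDS must reassemble TCP streams the way the target host does.

Added illustration, not Suricata's reassembly code. "favor_old" and
"favor_new" are simplified, hypothetical overlap policies standing in for
the per-host rules a sensor has to model; no real OS is claimed to behave
exactly like either.
"""


def reassemble(segments, policy):
    """Rebuild a byte stream from (relative_seq, payload) segments.

    policy "favor_old": bytes already received win when a later segment
    overlaps them.  policy "favor_new": the later segment overwrites them.
    Raises ValueError if the covered range has a hole.
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if off in buf and policy == "favor_old":
                continue          # keep the byte that arrived first
            buf[off] = byte       # first arrival, or overwrite under favor_new
    if not buf:
        return b""
    lo, hi = min(buf), max(buf)
    missing = [o for o in range(lo, hi + 1) if o not in buf]
    if missing:
        raise ValueError(f"stream has a hole at offset {missing[0]}")
    return bytes(buf[o] for o in range(lo, hi + 1))


def sensor_agrees_with_target(segments, sensor_policy, target_policy):
    """True if the sensor's view of the stream equals the target's view."""
    return reassemble(segments, sensor_policy) == reassemble(segments, target_policy)


# Constructed segments: the second and third cover the same byte range, so
# the reconstructed request depends entirely on the overlap policy in use.
SEGMENTS = [
    (0, b"GET /"),
    (5, b"index.html"),
    (5, b"admin.html"),
]

if __name__ == "__main__":
    for pol in ("favor_old", "favor_new"):
        print(pol, reassemble(SEGMENTS, pol))
    print("sensor=favor_old, target=favor_new, views agree:",
          sensor_agrees_with_target(SEGMENTS, "favor_old", "favor_new"))
```

A sensor whose policy differs from the target's inspects a request the target never saw, which is why Suricata has to carry a per-host reassembly policy rather than reuse its own kernel's TCP stack.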

Suricata interacts with the underlying operating system in a number of ways to capture network traffic. Under Linux it supports a wide range of capture methods, from AF_PACKET to NFQUEUE or NFLOG.

The purpose of this talk is to describe how various performance challenges and interactions with the Linux kernel have been addressed, and to show which work is in progress to increase performance. We will also explain in detail the current limitations, and some ideas that looked good at first but turned out to be wrong. Finally, we will cover possible evolutions such as offloading known-good traffic.