Suricata XDP Syncookie for IDS AF_PACKET
Make sure these boxes are signed before submitting your Pull Request -- thank you.
- [x] I have read the contributing guide lines at https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
- [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/ (note: this is only required once)
- [x] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
Describe changes:
- Add XDP Syncookie feature to prevent host from SYN flooding attack in AF_PACKET IDS
Provide values to any of the below to override the defaults.
To use a pull request use a branch name like pr/N where N is the pull request number.
Alternatively, SV_BRANCH may also be a link to an OISF/suricata-verify pull-request.
SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=
Codecov Report
Attention: Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.
Project coverage is 82.65%. Comparing base (bf5cfd6) to head (9a6b31c). Report is 706 commits behind head on master.

@@ Coverage Diff @@
## master #10694 +/- ##
==========================================
- Coverage 82.72% 82.65% -0.07%
==========================================
Files 926 926
Lines 247633 247641 +8
==========================================
- Hits 204865 204700 -165
- Misses 42768 42941 +173

Flag | Coverage Δ |
---|---|
fuzzcorpus | 63.97% <0.00%> (-0.25%) ↓ |
suricata-verify | 61.97% <0.00%> (-0.01%) ↓ |
unittests | 62.18% <0.00%> (-0.01%) ↓ |

Flags with carried forward coverage won't be shown.
@victorjulien this is the new XDP Syncookie PR that addressed your comments. I added the last commit to address the builds / Debian 11 (xdp) (pull_request) failure, because I suspect Debian 11 has an old libbpf (before 0.8); we could also skip the Debian 11 (xdp) test if you don't want the last commit. Let me know what you prefer.
Is https://redmine.openinfosecfoundation.org/issues/6277 the ticket for this?
@ct0br0 can we test this in the qalab dev env?
I'm not sure that we can. Looks like you need iptables, and from past experience, since we only have the half trex setup, I'm not sure that will work properly as a true 'mitm' (suri in the middle) setup, similar to the IPS and iperf tests.
We were discussing this in the team, and we're wondering if this belongs in Suricata at all? It seems these programs can be loaded from outside Suricata as well? If so, then we'd prefer it to stay outside it, and perhaps just have a guide for how to use it.
Hi Vincent, I'd like to try out your PR. Unfortunately, the machines available to me seem to be on older kernel versions and I'll likely not be able to upgrade them. Do you know why your work requires kernel 6.2, and would I be able to run it, albeit with some custom dependencies?
> We were discussing this in the team, and we're wondering if this belongs in Suricata at all? It seems these programs can be loaded from outside Suricata as well? If so, then we'd prefer it to stay outside it, and perhaps just have a guide for how to use it.
Hello, with regard to the above: due to Suricata not using libxdp and the related load semantics and dispatcher program, it is not possible to load additional programs onto an interface without first unloading the Suricata programs.
I think this unloading is not a problem if pinned maps are used, since Suricata won't attach the programs at startup anyway if it finds existing pinned maps.
I for one think the OP's contribution here would help satisfy several typical use cases when leveraging XDP. For example, the work here:
https://github.com/vincentmli/suricata/commits/suricata-6.0.9-multixdp
enables the multiprog use case and allows configuration of more than one program to be loaded, and specification of a priority value to indicate the processing order applied by the XDP dispatcher.
Besides enhancing Suricata, it allows Suricata to then play nicely with other XDP apps that want packets dispatched to them.
A great example being XDPDUMP, which is extremely helpful for diagnostics and as an XDP-enabled full packet capture mechanism that can provide visibility into packets otherwise hidden from Suricata by the early XDP drop (it can capture rx on entry to or exit from an XDP prog).
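The comment above turns on two pre-flight checks an operator would want before loading a second XDP program next to Suricata's: whether the interface already has an XDP program attached (without libxdp's dispatcher only one program can sit on the hook, so a second load first has to unload the existing one), and whether a pinned-map directory is already populated (the commenter's reason Suricata would skip attaching at startup). The script below is an added example, not code from this PR or from Suricata; it parses `ip -d link show` output and inspects a bpffs directory. The program name in the sample text and the pinned-map path shown in the live-use comment are assumptions, and the sample `ip` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the PR or from Suricata. Two checks before
# loading another XDP program next to Suricata's:
#   1. is an XDP program already attached to the interface (only one program
#      can be attached without libxdp's dispatcher), and
#   2. does the pinned-map directory already exist and hold maps.
# The program name in the sample and the bpffs path in the live-use comment
# are assumptions.

# Print the id of the XDP program found in `ip -d link show dev <if>` output
# read on stdin. Prints nothing when no "prog/xdp id N" line is present.
xdp_prog_id() {
    sed -n 's/.*prog\/xdp id \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# $1: text of `ip -d link show dev <if>`. Prints "busy:<id>" or "free".
xdp_slot_status() {
    id=$(printf '%s\n' "$1" | xdp_prog_id)
    if [ -n "$id" ]; then
        printf 'busy:%s\n' "$id"
    else
        printf 'free\n'
    fi
}

# $1: bpffs directory where maps are pinned. Prints "yes" when it exists and
# contains at least one entry, "no" otherwise.
pinned_maps_present() {
    if [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Live use (needs iproute2; reading bpffs usually needs root):
#   xdp_slot_status "$(ip -d link show dev eth0)"
#   pinned_maps_present /sys/fs/bpf/suricata   # path is an assumption

# Constructed sample outputs, not captured from a real host.
SAMPLE_BUSY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9000
    prog/xdp id 42 name xdp_prog tag 1a2b3c4d5e6f7a8b jited
    addrgenmode eui64 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso_max_segs 65535'
SAMPLE_FREE='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000
    addrgenmode eui64 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso_max_segs 65535'

xdp_slot_status "$SAMPLE_BUSY"   # busy:42
xdp_slot_status "$SAMPLE_FREE"   # free
```

A "busy" result means a plain `ip link set dev eth0 xdp obj ...` will fail or replace what is there, so the existing program must be detached (or the load done through a libxdp dispatcher) first; a "yes" from the pinned-map check is the situation the comment describes in which Suricata will reuse the maps rather than attach its own program.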