Stamus Networks was working on a new Suricata feature named bypass. It has just been merged into Suricata sources and will be part of the upcoming 3.2 release. Stamus team did initially present this work on Suricata bypass code at Netdev 1.1, the technical conference on Linux networking that took place in Sevilla in February 2016.
In most cases an attack is done at start of TCP session and generation of requests prior to attack is not common. Furthermore multiple requests are often not even possible on same TCP session. Suricata reassembles TCP sessions till a configurable size (stream.reassembly.depth in bytes). Once the limit is reached the stream is not analyzed.
Considering that Suricata is not really inspecting anymore the traffic, it could be interesting to stop receiving the packets of a flow which enter in that state. This is the main idea behind bypass.
The second one consist in doing the same with encrypted flows. Once Suricata sees a traffic is encrypted it stops inspecting it so it is possible to bypass the packets for these flows in the same way it is done for packets after stream depth.
In some cases, network traffic is mostly due to session we don't really care about on the security side. This is for example the case of Netflix or Youtube traffic. This is why we have added the bypass keywords to Suricata rules language. A user can now write a signature using this keyword and all packets for the matching flow will be bypassed. For instance to bypass all traffic to Stamus Networks website, one can use:
alert http any any -> any any (msg="Stamus is good"; content:"www.stamus-networks.com"; http_host; bypass; sid:1; rev:1;)
This is for sure just an example and as you may have seen our website is served only on HTTPS protocol.
Currently, Netfilter IPS mode is the only capture supporting the bypass. Stamus team represented by Eric Leblond will be at Netdev 1.2, first week of October 2016, to present an implementation of bypass for the Linux AF_PACKET capture method based on extended Berkeley Packet Filter.
And if you can't make it to Japan, you will have another chance to hear about that during suricon, the Suricata user conference that will take place in Washington DC beginning of November.
Suricata bypass concepts
Suricata bypass technics
Suricata is now implementing two bypass methods:
- A suricata only bypass called local bypass
- A capture handled bypass called capture bypass
The idea is simply to stop treating packets of a flow that we don't want to inspect anymore as fast as possible. Local bypass is doing it internally and capture bypass is using the capture method to do so.
Test with iperf on localhost with a MTU of 1500:
- standard IPS mode: 669Mbps
- IPS with local bypass: 899Mbps
- IPS with NFQ bypass: 39 Gbps
The concept of local bypass is simple: Suricata reads a packet, decodes it, checks it in the flow table. If the corresponding flow is local bypassed then it simply skips all streaming, detection and output and the packet goes directly out in IDS mode and to verdict in IPS mode.
Once a flow has been local bypassed it is applied a specific timeout strategy. Idea is that we can't handle cleanly the end of the flow as we are not doing the streaming reassembly anymore. So Suricata can just timeout the flow when seeing no packets. As the flow is supposed to be really alive we can set a timeout which is shorter than the established timeout. That's why the default value is equal to the emergency established timeout value.
In capture bypass, when Suricata decides to bypass it calls a function provided by the capture method to declare the bypass in the capture. For NFQ this is a simple mark that will be used by the ruleset. For AF_PACKET this will be a call to add an element in an eBPF hash table stored in kernel.
If the call to capture bypass is successful, then we set a short timeout on the flow to let time of already queued packets to get out of suricata without creating a new entry and once timeout is reached we remove the flow from the table and log the entry.
If the call to capture bypass is not successful then we switch to local bypass.
The difference between local and capture bypass
When Suricata is used with capture methods that do not offer the bypass functionality of eBPF/NFQ mark - pcap, netmap, pfring - it will switch to local bypass mode as explained above. Bypass is available for Suricata's IDS/IPS and NSM modes alike.
Handling capture bypass failure
Due to misconfiguration or to other unknown problems it is possible that a capture bypassed flow is sending us packets. In that case, suricata is switching back the flow to local bypass so we handle it more correctly.