Eric Leblond gave a talk entitled “The adventures of a Suricata in eBPF land” at netdev 1.2, the Technical Conference on Linux Networking. This talk reviewed Stamus Networks’ work in the field of bypass and showed how the eBPF technology can be used to implement this feature.
eBPF is a technology that extends the traditional Berkeley Packet Filter, which you may already know from tcpdump. An eBPF filter can be written in a subset of C, and kernel and userspace can share data through maps, which can be, for example, an array or a hash table. This technology has been used to implement a kernel bypass in Suricata: Suricata asks the Linux kernel to stop sending it (to bypass) the packets of a particular flow once it has decided that no further inspection needs to be done on that flow.
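To make the split between the two sides concrete, here is an added userspace model of the bypass mechanism described above. It is not Suricata's code nor the eBPF program from the talk: `kernel_filter` stands in for the eBPF filter doing a map lookup on every packet, `BypassMap` stands in for the shared hash map, and `Inspector` stands in for the detection engine that inserts a flow key once it has finished inspecting that flow. The packets and the "decide after N packets" rule are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int


def flow_key(pkt):
    """Direction-independent flow key so both sides of a flow hit the same map entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, pkt.proto)


class BypassMap:
    """Models the kernel-side eBPF hash map: flow key -> [packets, bytes] bypassed."""

    def __init__(self):
        self.entries = {}

    def add(self, key):
        self.entries.setdefault(key, [0, 0])

    def lookup(self, key):
        return self.entries.get(key)


def kernel_filter(bypass_map, pkt):
    """Models the eBPF program on the capture socket.

    Returns True if the packet is delivered to userspace (Suricata), False if it is
    dropped in the kernel because its flow is in the bypass map. Counters are kept
    in the map so userspace can still account for bypassed traffic.
    """
    counters = bypass_map.lookup(flow_key(pkt))
    if counters is None:
        return True
    counters[0] += 1
    counters[1] += pkt.length
    return False


class Inspector:
    """Userspace side: inspect a flow until a decision is reached, then ask for bypass."""

    def __init__(self, bypass_map, packets_until_decision=3):
        self.bypass_map = bypass_map
        self.threshold = packets_until_decision  # constructed stand-in for a real decision
        self.seen = {}
        self.inspected = 0

    def handle(self, pkt):
        self.inspected += 1
        key = flow_key(pkt)
        n = self.seen.get(key, 0) + 1
        self.seen[key] = n
        if n >= self.threshold:
            # "No further inspection needed": insert the key into the shared map.
            self.bypass_map.add(key)


def run(packets, packets_until_decision=3):
    """Push packets through the kernel filter, then the inspector; return statistics."""
    bmap = BypassMap()
    inspector = Inspector(bmap, packets_until_decision)
    for pkt in packets:
        if kernel_filter(bmap, pkt):
            inspector.handle(pkt)
    return {
        "inspected": inspector.inspected,
        "bypassed_packets": sum(c[0] for c in bmap.entries.values()),
        "bypassed_bytes": sum(c[1] for c in bmap.entries.values()),
        "flows_bypassed": len(bmap.entries),
    }


# Constructed sample traffic: one long flow (six packets, both directions) and one short flow.
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", 40000, 443, 6, 100),
    Packet("10.0.0.2", "10.0.0.1", 443, 40000, 6, 100),
    Packet("10.0.0.3", "10.0.0.4", 53000, 80, 6, 60),
    Packet("10.0.0.1", "10.0.0.2", 40000, 443, 6, 100),
    Packet("10.0.0.2", "10.0.0.1", 443, 40000, 6, 100),
    Packet("10.0.0.4", "10.0.0.3", 80, 53000, 6, 60),
    Packet("10.0.0.1", "10.0.0.2", 40000, 443, 6, 100),
    Packet("10.0.0.2", "10.0.0.1", 443, 40000, 6, 100),
]

if __name__ == "__main__":
    print(run(SAMPLE))
```

With the sample, the long flow is inspected for three packets, then its remaining three packets (300 bytes) never reach userspace, while the short flow never qualifies for bypass. The model deliberately leaves out what a real deployment also needs: expiring map entries when a bypassed flow ends, so the map does not grow without bound, and reading the per-flow counters back into flow statistics.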
For detailed information on the subject, you can get the slides of “Suricata and eBPF” or watch the video, which is already available thanks to the great work of the Netdev team:
I’ve given a talk entitled “Suricata 2.0, Netfilter and the PRC” at the Hackito Ergo Sum conference.
The talk presents Suricata and the new features available in version 2.0, focusing on the new EVE output and how it can be used with Elasticsearch, Logstash and Kibana. I’ve also shown how ulogd, the Netfilter logging daemon, can be used with Elasticsearch thanks to the new JSON output plugin. Finally, I’ve explained how I’ve discovered an attack schema originating from systems running in the People’s Republic of China.
You can get the slides here: Suricata 2.0, Netfilter and the PRC