Suricata includes flow bypass

Suricata is a very popular, open-source IPS/IDS security solution that was first introduced in July 2010. As expected, new features are gradually added based upon demand, efficacy and other factors.

One of the most substantial features added to Suricata is flow bypass, introduced in release 3.2 (December 2016). The idea is to let Suricata stop processing flows (identified by their 5-tuple: source and destination address, source and destination port, protocol) that are not of interest, such as encrypted traffic after the TLS handshake, well-known bulk traffic such as Netflix or YouTube, or any other traffic the analyst does not need inspected. This is a very valuable feature, but the bypass decision itself is the cheap part: in a software-only deployment every packet of a bypassed flow still has to be received by the host, hashed and matched against the flow table before Suricata can discard it, so the CPU cost does not go away. That makes flow bypass an ideal candidate for offload to a hardware adapter that can drop or shunt the bypassed flows before they ever reach the CPU.

To see how taxing flow handling is on the CPU, and why it is also an attack surface, read this statement from the official Suricata user guide (it describes the flow prealloc setting):

“For packets not yet belonging to a flow, Suricata creates a new flow. This is a relatively expensive action. The risk coming with it, is that attackers/hackers can attack the engine system at this part. When they make sure a computer gets a lot of packets with different tuples, the engine has to make a lot of new flows. This way, an attacker could flood the system. To mitigate the engine from being overloaded, this option instructs Suricata to keep a number of flows ready in memory. This way Suricata is less vulnerable to these kind of attacks.” Source: Official Suricata User Guide, release 4.1.0 (page 148)
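As an added example, not taken from the page or from the Suricata project, the suricata.yaml fragment below puts the flow-table settings the quoted passage refers to (the prealloc option) next to the software bypass settings: stream-depth bypass (available since 3.2) and TLS encryption handling (available since 4.1). All numeric values are illustrative assumptions and must be sized to the host's memory and traffic.

```yaml
# Fragment of suricata.yaml (added example, not the page's or Suricata's own config).
# Sizes below are assumptions for illustration; tune memcap/hash-size/prealloc to the host.

flow:
  memcap: 256mb           # upper bound on memory used for flow tracking
  hash-size: 65536        # number of buckets in the flow hash table
  prealloc: 10000         # flows kept ready in memory; the option the user guide quote describes
  emergency-recovery: 30  # leave emergency mode once 30% of the prealloc'd flows are free again

stream:
  memcap: 64mb
  bypass: yes             # once reassembly depth is reached, mark the flow for bypass
  reassembly:
    depth: 1mb            # stop inspecting a flow after 1 MB in each direction

app-layer:
  protocols:
    tls:
      enabled: yes
      encryption-handling: bypass   # stop inspecting a TLS flow once the handshake completes
```

A rule can also request bypass explicitly with the `bypass` keyword, for instance (illustrative, not a rule from the page) `alert tls any any -> any any (msg:"bypass known video SNI"; content:"netflix.com"; tls_sni; bypass; sid:1000001; rev:1;)`. Without a capture-method bypass (eBPF/XDP with AF_PACKET in 4.1 and later, or a NIC that performs flow shunting), all of this is a "local" bypass: Suricata stops inspecting the flow, but every packet of it is still delivered to the host and looked up in the flow table, which is exactly the cost that hardware offload is meant to remove.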

To learn a better and more efficient way to perform flow bypass with Suricata, please read the tech brief below.

Host CPU Offload Product Features Summary

Per model: speed; ports and transceiver type; PCIe interface; dimensions in inches (H x L); on-board memory; timestamp resolution.

ANIC-4Ku: 1G; 4 x 1G SFP; Gen3 x8; 4.25 x 6.5; 32 MB; 5.7 ns
ANIC-20Ku: 10G; 2 x 10G SFP+; Gen3 x8; 4.25 x 6.25; 4 GB; 5.7 ns
ANIC-40Ku: 10G; 4 x 10G SFP+; Gen3 x8; 4.25 x 6.25; 4 GB; 5.7 ns
ANIC-40Kq: 10G; 1 x 40G / 4 x 10G QSFP+; Gen3 x8; 4.25 x 6.25; 4 GB; 5.7 ns
ANIC-80Ku: 10G/40G; 2 x 40G / 8 x 10G QSFP+ (SFP+); Gen3 x8; 4.25 x 6.25; 4 GB; 5.7 ns
ATLAS-1000 Platform: 10G/40G; 2 x 40G QSFP / 4 x 10G SFP+; Gen3 x8; 1.75 x 12.28 x 14 (H x W x L, 1U chassis); 16/32 GB; 5.7 ns
ANIC-100Ku: 100G; 1 x 100G CFP4; Gen3 x16; 4.25 x 10.5; 12 GB; 4 ns
ANIC-200Ku: 100G; 2 x 100G CFP4; Gen3 x16; 4.25 x 10.5; 12 GB; 4 ns
ANIC-200K Flex: 100G; 2 x 40G / 2 x 100G QSFP28; Gen3 x16; 4.25 x 6.5; 8 GB; 4 ns
ANIC-200Kq: 100G; 2 x 100G QSFP28; Gen3 x16; 4.25 x 10.5; 12 GB; 4 ns

Feature rows of the original table (per-model support marks not recoverable): 100% Packet Capture; Gigamon, Arista Timestamp; Packet Merging; Packet Parsing.

About Accolade

Accolade is the technology leader in FPGA-based Host CPU Offload and 100% Packet Capture PCIe NICs and scalable 1U platforms. Accolade's line of 1 GE to 100 GE products enables 100% packet capture, flow classification, flow shunting, deduplication, packet filtering and more. Our customers are global leaders in network monitoring and cybersecurity applications as well as in the network test and measurement, telecom and video stream monitoring markets.

FPGA Acceleration Features

100% Packet Capture | Flow Classification | Flow Shunting | Precise Time Stamping | Packet Merging | Packet Slicing | Packet Parsing | Packet Filtering | Deduplication | Host Packet Buffer | Packet Steering | Direct Memory Access (DMA) | Statistics (RMON1)

Free Product Evaluation

Resolve all your host CPU offload bottlenecks. Share your technical requirements with our FPGA and software experts to tailor the optimal solution. Accolade offers a 60-day free product evaluation for qualified customers to fully test and evaluate our products.