sudo ldconfig
sudo mkdir /etc/suricata/ebpf/
+The ``clang`` compiler is needed if you want to build eBPF files as the build
+is done via a specific eBPF backend available only in llvm/clang suite.
+
Setup bypass
------------
-If you plan to use eBPF or XDP for a kernel/hardware level bypass, you need to do
-the following:
+If you plan to use eBPF or XDP for a kernel/hardware level bypass, you need to enable
+some of the following features:
First, enable `bypass` in the `stream` section ::
stream:
bypass: true
+This will bypass flows as soon as the stream depth will be reached.
+
If you want, you can also bypass encrypted flows by setting `encrypt-handling` to `bypass`
in the app-layer tls section ::
encrypt-handling: bypass
+Another solution is to use a set of signatures using the ``bypass`` keyword to obtain
+a selective bypass. Suricata traffic ID defines flowbits that can be used in other signatures.
+For instance one could use ::
+
+ alert any any -> any any (msg:"bypass video"; flowbits:isset,traffic/label/video; noalert; bypass; sid:1000000; rev:1;)
+ alert any any -> any any (msg:"bypass Skype"; flowbits:isset,traffic/id/skype; noalert; bypass; sid:1000001; rev:1;)
+
Setup eBPF filter
-----------------
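Review bot: the two example rules added under "For instance one could use" have a malformed header: `alert any any -> any any` has only two fields before the arrow, while Suricata's rule header needs protocol, source address and source port (`action proto src_addr src_port -> dst_addr dst_port`), so these lines will fail to load as written; suggest `alert ip any any -> any any (msg:"bypass video"; ...)` and the same for the Skype rule. Also, in "This will bypass flows as soon as the stream depth will be reached." the future tense in the subordinate clause reads oddly; "as soon as the stream depth is reached" is the usual form.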
use-mmap: yes
ring-size: 200000
# Uncomment the following if you are using hardware XDP with
- # card like Netronome
+ # a card like Netronome
# no-percpu-hash: yes
If you are using hardware XDP offload you may have to use the ``no-percpu-hash`` function and
build and install the XDP filter file after setting ``USE_PERCPU_HASH`` to 0.
-Setup symmetric hashing on the NIC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Intel NIC setup
+~~~~~~~~~~~~~~~
Intel network card don't support symmetric hashing but it is possible to emulate
it by using a specific hashing function.
Pinned maps usage
-----------------
-Pinned maps stay attached to the system if the creating process disappear and
+Pinned maps stay attached to the system if the creating process disappears and
they can also be accessed by external tools. In Suricata bypass case, this can be
used to keep active bypassed flow tables so Suricata is not hit by previsouly bypassed flows when
restarting. In the socket filter case, this can be used to maintain a map from tools outside
sudo mount -t bpf none /sys/fs/bpf
+You can also add to you `/etc/fstab` ::
+
+ bpffs /sys/fs/bpf bpf defaults 0 0
+
+and run `sudo mount -a`.
+
Pinned maps will be accessible as file from the `/sys/fs/bpf` directory. Suricata
-will pinned them under the name `suricata-$IFACE_NAME-$MAP_NAME`.
+will pin them under the name `suricata-$IFACE_NAME-$MAP_NAME`.
-To active pinned maps for a interface, set `pinned-maps` to `true` in the `af-packet`
+To activate pinned maps for a interface, set `pinned-maps` to `true` in the `af-packet`
configuration of this interface ::
- interface: eth3
is still there and Suricata will just use them instead of attaching the XDP file to
the interface.
-So it you want to reload the XDP filter, you need to remove the files from `/sys/fs/bpf/`
+So if you want to reload the XDP filter, you need to remove the files from `/sys/fs/bpf/`
before starting Suricata.
In case, you are not using bypass, this means that the used maps are managed from outside
-Suricata. As their names are not known by Suricata, you need to specify a name of map to look
-for that will be used to check for the presence of the XDP filter ::
+Suricata. As their names are not known by Suricata, you need to specify a name of a map to look
+for, that will be used to check for the presence of the XDP filter ::
- interface: eth3
pinned-maps: true
pinned-maps-name: ipv4_drop
xdp-filter-file: /etc/suricata/ebpf/xdp_filter.bpf
-If XDP bypass is used in IPS mode stopping Suricata will trigger a interruption in the traffic.
+If XDP bypass is used in IPS mode stopping Suricata will trigger an interruption in the traffic.
To fix that, the provided XDP filter `xdp_filter.bpf` is containing a map that will trigger
a global bypass if set to 1. You need to use `pinned-maps` to benefit of this feature.
To use it you need to set `#define USE_GLOBAL_BYPASS 1` (instead of 0) in the `xdp_filter.c` file and rebuild
the eBPF code and install the eBPF file in the correct place. If you write `1` as key `0` then the XDP
-filter will switch to global bypass mode. Set key `0` to `0` to send traffic to Suricata.
+filter will switch to global bypass mode. Set key `0` to value `0` to send traffic to Suricata.
-The switch must be activated on all sniffing interface. For an interface named `eth0` the global
+The switch must be activated on all sniffing interfaces. For an interface named `eth0` the global
switch map will be `/sys/fs/bpf/suricata-eth0-global_bypass`.
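Review bot: two typos survive the added and corrected lines: "You can also add to you `/etc/fstab`" should read "your `/etc/fstab`", and the corrected "To activate pinned maps for a interface" still has "a interface" where "an interface" is needed. A smaller style point: this hunk marks literals with single backticks (`/etc/fstab`, `pinned-maps`, `/sys/fs/bpf`) while the earlier addition uses the double-backtick literal role (``clang``); picking one convention for the file would keep the rendered output consistent.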
Hardware bypass with Netronome
------------------------------
-Netronome card supports hardware bypass. In this case the eBPF code is running in the card
+Netronome cards support hardware bypass. In this case the eBPF code is running in the card
itself. This introduces some architectural differences compared to driver mode and the configuration
and eBPF filter need to be updated.
------------------------------
You can get information about bypass via the stats event and through the unix socket.
-`ìface-stat` will return the number of bypassed packets (adding packets for a flow when it timeout).
-`ebpf-bypassed-stats` command will return the number of elements in IPv4 and IPv6 flow tables for
-each interfaces.
+``iface-stat`` will return the number of bypassed packets (adding packets for a flow when it timeout) ::
+
+ suricatasc -c "iface-stat enp94s0np0" | jq
+ {
+ "message": {
+ "pkts": 56529854964,
+ "drop": 932328611,
+ "bypassed": 1569467248,
+ "invalid-checksums": 0
+ },
+ "return": "OK"
+ }
+
+``ebpf-bypassed-stats`` command will return the number of elements in IPv4 and IPv6 flow tables for
+each interfaces ::
+
+ # suricatasc
+ >>> ebpf-bypassed-stats
+ Success:
+ {
+ "enp94s0np0": {
+ "ipv4_count": 42524,
+ "ipv6_count": 3304
+ }
+ }
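Review bot: the rewritten sentences carry over two grammar slips from the removed lines: "for each interfaces" should be "for each interface", and "when it timeout" should be "when it times out". The two examples also present the socket differently (`suricatasc -c "iface-stat enp94s0np0" | jq` without a prompt, then an interactive `# suricatasc` session with `>>>`); showing both in the same style, or stating that either form works, would make it clearer to the reader that these are the same tool.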