(Solved) (New feature implemented) Suricata bypass local traffic

Started by Monviech (Cedrik), August 10, 2023, 02:45:01 PM

It's now a feature in 23.7.3 - yay, first contribution successful.

https://github.com/opnsense/core/commit/1cdf7cb4fde8daec2354a8779e7054d372e033c5

Added this to the docs:
https://docs.opnsense.org/manual/how-tos/ips-bypass.html

In this example I have three networks:
WAN
LAN
DMZ

Suricata is enabled on the interfaces:
LAN
DMZ

Traffic Scenario - Single Inspection
If traffic is routed between WAN and LAN/DMZ, Suricata inspects the traffic once. This works as intended.

Traffic Scenario - Double Inspection
If traffic is routed between LAN and DMZ, Suricata inspects the traffic twice. This halves the possible speed compared to single inspection.

Questions
- Is there a way to change the double inspection to a single inspection on routed traffic between $home_net (LAN, DMZ) interfaces?
- Is it possible to inspect traffic from/to $home_net (LAN, DMZ) to/from $external_net (WAN), but bypass traffic inspection completely from/to $home_net (LAN, DMZ) to/from $home_net (LAN, DMZ)?

Thanks for any help.
Hardware:
DEC740

August 11, 2023, 12:18:24 PM #1 Last Edit: August 11, 2023, 02:31:27 PM by Monviech
I have found an interesting trigger in the suricata docs:
https://docs.suricata.io/en/suricata-6.0.1/rules/bypass-keyword.html
It triggers something called a "local bypass" as explained here:
https://docs.suricata.io/en/suricata-6.0.0/performance/ignoring-traffic.html

What it means is that only the first packet of a flow is inspected and the rest is allowed through as long as a session is established.

I have tested the speed benefit by creating a "Services: Intrusion Detection: Administration: User defined" rule and adjusting it in the OPNsense shell with "bypass;":

# AUTO GENERATED, DO NOT EDIT.
#
# OPNsense.rules
# User defined rules
#

# -- User defined rules
pass ip   10.16.1.0/24  any ->  172.16.0.0/24  any (msg:"bypass from 10.16.1.0 to 172.16.0.0"; bypass; sid:4294967294; rev:1;)
pass ip   172.16.0.0/24  any ->  10.16.1.0/24  any (msg:"bypass from 172.16.0.0 to 10.16.1.0"; bypass; sid:4294967293; rev:1;)


After that I reloaded the Suricata rules with:
kill -USR2 $(pidof suricata)
in order to circumvent the automatic generation of the .rules files.

The speed of a routed SMB file transfer increased by a factor of 10, from around 100 Mbit/s to 1000 Mbit/s.

I wonder if this could be a potential feature request, maybe a checkbox in the "User Defined" rule that enables this bypass parameter for that rule. This way the internal routing could be sped up without sacrificing the thoroughness of the LOCAL to/from WAN inspection.
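The two hand-edited rules above cover one pair of networks. With more internal networks, one pass/bypass rule is needed per ordered pair, each with a unique sid, and none of the networks may overlap (an overlapping pair would make a bypass rule match flows it was not meant for). The following generator is an added example for this thread, not code from OPNsense or Suricata; it assumes the rule text format of the "User defined" rules shown in the post and assigns sids downward from 4294967294 as that file does. The sample networks are constructed.

```python
"""Generate Suricata "pass ... bypass" rules for every ordered pair of
internal networks, so routed traffic between them is inspected only on
the first packet of each flow (Suricata local bypass), while traffic to
and from external networks is still fully inspected.

Added example, not OPNsense's or Suricata's own code.
Assumptions: rule text mirrors the thread's "User defined" rules and
sids are assigned downward from 4294967294 like that generated file.
"""
import ipaddress
import re
from itertools import combinations, permutations

SID_START = 4294967294  # assumption: highest sid in the thread's rules file
SID_RE = re.compile(r"sid:(\d+);")


def parse_networks(cidrs):
    """Parse CIDRs strictly (host bits must be zero) and refuse overlapping
    networks, since a bypass rule for a wider net would also swallow flows
    of the narrower one."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            raise ValueError(f"overlapping networks: {a} and {b}")
    return nets


def bypass_rule(src, dst, sid):
    """One pass rule carrying the bypass keyword: once it matches the first
    packet of a flow, the remaining packets of that flow are not inspected."""
    return (
        f"pass ip {src} any -> {dst} any "
        f'(msg:"bypass from {src} to {dst}"; bypass; sid:{sid}; rev:1;)'
    )


def bypass_rules(cidrs, sid_start=SID_START):
    """One rule per ordered pair (both directions) with descending, unique sids."""
    nets = parse_networks(cidrs)
    return [
        bypass_rule(src, dst, sid_start - i)
        for i, (src, dst) in enumerate(permutations(nets, 2))
    ]


def sids(rules):
    """Extract the sid of each rule, e.g. to check uniqueness before loading."""
    return [int(SID_RE.search(rule).group(1)) for rule in rules]


def render_rules_file(cidrs):
    """Render the rules in the same plain layout as the thread's user-defined file."""
    header = "# -- User defined rules (generated bypass rules)\n"
    return header + "\n".join(bypass_rules(cidrs)) + "\n"


if __name__ == "__main__":
    # constructed sample: the thread's two networks plus a third internal net
    print(render_rules_file(["10.16.1.0/24", "172.16.0.0/24", "192.168.5.0/24"]), end="")
```

Writing the output into the user-defined rules file and then signalling Suricata with kill -USR2, as the post did, makes the rules live without a restart; the file is regenerated by OPNsense on the next rule update, which is why the post asked for the option in the GUI rather than keeping the manual edit.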