Enabling eBPF (Extended Berkeley Packet Filter) bypass is the ultimate step in Suricata performance tuning. It allows the kernel to filter known-safe traffic (e.g., TLS data) before the packets reach the resource-intensive Userspace engine. However, this functionality often fails to work out-of-the-box.
Continue reading Suricata Performance: Resolving eBPF Bypass Failure via Manual Kernel Filter CompilationTag: Suricata
Suricata IPS: Fixing Legitimate Traffic Drops by Disabling drop-invalid
I encountered a peculiar issue where my WordPress instance was unable to reach wordpress.org, and DokuWiki could not access its plugin repository. All standard network checks (wget, curl, DNS) worked fine, and no drops were registered by the standard firewall rules.
However, logging revealed a problem deep within the Intrusion Prevention System (IPS) layer.
Continue reading Suricata IPS: Fixing Legitimate Traffic Drops by Disabling drop-invalidBogon Defense: Integrating Dynamic IP Blacklists into Suricata’s Reputation System
Bogon networks are IP address ranges that should never appear on the public internet, as they are either reserved or unassigned. Blocking these ranges is a fundamental and highly effective security measure. While this can be done with simple firewall rules, integrating the blocklist directly into the Suricata IP Reputation system is far more performant.
Continue reading Bogon Defense: Integrating Dynamic IP Blacklists into Suricata’s Reputation SystemSuricata AF-Packet: Resolving VirtIO Non-Functionality via Checksum Offload Disablement
This article documents a two-part process: successfully upgrading Suricata to version 7 on Debian Bookworm and solving a critical stability issue required to run the AF-Packet IPS mode with high-performance VirtIO NICs in a virtual machine. Without this specific configuration, the IPS failed to function.
Continue reading Suricata AF-Packet: Resolving VirtIO Non-Functionality via Checksum Offload DisablementAutomating IPS: Real-Time Suricata Rule Generation via Fail2ban Hook
In my last posts, I established a central syslog hub feeding Fail2ban and demonstrated Suricata as an intrusion prevention system (IPS). This final piece connects the two: feeding Suricata with the ban results from Fail2ban by creating a dynamic, external rule file.
Continue reading Automating IPS: Real-Time Suricata Rule Generation via Fail2ban HookSuricata Alert Analysis: Tuning Rules and Promoting Detection to Prevention
This is a follow-up to my last post in which I set up Suricata as an IPS. This article demonstrates how to effectively work with the Suricata engine—specifically, how I analyze its log output, silence unnecessary alerts, and promote specific detection rules to prevention rules.
Continue reading Suricata Alert Analysis: Tuning Rules and Promoting Detection to PreventionSuricata IPS: Building a Transparent Network Defense Layer with AF-Packet Bridging
Suricata functions as a powerful engine for Network Intrusion Detection and Prevention (IDS/IPS). This guide demonstrates how to set up Suricata as a transparent Intrusion Prevention System (IPS) within a KVM environment by replacing the kernel bridge with the high-performance AF-Packet mechanism.
Continue reading Suricata IPS: Building a Transparent Network Defense Layer with AF-Packet Bridging