The Cyberoam team presents their work on an active-active cluster. They have built a two-node active-active setup with a primary and an auxiliary system; the primary takes care of load balancing. The setup uses virtual MAC addresses. To avoid the split-brain problem, the primary takes all decisions by always handling the SYN packet itself. It also … Continue reading “Nishit Shah & Jimit Mahadevia: TCP Session Load-balancing in Active-Active HA Cluster”
Prerequisites: Netfilter: CONNMARK, nth (or the statistic module for recent kernels), condition (for failover, available in xtables-addons); iproute2. System: a Linux gateway and 2 Internet links (whatever technology): Link 1: BP 1500 – fraction 3; Link 2: BP 500 – fraction 1. The ratio between the 2 link … Continue reading “Links Load balancing”
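As an added example (not code from the post above), the script below generates the CONNMARK, statistic and iproute2 commands for a weighted split of new connections across several uplinks, using the 3:1 ratio of the 1500/500 links. Everything not in the excerpt is an assumption: the interface names, gateways, mark and table numbers are constructed, and the statistic match is used in random mode rather than nth because a probability of weight divided by the remaining weight handles any integer ratio, not only 1-in-N. The script only prints the commands so they can be reviewed before being run as root.

```python
"""Weighted multi-link load balancing with CONNMARK + statistic + iproute2.

Added example, not code from the original post.  Interface names, gateways,
mark and table numbers below are constructed; the weights reproduce the 3:1
ratio of the 1500/500 links.  Random mode of the statistic match is an
assumption (the post mentions nth).  Only prints commands; nothing is applied.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Link:
    name: str
    dev: str       # outgoing interface (assumed name)
    gateway: str   # next hop on that link (assumed address)
    weight: int    # share of new connections, e.g. bandwidth in units of 500
    mark: int      # ctmark/fwmark value, must be non-zero
    table: int     # routing table number


# Constructed topology: link 1 at 1500 (weight 3), link 2 at 500 (weight 1).
LINKS = [
    Link("link1", "eth1", "192.0.2.1", 3, mark=1, table=101),
    Link("link2", "eth2", "198.51.100.1", 1, mark=2, table=102),
]
LAN_IF = "eth0"


def split_probabilities(weights):
    """Per-rule probabilities so that the chain as a whole honours the weights.

    Rules are evaluated top to bottom and only still-unmarked packets reach a
    given rule, so rule i must match weight_i / (sum of weights from i on).
    The last link needs no probability: it takes everything still unmarked.
    [3, 1] -> [3/4];  [2, 2, 1] -> [2/5, 2/3].
    """
    if any(w <= 0 for w in weights):
        raise ValueError("weights must be positive integers")
    probs, remaining = [], sum(weights)
    for w in weights[:-1]:
        probs.append(Fraction(w, remaining))
        remaining -= w
    return probs


def generate_commands(links, lan_if=LAN_IF, chain="LB"):
    """Return the iptables/ip commands as a list of strings."""
    cmds = [f"iptables -t mangle -N {chain}"]
    probs = split_probabilities([l.weight for l in links])
    for link, p in zip(links, probs):
        # '-m connmark --mark 0' comes first so a retransmitted SYN of an
        # already-marked connection is never re-rolled onto another link.
        cmds.append(f"iptables -t mangle -A {chain} -m connmark --mark 0 "
                    f"-m statistic --mode random --probability {float(p):.6f} "
                    f"-j CONNMARK --set-mark {link.mark}")
    last = links[-1]
    cmds.append(f"iptables -t mangle -A {chain} -m connmark --mark 0 "
                f"-j CONNMARK --set-mark {last.mark}")
    # Copy the connection mark onto the packet so the routing lookup sees it.
    cmds.append(f"iptables -t mangle -A {chain} -j CONNMARK --restore-mark")
    # Only the first packet of a connection is balanced; the rest inherit the ctmark.
    cmds.append(f"iptables -t mangle -A PREROUTING -i {lan_if} "
                f"-m conntrack --ctstate NEW -j {chain}")
    cmds.append(f"iptables -t mangle -A PREROUTING -i {lan_if} "
                f"-m conntrack ! --ctstate NEW -j CONNMARK --restore-mark")
    for link in links:
        cmds.append(f"ip route add default via {link.gateway} dev {link.dev} "
                    f"table {link.table}")
        cmds.append(f"ip rule add fwmark {link.mark} table {link.table}")
        # Masquerade per uplink so replies come back over the path they left on.
        cmds.append(f"iptables -t nat -A POSTROUTING -o {link.dev} -j MASQUERADE")
    return cmds


if __name__ == "__main__":
    print("\n".join(generate_commands(LINKS)))
```

The connmark-zero guard in front of the statistic match is the part worth copying: without it, each retransmitted SYN of a not-yet-established connection would roll the dice again and could leave the connection's packets split between two uplinks.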
Iptables and Suricata as IPS. Building a Suricata ruleset with iptables has always been a complicated task when trying to combine the rules that are necessary for the IPS with the firewall rules. Suricata has always used advanced Netfilter features, allowing some more or less tricky methods to be used. For the one not familiar … Continue reading “Suricata and Nftables”
Introduction. NFQUEUE is an iptables and ip6tables target which delegates the decision on packets to a userspace program. For example, the following rule will ask a listening userspace program for a decision on every packet going to the box: iptables -A INPUT -j NFQUEUE --queue-num 0. In userspace, a program must use libnetfilter_queue to … Continue reading “Using NFQUEUE and libnetfilter_queue”
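To make the verdict model concrete, here is an added example (not from the post) of what the userspace side of that rule has to do: parse the raw IPv4/TCP packet it is handed and answer ACCEPT or DROP. The policy is constructed (drop new TCP connections to port 23) and the packet builder only exists to produce test input. The queue plumbing at the bottom assumes the third-party `netfilterqueue` Python binding to libnetfilter_queue, which is an assumption and not something the page describes; the parsing and verdict logic is pure Python and runs offline.

```python
"""Verdict logic for a userspace NFQUEUE handler (added example, not from the post).

The kernel queues each packet matched by '-j NFQUEUE --queue-num 0' and waits
for this program to answer.  Policy here is constructed: drop the first packet
(SYN without ACK) of TCP connections to port 23, accept everything else that
parses, and fail closed on anything this IPv4-only parser cannot read.
"""
import socket
import struct

ACCEPT, DROP = "ACCEPT", "DROP"
TCP, SYN, ACK = 6, 0x02, 0x10
BLOCKED_PORTS = {23}            # constructed policy


def parse_ipv4(raw):
    """Return a dict of the fields the policy needs, or None if not parseable."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return None
    pkt = {"proto": raw[9],
           "src": socket.inet_ntoa(raw[12:16]),
           "dst": socket.inet_ntoa(raw[16:20])}
    if pkt["proto"] == TCP:
        if len(raw) < ihl + 20:
            return None                 # truncated TCP header
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        pkt["flags"] = raw[ihl + 13]
    return pkt


def verdict(raw):
    """Decide ACCEPT or DROP for one raw packet payload."""
    pkt = parse_ipv4(raw)
    if pkt is None:
        return DROP                     # fail closed on malformed input
    if (pkt["proto"] == TCP
            and pkt["flags"] & SYN and not pkt["flags"] & ACK
            and pkt["dport"] in BLOCKED_PORTS):
        return DROP
    return ACCEPT


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed sample packet for testing; checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp


def run_queue(queue_num=0):
    """Serve the queue of the iptables rule above.  Assumes the 'netfilterqueue'
    pip package (binding to libnetfilter_queue); requires root."""
    from netfilterqueue import NetfilterQueue   # assumption, see lead-in

    def callback(pkt):
        if verdict(pkt.get_payload()) == ACCEPT:
            pkt.accept()
        else:
            pkt.drop()

    queue = NetfilterQueue()
    queue.bind(queue_num, callback)
    try:
        queue.run()
    finally:
        queue.unbind()


if __name__ == "__main__":
    run_queue()
```

Two practical caveats: while no program is bound to the queue, packets hitting the rule are dropped by the kernel unless the rule carries `--queue-bypass`; and a handler that returns nothing (for instance because it crashed on a malformed packet) stalls the queue, which is why the parser above returns an explicit verdict on every input instead of raising.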
Introduction. Kernel oopses have been reported by some users running Suricata with AF_PACKET multi-thread capture activated. This is due to a bug I’ve introduced in AF_PACKET when fixing another bug. Which kernel not to use with Suricata in AF_PACKET mode: the following kernel versions will surely crash if Suricata or any other program … Continue reading “About Suricata and a kernel oops in AF_PACKET”
A new Suricata IPS mode. Suricata IPS capabilities are not new: it is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this setup does not have the best throughput. Patrick McHardy’s work on netlink memory-mapped I/O should bring some real improvement, but this is not yet available. … Continue reading “New AF_PACKET IPS mode in Suricata”
Introduction. Since the beginning of July 2012, the OISF team has had access to a server where one interface receives some mirrored real European traffic. When reading "some", think between 5 Gbps and 9.5 Gbps of constant traffic. That is around 1 to 1.5 million packets per second (Mpps) we have to inspect. The box itself … Continue reading “Suricata, to 10Gbps and beyond”
Some new features have recently reached Suricata’s git tree and will be available in the next development release. I’ve worked on some of them, which I will describe here. Multi-interface support and new running modes. Configuration update: IDS live mode in Suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax … Continue reading “Acquisition systems and running modes evolution of Suricata”
We have been ignoring the fact that NAT could be of some interest in IPv6 for the last 5 years. IPv6 will not fix everything and it may be time to reconsider NAT. There are some reasons for that: dynamic IPv6 prefixes (some ISPs decide not to give fixed addresses to customers), server load balancing, DMZ … Continue reading “Ulrich Weber: IPV6 NAT”