Optimizing Network Traffic for Efficient Traffic Monitoring in Suricata

Suricata is an open-source security engine that delivers high-performance Network Detection and Response (NDR) capabilities. Suricata combines threat detection, intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and packet capture into a powerful system.

The Suricata Network Sensor is at the heart of any successful Suricata deployment. Building an enterprise-scale Suricata deployment can be challenging. One challenge is that open source Suricata Sensors are ‘do-it-yourself’ appliances, so Sensor performance and capacity can vary greatly based upon the hardware selected to build the Sensor. It is, therefore, important to choose the optimal hardware combinations that provide the interface speed, scale and capacity needed to ingest and analyze the network traffic to be monitored. Impaired Suricata Sensor performance can lead to fatal gaps in network traffic visibility, which can result in evolving threats and attacks going undetected – enabling them to dwell longer and propagate deeper across the network and into critical systems.

The Network Traffic Challenge

The second challenge is that the speed, velocity, and volume of network traffic have grown by many orders of magnitude and can be expected to continue to grow exponentially – driven by the adoption of higher speed network links for servers and interconnections. With one hour of raw network traffic on a single 100G link reaching 45 terabytes, the Suricata Sensor is easily overwhelmed by the massive amount of traffic to monitor. The traffic volume challenge is amplified by the need to monitor more traffic paths, such as east-west traffic, to observe lateral movement.

The Value of Network Intelligence

To benefit from the powerful network insights and protections that Suricata provides, it is essential to achieve visibility across as much of the network as possible. Network visibility is highly effective at identifying new, unknown malware, zero-day exploits, and attacks that are slow to develop. Observing network activity can also identify rogue behavior by network insiders – including unauthorized activities or insider identities that may have been hacked. However, achieving network-wide visibility at scale can be challenging and expensive. Here are some things to consider to achieve the best visibility and performance from a Suricata deployment:

  • Optimize Sensor Placement – Proper and comprehensive Sensor placement (network instrumentation) is essential. To enable effective visibility of network traffic, operators need to observe all communications crossing the common functional boundaries to extract intelligence from the network to identify and pinpoint intrusive activity. Traffic-based network intelligence exposes patterns, protocols, and volume of data flowing across the network to understand how users, devices and systems communicate with each other.

  • Optimize Sensors for Maximum Performance – A Suricata Sensor’s capacity and performance are defined by the physical compute appliance, including its CPU and the specialized NIC chosen for the Sensor. Monitoring a 100G link versus a 10G or 40G link requires significantly more processing capacity to assure adequate Sensor performance. Keep in mind that wire-speed 100G traffic volumes challenge most commercial Network Sensors and packet capture appliances, and Suricata is no exception. While cost is always a factor, optimizing for maximum performance is most important. An underpowered Sensor will drop packets and create bottlenecks, which may result in missing important indicators of nefarious activity.

  • Optimize Traffic into the Sensor to Increase Ingest Scale – Evaluating every packet in real time against thousands of attack signatures for hundreds or thousands of concurrent flows requires significant processing power. Even with Suricata’s bypass capabilities, the Suricata Sensor is easily overwhelmed by the massive amount of traffic to monitor and analyze. The reality is that not all network traffic flows are created equal, and not all network traffic needs to be analyzed. Some traffic, such as encrypted traffic, cannot always be analyzed, while some other traffic types, such as streaming services, are less likely to contain indicators of malicious activity and are not useful to monitor. Prioritizing the traffic to be presented to the Sensor before it reaches the Sensor’s NIC and CPU can significantly reduce the packet processing burden and dramatically increase the ingest capacity and scale of the Suricata Sensor. This in turn will enable increasing network coverage while needing fewer physical Sensors which will dramatically reduce instrumentation costs and management complexities.

Overcoming the Traffic Volume Challenge

Depending on the network environment, as much as 80% of network traffic can be encrypted, and upwards of 50% of traffic is considered ‘unmonitorable’ or not useful. Suricata does allow some traffic to be ‘bypassed’, which allows traffic matching certain criteria to be excluded from deeper analysis. However, Suricata bypass rules do not prevent this traffic from reaching the Sensor. So, the Sensor NIC and CPU must still receive and process this traffic, which will impact the Sensor’s capacity.

Using Network Packet Brokers (NPBs) to load balance traffic can help by breaking up and distributing high volumes of collected network traffic to multiple Sensors to assure a given Sensor is not overrun with traffic. The flip side is that load balancing traffic for a 100G link will require adding multiple lower speed Sensors to keep up with the monitored traffic volumes.

While Packet Brokers are an essential part of the monitoring architecture to facilitate access to packet traffic, Packet Brokers alone do not address the challenge that a high percentage of the network traffic delivered to the Sensor may be encrypted or not monitorable or actionable. Processing irrelevant and unmonitorable traffic consumes valuable Sensor analysis resources to attempt to assess or bypass the undesirable traffic.

Not all network traffic needs to be analyzed by Suricata. The fundamental traffic management principle is: do not send traffic to the Suricata Sensor that you do not want inspected. To improve the Sensor’s scale, the goal is to keep the NIC, CPU and kernel from having to process the unwanted traffic in the first place.

An effective approach to scaling Suricata performance is to optimize and limit the traffic being presented to the Sensor. Intelligent traffic optimizations enable Suricata to monitor massive volumes of network traffic more efficiently, enabling improved network visibility and threat intelligence at scale. Eliminating low-value traffic, and in particular optimizing encrypted and streaming traffic, can significantly reduce the packet processing burden on the Suricata Sensor so that inspection focuses on the network traffic most relevant to identifying emerging threats.

How NetQuest Can Help

The NetQuest Packet Services Broker brings significant value to Suricata deployments by intelligently assessing network traffic to automate the delivery of only high-value packets to the Suricata Sensor. The Packet Services Broker efficiently identifies, prioritizes, and optimizes packet traffic at wire-speed to deliver only relevant packets to the Suricata Sensor to reduce the traffic processing burden. This optimization facilitates more efficient traffic ingest, faster analysis, more relevant alarms, and enables more efficient packet recording to reduce storage requirements and extend packet retention times. Capabilities include:

  • Optimize Suricata analysis resources by targeting specific high-value types of traffic to the Suricata Sensor, offloading the processing burden for low-value traffic

  • Optimize specific flow-types such as encrypted or streaming services traffic

  • Remove unwanted packet elements to improve traffic ingest efficiency and meet privacy and compliance requirements

  • Header stripping and protocol de-encapsulation to deliver only the inner packets to the Sensor, making packets easier to ingest and analyze

We invite you to learn more about optimizing traffic monitoring for Suricata to achieve unprecedented threat intelligence at scale, better defend against evolving threats, and support more comprehensive investigative activities.

Additional Suricata Resources

The NetQuest Optimizing Suricata Solution Overview:
https://netquestcorp.com/suricata/

NetQuest Suricata Optimization Solution Brief:
Optimizing Traffic Monitoring for Suricata to Increase Scale and Capacity

Ready to Dive Deeper? Read the NetQuest Technical White Paper:
Network Traffic Optimization Considerations for Suricata Deployments

Additional Suricata Resources Courtesy of Stamus Networks
