Presented at SuriCon 2018 by Christoph Knott
Today, techniques such as link aggregation, load balancing and asymmetric routing are widely used in data networks to speed up communication and make it fail-safe. In such environments, feeding a modern network threat detection system becomes a challenge, because the system expects a clean, full-duplex traffic flow on a single wire. Merging the load-balanced links is the most common way to achieve this, but merging can lead to duplicated traffic, out-of-order packets or even packet loss. Sometimes merging is not possible at all because of link bandwidth limits or other infrastructural conditions. My talk illustrates by example how Suricata handles single-sided network connections, data loss within flows and scrambled packets within sessions. Starting with clean traffic samples, the change in Suricata's behaviour is shown as bits and pieces of the samples are manipulated. Attendees will see how rule writing has to change to make the most of Suricata deployed in aggregated, load-balanced, asymmetric data networks.
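The abstract names single-sided (asymmetric) traffic as the first case. The stream engine settings that govern this case live in the `stream:` section of suricata.yaml; the fragment below is an added illustration written for this page, not material from the talk or from the Suricata project, and the specific values for the "asymmetric deployment" variant are my assumption of what a practitioner would start testing with, not the speaker's recommendation. The rule quoted in the comment is a constructed example with a hypothetical sid.

```yaml
# Added example, not from the talk. Two variants of the Suricata stream
# engine section (suricata.yaml), shown for a mirror port that delivers a
# clean full-duplex flow versus a tap that only sees one direction.

# --- Variant 1: defaults, suitable for a clean, full-duplex feed -----------
stream:
  memcap: 64mb
  checksum-validation: yes      # packets with bad checksums are not inspected
  inline: auto
  async-oneside: false          # a flow needs both directions to be tracked
  midstream: false              # a TCP session is only tracked from its SYN
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

# --- Variant 2: assumed starting point for a one-sided / asymmetric feed ---
# With the defaults above a flow that never shows the returning SYN/ACK is
# never marked established, so a rule such as the constructed one below
#   alert tcp any any -> any any (msg:"example, one-sided"; \
#       flow:established,to_server; content:"GET"; sid:1000001; rev:1;)
# can never fire on such traffic. Enabling the two options lets the stream
# engine track flows for which only one side is seen and pick up sessions
# that were already running when the sensor started seeing them.
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: auto
  async-oneside: true           # accept flows where only one direction is seen
  midstream: true               # accept sessions picked up after the handshake
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
```

To compare the two variants against a sample, the same capture can be replayed offline with each configuration (`suricata -r sample.pcap -c suricata.yaml`), or a single option can be overridden on the command line (`--set stream.async-oneside=true`) and the alerts in `fast.log` or `eve.json` diffed between runs. Only one `stream:` key may exist in a live suricata.yaml; the block shows both only for comparison.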