eBPF and XDP support is one of the latest evolutions of the Suricata engine's performance capabilities. These two technologies were introduced recently in the Linux kernel, and Suricata is one of the first well-established, mature projects to make use of them. eBPF was introduced in the Linux kernel to run user-provided code safely inside the kernel; XDP runs eBPF code on the network data path, as close as possible to the network interface card.
Initial support for eBPF and XDP became available in Suricata 4.1, released in November 2018, and it has been greatly enhanced in Suricata 5.0. The development team at Stamus Networks, led by Éric Leblond, has been the primary developer of eBPF and XDP support within Suricata. The latest additions, the list of features and the potential use cases enabled by eBPF and XDP are becoming more significant, even vital, making this an opportune time to provide a high-level overview for the community. That is the purpose of this article, written by Éric Leblond and Peter Manev.
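To make the XDP description above concrete, here is an added example (not Suricata's code, nor anything from the whitepaper) written as a plain user-space C program. It models the structure of an XDP program: the kernel hands the program only a start pointer and an end pointer into the packet buffer (here a hypothetical `struct xdp_ctx` standing in for the kernel's `struct xdp_md`), every header access must be preceded by a bounds check against `data_end` or the in-kernel verifier refuses to load the program, and the program's return value (`XDP_PASS` or `XDP_DROP`) decides the packet's fate before the kernel allocates any socket buffer. The filtering policy, the address 192.168.1.100 and the frames are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* XDP return codes, same values as the kernel's enum xdp_action. */
enum xdp_action { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

/* Stand-in for the kernel's struct xdp_md: an XDP program sees only the
 * start and end of the packet buffer. */
struct xdp_ctx {
    const uint8_t *data;
    const uint8_t *data_end;
};

struct eth_hdr { uint8_t dst[6]; uint8_t src[6]; uint16_t proto; } __attribute__((packed));
struct ip4_hdr {
    uint8_t  ihl_version; uint8_t tos; uint16_t tot_len; uint16_t id;
    uint16_t frag_off; uint8_t ttl; uint8_t protocol; uint16_t check;
    uint32_t saddr; uint32_t daddr;
} __attribute__((packed));

#define ETH_P_IPV4   0x0800
#define IPPROTO_UDP_ 17

/* Constructed policy for this example: drop IPv4/UDP from one noisy host. */
#define NOISY_SRC_HOST_ORDER 0xC0A80164u   /* 192.168.1.100, a made-up address */

/* The XDP program body. Each dereference is preceded by a check against
 * data_end; the in-kernel verifier rejects a program that skips one. */
int xdp_filter(const struct xdp_ctx *ctx)
{
    const uint8_t *data = ctx->data;
    const uint8_t *data_end = ctx->data_end;

    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_PASS;                 /* too short for Ethernet: leave it to the stack */
    if (ntohs(eth->proto) != ETH_P_IPV4)
        return XDP_PASS;

    const struct ip4_hdr *ip = (const struct ip4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_PASS;                 /* truncated IPv4 header */
    if ((ip->ihl_version >> 4) != 4)
        return XDP_PASS;

    if (ip->protocol == IPPROTO_UDP_ && ntohl(ip->saddr) == NOISY_SRC_HOST_ORDER)
        return XDP_DROP;                 /* dropped before the kernel allocates an skb */
    return XDP_PASS;
}

/* Build a constructed Ethernet+IPv4 frame (no payload) into buf; returns its length. */
size_t build_frame(uint8_t *buf, uint32_t saddr_host, uint8_t proto)
{
    struct eth_hdr eth; memset(&eth, 0, sizeof eth); eth.proto = htons(ETH_P_IPV4);
    struct ip4_hdr ip;  memset(&ip, 0, sizeof ip);
    ip.ihl_version = 0x45; ip.ttl = 64; ip.protocol = proto;
    ip.tot_len = htons(sizeof ip);
    ip.saddr = htonl(saddr_host); ip.daddr = htonl(0x0A000001u);   /* 10.0.0.1, constructed */
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    return sizeof eth + sizeof ip;
}

/* Run the program over a buffer the way the kernel would: data/data_end only. */
int run_xdp(const uint8_t *buf, size_t len)
{
    struct xdp_ctx ctx = { buf, buf + len };
    return xdp_filter(&ctx);
}

/* Three constructed inputs worth checking: the targeted flow, a sibling flow
 * with another protocol, and a frame cut off inside the IPv4 header. */
int sample_noisy_udp(void) { uint8_t b[64]; size_t n = build_frame(b, NOISY_SRC_HOST_ORDER, IPPROTO_UDP_); return run_xdp(b, n); }
int sample_noisy_tcp(void) { uint8_t b[64]; size_t n = build_frame(b, NOISY_SRC_HOST_ORDER, 6);            return run_xdp(b, n); }
int sample_truncated(void) { uint8_t b[64]; size_t n = build_frame(b, NOISY_SRC_HOST_ORDER, IPPROTO_UDP_); return run_xdp(b, n - 8); }

int main(void)
{
    printf("noisy udp -> %d, noisy tcp -> %d, truncated -> %d\n",
           sample_noisy_udp(), sample_noisy_tcp(), sample_truncated());
    return 0;
}
```

The truncated-frame case is the one the verifier cares about: without the second bounds check, reading `ip->protocol` on a 26-byte frame would be an out-of-bounds read inside the kernel, which is exactly what eBPF's static verification exists to rule out.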
Download the whitepaper: Introduction to eBPF and XDP support in Suricata
Stamus Networks has created a Network Traffic Analyzer (NTA), which uses network communications as a foundational data source for detecting security events, and married it with an Intrusion Detection System (IDS), which provides deep packet inspection of network traffic using a rules-based engine. The combination of these two approaches, performed simultaneously in a single solution, provides a level of correlated data never previously achieved. We then added a threat hunting interface that gives security practitioners the ability to quickly and efficiently search through this security data to examine, validate and resolve the security incidents they face on a daily basis.
Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects network traffic using a powerful and extensive rules and signature language, and has strong Lua scripting support for detecting complex threats.
Suricata's fast-paced, community-driven development focuses on security, usability and efficiency. The Suricata project and code are owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata's development and sustained success as an open source project.
SELKS 5 is out! Thank you to the whole community for your help and feedback! Thank you to all the great Open Source projects and tools mentioned below for making it possible to showcase Suricata with this new release.
All components have been upgraded in this release to the latest version available, but that is not the main improvement. SELKS is now able to do full packet capture thanks to Suricata and Moloch, and benefits from an upgraded Scirius CE that adds a new threat hunting interface.
The addition of Moloch allows the user to investigate and explore captured data via the Moloch viewer, which provides an intuitive interface. The new Scirius threat hunting interface offers a drill-down approach that allows you to quickly find the relevant alerts in the haystack and start the investigation with what matters.
Features, fixes and major improvements:
SELKS is a live and installable network security management ISO based on Debian that implements a complete, ready-to-use Suricata IDS/IPS ecosystem with its own graphical rule manager. Stamus Networks is a proud member of the open source community, and SELKS is released under the GPLv3 license.
To download SELKS 5, pick one of the two flavors:
You can find the first time set up instructions on our SELKS 5.0 wiki page.
SELKS 4 users can upgrade their running systems using the following upgrade instructions.
Any feedback as always is greatly appreciated! 🙂
Give us feedback and get help on:
While this upgrade/installation has been verified and tested, please make sure you try it in your test/QA setup first.