There's an interesting article about compromised network devices at https://www.securityweek.com/chinese-gov-hackers-caught-hiding-in-cisco-router-firmware/ Good reading for this crowd. One of the suggestions from the article is to monitor the external interface to your egress router for connections to the device itself. Listening to an external interface, however, can get very noisy. Most Suricata rules assume you're inside the firewall, where an inbound connection is a high priority because it's already passed through the firewall's filters. If a port isn't open, a connection attempt to that port isn't a big deal, of course. So an external interface would probably be monitored with a much smaller set of Suricata rules and likely with BPFs clamped down to just the IPs and ports that matter.

Security Onion sensors have the ability to ingest on multiple physical ports. Security Onion v2.3 and v2.4 set up a bond0 interface automatically, connect all monitoring interfaces to it, and apply BPFs to the bonded interface. The prior release gave the ability to configure different BPFs per interface by breaking a symlink and creating separate bpf/pulledpork files.

Is there a way to regain that capability in v2.4 rather than applying the filters to just the bonded interface? I expect this could be done by setting it up as a grid with separate forward/heavy nodes, possibly via virtualization, but that can complicate the setup, ongoing maintenance, and resource requirements significantly, plus increase subscription costs if purchasing an IDS ruleset.
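The post's idea of a BPF "clamped down to just the IPs and ports that matter" on the external interface is worth making concrete. The following is an added example, not code from the post or from Security Onion: it builds the clamped BPF expression for the case the article describes (sessions in which the egress router itself is the server) and checks the same logic against a handful of constructed flows. The router address 203.0.113.1, the watched services (tcp/22, tcp/443, udp/161) and all sample flows are assumptions for illustration. The filter is written as a directional pair (`dst host ... dst port` for the inbound side, `src host ... src port` for the replies) rather than a plain `host ... port`: a plain `host` match would also sweep in every NATed client session leaving through the router's external address on a watched port, while `dst host` alone would drop the router's replies and leave Suricata unable to track flow state.

```python
"""Clamped BPF for watching an egress router's own external address.

Added example; not Security Onion code. The router address, service
ports and sample flows below are constructed assumptions.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 22)


class Flow(NamedTuple):
    """Simplified 5-tuple as a sensor sees it on the external interface."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


def _normalise(device_ips: Iterable[str], services: Iterable[Service]):
    ips = [str(ipaddress.ip_address(ip)) for ip in device_ips]  # validates addresses
    svcs = []
    for proto, port in services:
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port {port!r}")
        svcs.append((proto, int(port)))
    if not ips or not svcs:
        raise ValueError("need at least one device address and one service")
    return ips, svcs


def build_bpf(device_ips: Iterable[str], services: Iterable[Service]) -> str:
    """Return a BPF expression keeping only sessions in which one of the
    monitored devices is the *server* on a watched port: the inbound
    packets (device is destination) plus the device's replies (device is
    source, watched port is the source port)."""
    ips, svcs = _normalise(device_ips, services)
    hosts = lambda d: " or ".join(f"{d} host {ip}" for ip in ips)
    ports = lambda d: " or ".join(f"{proto} {d} port {port}" for proto, port in svcs)
    inbound = f"({hosts('dst')}) and ({ports('dst')})"
    replies = f"({hosts('src')}) and ({ports('src')})"
    return f"({inbound}) or ({replies})"


def flow_matches(flow: Flow, device_ips: Iterable[str], services: Iterable[Service]) -> bool:
    """Python mirror of build_bpf()'s semantics for checking sample flows
    offline. Not a BPF engine: on the sensor libpcap compiles the filter."""
    ips, svcs = _normalise(device_ips, services)
    svc = set(svcs)
    inbound = flow.dst in ips and (flow.proto, flow.dport) in svc
    reply = flow.src in ips and (flow.proto, flow.sport) in svc
    return inbound or reply


def kept_flows(flows: Iterable[Flow], device_ips, services) -> List[Flow]:
    return [f for f in flows if flow_matches(f, device_ips, services)]


ROUTER_EXTERNAL = ["203.0.113.1"]                       # assumed router external address
WATCHED = [("tcp", 22), ("tcp", 443), ("udp", 161)]     # assumed management services

SAMPLE_FLOWS = [  # constructed for this example
    Flow("198.51.100.23", "203.0.113.1", "tcp", 51515, 22),    # outside host probes router SSH: keep
    Flow("203.0.113.1", "198.51.100.23", "tcp", 22, 51515),    # router's reply, same session: keep
    Flow("198.51.100.23", "203.0.113.1", "tcp", 51516, 8080),  # port not on the watch list: drop
    Flow("203.0.113.1", "198.51.100.80", "tcp", 40000, 443),   # NATed client (or router) going out: drop
    Flow("198.51.100.9", "203.0.113.1", "udp", 60000, 161),    # SNMP probe at the router: keep
    Flow("192.0.2.50", "198.51.100.80", "tcp", 40001, 443),    # transit traffic, router not an endpoint: drop
]

if __name__ == "__main__":
    print(build_bpf(ROUTER_EXTERNAL, WATCHED))
    for f in kept_flows(SAMPLE_FLOWS, ROUTER_EXTERNAL, WATCHED):
        print("kept:", f)
```

Before putting the expression into a sensor's BPF configuration, it is worth confirming that libpcap accepts it with `tcpdump -d '<expression>'`, which compiles the filter and prints the resulting program without capturing anything. The `kept_flows` check only mirrors the filter's logic; it does not replace that compile test.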
Yes, most folks doing an enterprise deployment are going to have a distributed deployment anyway and that provides many other advantages as well.
Here are a few other options that might help depending on the scenario.
Modify alerts:
https://docs.securityonion.net/en/2.4/managing-alerts.html#modify-the-alert
Rewrite alerts:
https://docs.securityonion.net/en/2.4/managing-alerts.html#rewrite-the-alert
Suppress alerts:
https://docs.securityonion.net/en/2.4/managing-alerts.html#threshold