Hi there again :)
After finding the related material, I was playing around with the URL filter application, and I would like to ask whether it is normal that once it alerts on a specific packet it drops all consecutive ones WITHOUT even alerting?
I have the following setup:
2 Host machines (H1,H2) connected back-to-back through Bluefield-2 DPUs.
The Bluefield-2 DPU @ H2 is running the filter application. I have digged deeper a bit in Suricata (still very far from understanding much of it, though :)) and I created a DNS filter instead of the HTTP filter as I was not sure whether the TCP connection to a webserver should be established for the URL filter app to work.
So, I created the following rule description /tmp/signature.txt:
alert dns any any -> any 53 (msg:"Test dns.query option"; dns.query; content:"google"; nocase; sid:1;)
Then, after starting the URL filter, I loaded this file as a database to let the URL filter to compile it to CDO.
/opt/mellanox/doca/examples/url_filter/bin/doca_url_filter -a 0000:03:00.0,class=regex:eth,representor=,sft_en=0 -- -p
URL FILTER>> commit database /tmp/signature.txt
It is compiled without errors.
Then, I craft a DNS packet on the other Bluefield@H1 (which is connected to the Bluefield@H2) and send it to the corresponding interface.
>>> dns_packet=Ether(dst="0c:42:a1:a4:8a:08")/IP(dst="22.214.171.124")/UDP()/DNS(rd=1, qd=DNSQR(qname="google.com"))
Without having any OvS(-DPDK) running on the Bluefield@H2, I encountered that packets are also sent up to the host itself, i.e., to H2. So, I ran a
tcpdump on H2.
ifconfig ens5f0 up
tcpdump -ni ens5f0 udp
So, after sending a crafted DNS packet from @Bluefield@H1, I observe the following:
INFO: SIG ID: 1, URL MSG: Test dns.query option, SFT_FID: 1
04:27:41.284151 IP 192.168.100.2.53 > 126.96.36.199.53: 0+ A? google.com. (28)
However, when I send the same DNS packet over and over again, I do not see any alert anymore, neither I see any packet received @H2 via
It’s like after the alert it is added to a banlist.
I tried waiting for sometime to make any cached entry expire, but no results.
I can only achieve a new alert and packet received via
tcpdump @H2, if I craft another DNS request, e.g., by changing the dst IP, or by restarting URL filter and reloading the database.
As mentioned in the beginning, I am not a suricata expert, so this question might relate to suricata behavior not to the Bluefield’s directly.
Can someone enlighten me about this?
You can see my terminals below. All of them has the “location” in their title/header.