17. IDS AccelerationΒΆ

IDS/IPS systems, like Suricata and Zeek, are well known to be CPU bound and require quite some resources for signature-matching and other type of analysis.

The PF_RING framework can be used to accelerate the packet capture and make more CPU cycles available to those tools as described in the IDS/IPS Integration section of the PF_RING documentation. It can also be used to reduce the input by (statically) defining filtering policies from Layer 2 up to Layer 7 dramatically improving the performance of the tools as described in the PF_RING FT acceleration section.

ntopng provides an additional tecnique for accelerating IDS/IPS systems, whose idea is similar to the Smart Recording acceleration used by n2disk. In fact ntopng implements Behavioural Checks to detect when a host is misbehaving and can be configured to push information about those hosts to external tools for further analysing their traffic. This can be configured from the Interface > Details > Settings menu, where it is possible to toggle the Push Alerted Hosts to PF_RING flag.

Push Alerted Hosts to PF_RING

Push Alerted Hosts to PF_RING

With this setting enabled, ntopng notifies hosts for which there is an engaged alert to PF_RING, triggering the divertion of the traffic matching those hosts to an IDS/IPS (or any other application running on top of PF_RING), which is otherwise discarded by default.

The IP addresses to be monitored are notified to PF_RING by means of a Redis queue, whose name is pfring.*INTERFACE_ID*.filter.host.queue as reported by the GUI. Please also read the PF_RING Runtime Filtering section for configuring the IDS/IPS.