Deep packet inspection
Big picture
Configure deep packet inspection (DPI) in clusters to get alerts on compromised resources.
Value
Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. Calico Cloud provides an easy way to perform DPI using Snort community rules. You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Alerts dashboard in Manager UI.
Concepts
For each deep packet inspection resource (DeepPacketInspection), Calico Cloud creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Alerts page in the Calico Cloud Manager.
Calico Cloud DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see AF_Packet.
Before you begin
Not supported:
- Multi-nic setup
- Calico Cloud nodes running Windows hosts
How To
- Configure deep packet inspection
- Configure resource requirements
- Access alerts
- Verify deep packet inspection is running
Configure deep packet inspection
Create a YAML file containing one or more DeepPacketInspection resources and apply it to your cluster.

```bash
kubectl apply -f <your_deep_packet_inspection_filename>
```

To stop deep packet inspection, delete the DeepPacketInspection resource from your cluster.

```bash
kubectl delete -f <your_deep_packet_inspection_filename>
```
Examples of selecting workloads
Following is a basic example that selects a single workload that has the label `k8s-app` with the value `nginx`.

```yaml
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
  name: sample-dpi-nginx
  namespace: sample
spec:
  selector: k8s-app == "nginx"
```
In the following example, we select all workload endpoints in the `sample` namespace.

```yaml
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
  name: sample-dpi-all
  namespace: sample
spec:
  selector: all()
```
Configure resource requirements
Adjust the CPU and RAM used for performing deep packet inspection by updating the component resource in IntrusionDetection.
For a data transfer rate of 1GB/sec on workload endpoints being monitored, we recommend a minimum of 1 CPU and 1GB RAM.
The following example configures deep packet inspection to use a maximum of 1 CPU and 1GB RAM.
```yaml
apiVersion: operator.tigera.io/v1
kind: IntrusionDetection
metadata:
  name: tigera-secure
spec:
  componentResources:
  - componentName: DeepPacketInspection
    resourceRequirements:
      limits:
        cpu: '1'
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 100Mi
```
Access alerts
The alerts generated by deep packet inspection are available in the Manager UI in the Alerts page.
Verify deep packet inspection is running
Get the status of the DeepPacketInspection resource to verify that live traffic is being monitored on the selected workload endpoints. The per-node status is shown in the resource's status block, so request the full object:

```bash
kubectl get deeppacketinspection <deep_packet_inspection_resource_name> -n <deep_packet_inspection_namespace> -o yaml
```
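Reading the status block by eye is tedious across many nodes. The following script is an added example (not part of Calico Cloud or its documentation) that parses the JSON form of the command above and reports which nodes are actively monitoring and which report errors. The status layout it relies on (entries under `status.nodes[]` with a `node` name, an `active.success` flag and an `errorConditions[]` list) is an assumption about the resource; fields that are absent are treated as "not active". When run without arguments it uses a constructed sample document instead of calling `kubectl`.

```python
"""Summarise the per-node status of a DeepPacketInspection resource.

Added example, not Calico Cloud's own tooling. It reads the JSON printed by
`kubectl get deeppacketinspection <name> -n <namespace> -o json` and reports
which nodes are actively monitoring and which report errors.

Assumption: status.nodes[] entries carry a `node` name, an `active.success`
flag and an `errorConditions[]` list of {message, lastUpdated}. Entries that
lack these fields are treated as not active.
"""
import json
import subprocess
import sys

# Constructed sample shaped like the output of
# `kubectl get deeppacketinspection sample-dpi-all -n sample -o json`.
SAMPLE_DPI_JSON = """
{
  "apiVersion": "projectcalico.org/v3",
  "kind": "DeepPacketInspection",
  "metadata": {"name": "sample-dpi-all", "namespace": "sample"},
  "spec": {"selector": "all()"},
  "status": {
    "nodes": [
      {"node": "node-a",
       "active": {"success": true, "lastUpdated": "2024-01-01T00:00:00Z"}},
      {"node": "node-b",
       "active": {"success": false, "lastUpdated": "2024-01-01T00:00:00Z"},
       "errorConditions": [
         {"message": "no matching workload endpoints on this node",
          "lastUpdated": "2024-01-01T00:00:00Z"}]},
      {"node": "node-c"}
    ]
  }
}
"""


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_DPI_JSON)


def summarize_status(doc):
    """Group nodes into active / inactive and collect error messages per node."""
    summary = {"active": [], "inactive": [], "errors": {}}
    for entry in (doc.get("status") or {}).get("nodes", []):
        node = entry.get("node", "<unknown>")
        if (entry.get("active") or {}).get("success"):
            summary["active"].append(node)
        else:
            summary["inactive"].append(node)
        messages = [c.get("message", "") for c in entry.get("errorConditions", [])]
        if messages:
            summary["errors"][node] = messages
    return summary


def monitoring_ok(summary):
    """True when at least one node is monitoring and no node reports an error."""
    return bool(summary["active"]) and not summary["errors"]


def fetch_dpi(name, namespace):
    """Fetch the live resource with kubectl (needs cluster access)."""
    result = subprocess.run(
        ["kubectl", "get", "deeppacketinspection", name, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def main(argv):
    # With <name> <namespace> arguments query the cluster; otherwise use the sample.
    doc = fetch_dpi(argv[1], argv[2]) if len(argv) == 3 else load_sample()
    summary = summarize_status(doc)
    print(json.dumps(summary, indent=2))
    return 0 if monitoring_ok(summary) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 dpi_status.py <name> <namespace>` against a cluster; the exit code is 0 only when at least one node is actively monitoring and no node reports an error, which makes it usable as a post-deployment check. A node that is neither active nor reporting an error (like `node-c` in the sample) usually has no workload endpoints matching the selector, which is worth confirming before treating it as a problem.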
Install custom Snort rules
If you don't want to use the Snort community rules, you can install a custom set of Snort rules to perform deep packet inspections. You may want to install your own rules if:
- you use a paid subscription to a Snort ruleset
- you have written your own Snort rules.
If you install custom Snort rules, Calico Cloud will stop updating the community rules with each minor release. You will be responsible for making sure your rules are up to date.
- Create a container with your custom Snort rules.
  - Copy your Snort rule files into a new `./snort-rules/` directory.
  - Create a `Dockerfile` like this one:

    ```dockerfile
    FROM alpine:3.14
    COPY snort-rules /snort-rules
    ENTRYPOINT [ "/bin/sh", "-c", "cp /snort-rules/* /usr/etc/snort/rules/" ]
    ```

  - In the console, run the following commands:

    ```bash
    docker build . -t <your-image-name>:<your-image-tag>
    docker push <your-image-name>:<your-image-tag>
    ```

    After the image has been pushed to the registry, you're ready to configure the `IntrusionDetection` resource.
- Update the `IntrusionDetection` resource with the custom Snort rules image.

  ```yaml
  spec:
    deepPacketInspectionDaemonset:
      spec:
        template:
          spec:
            initContainers:
            - name: snort-rules
              image: <your-image-name>:<your-image-tag>
  ```

  This can also be done by running the following command:

  ```bash
  kubectl patch intrusiondetection tigera-secure --type merge -p '{"spec":{"deepPacketInspectionDaemonset":{"spec":{"template":{"spec":{"initContainers":[{"name":"snort-rules", "image":"<your-image-name>:<your-image-tag>"}]}}}}}}'
  ```
- Verify that your custom rules have been installed correctly:
  - If it's not running already, apply the DeepPacketInspection resource (see Configure deep packet inspection above) to your cluster.
  - Extract the list of Snort rules that are currently being used by running the following commands (the rule files are unpacked into the current directory):

    ```bash
    export POD=$(kubectl get pods -n tigera-dpi -o custom-columns=:metadata.name --no-headers | head -n 1)
    kubectl exec -n tigera-dpi $POD -- tar -cf - /usr/etc/snort/rules | tar --strip-components=4 -xf -
    ```

  - If these rules match those in your custom set, then the installation was successful.
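Comparing the extracted rule files with your own set by hand is error-prone, and a rule file with a malformed line or a duplicate `sid` will silently weaken detection. The script below is an added example (not part of Calico Cloud) that does both checks: it parses every `*.rules` file on each side, rejects malformed rules and duplicate or missing sids, and reports files missing on either side plus the sids whose rule text differs. The directory names are assumptions passed as arguments (your `./snort-rules/` directory and the directory into which the tar command above unpacked the pod's rules); with no arguments it runs on a constructed sample pair.

```python
"""Validate a custom Snort rule set and compare it with the rules extracted
from a tigera-dpi pod.

Added example, not part of Calico Cloud. Assumed layout: local rule files in
./snort-rules/, extracted copy in the directory where the tar command was run;
both are passed as arguments. Constructed samples are used without arguments.
"""
import json
import os
import re
import sys
import tempfile

# Snort rule header (action proto src sport dir dst dport) followed by the option block.
RULE_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\(.*\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules (not real Snort community rules).
SAMPLE_LOCAL = {
    "custom.rules": (
        'alert tcp any any -> any 80 (msg:"EXAMPLE HTTP probe"; content:"/probe"; sid:1000001; rev:1;)\n'
        'alert udp any any -> any 53 (msg:"EXAMPLE DNS query"; sid:1000002; rev:1;)\n'
    ),
}
# The same file as it might look inside a pod built from an older revision.
SAMPLE_POD = {
    "custom.rules": (
        'alert tcp any any -> any 80 (msg:"EXAMPLE HTTP probe"; content:"/probe"; sid:1000001; rev:1;)\n'
        'alert udp any any -> any 53 (msg:"EXAMPLE DNS query"; sid:1000002; rev:2;)\n'
    ),
}


def parse_rules(text):
    """Return {sid: rule line}; reject malformed rules and missing or duplicate sids."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not RULE_RE.match(line):
            raise ValueError(f"line {lineno}: not a Snort rule: {line!r}")
        match = SID_RE.search(line)
        if not match:
            raise ValueError(f"line {lineno}: rule has no sid")
        sid = int(match.group(1))
        if sid in rules:
            raise ValueError(f"line {lineno}: duplicate sid {sid}")
        rules[sid] = line
    return rules


def load_rule_dir(path):
    """Map each *.rules file in `path` to its parsed {sid: rule} table."""
    table = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".rules"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                table[name] = parse_rules(fh.read())
    return table


def compare_rule_dirs(local_dir, extracted_dir):
    """Report rule files missing on either side and sids whose text differs."""
    local, pod = load_rule_dir(local_dir), load_rule_dir(extracted_dir)
    report = {
        "missing_in_pod": sorted(set(local) - set(pod)),
        "unexpected_in_pod": sorted(set(pod) - set(local)),
        "changed": {},
    }
    for name in set(local) & set(pod):
        diffs = sorted(sid for sid in set(local[name]) | set(pod[name])
                       if local[name].get(sid) != pod[name].get(sid))
        if diffs:
            report["changed"][name] = diffs
    return report


def rules_match(report):
    """True only when the pod holds exactly the local rule set."""
    return not (report["missing_in_pod"] or report["unexpected_in_pod"] or report["changed"])


def write_rules(directory, files):
    """Write a {filename: text} mapping into `directory` (used for the samples)."""
    os.makedirs(directory, exist_ok=True)
    for name, text in files.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(text)


def demo():
    """Run the comparison on the constructed samples in a throw-away directory."""
    base = tempfile.mkdtemp(prefix="dpi-rules-")
    local_dir, pod_dir = os.path.join(base, "snort-rules"), os.path.join(base, "extracted")
    write_rules(local_dir, SAMPLE_LOCAL)
    write_rules(pod_dir, SAMPLE_POD)
    return compare_rule_dirs(local_dir, pod_dir)


def main(argv):
    report = compare_rule_dirs(argv[1], argv[2]) if len(argv) == 3 else demo()
    print(json.dumps(report, indent=2))
    return 0 if rules_match(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_rules.py ./snort-rules <extracted-dir>`; a non-zero exit means the pod is not running exactly your rule set. If the pod's rules directory still contains the community rule files alongside yours, they appear under `unexpected_in_pod`, which tells you whether the init container replaced or merely added to the shipped rules.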