
Gianluca Iadicicco
Development and Optimization of a Firmware for Real-Time Monitoring of Network Traffic and Threat Detection.
Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2025
PDF (Tesi_di_laurea) - Thesis (2MB). License: Creative Commons Attribution.
Archive (ZIP) (Documenti_allegati) - Other (22MB). License: Creative Commons Attribution.
Abstract: | Intrusion Detection Systems (IDS) play a vital role in cybersecurity, monitoring network traffic to detect anomalous behavior. Among the most innovative solutions, Suricata stands out as a modern, multithreaded IDS with broad protocol support. However, its high resource consumption makes it unsuitable for devices with limited capabilities. This thesis focuses on optimizing Suricata for embedded systems by allowing the protocols to enable to be chosen at compile time. The first step was an analysis of the source code, which identified the main components (decoders, parsers and output components) and led to a modification of the build system that makes the inclusion of protocols configurable without compromising Suricata's functionality. For installation on low-resource devices, OpenWrt, a lightweight and modular operating system for embedded network devices, was chosen. The integration, however, presented several challenges, including cross-compilation with the OpenWrt toolchain and the management of dependencies on libraries that are not fully compatible. To overcome these obstacles, three approaches were attempted: compiling Suricata directly on OpenWrt, cross-compiling only the Suricata packages using the OpenWrt SDK, and generating a custom OpenWrt image. The last solution proved to be the only one that worked, yielding a lightweight firmware with an optimized version of Suricata. A further optimization is the ability to auto-configure Suricata based on the network traffic it will analyze. This mechanism monitors the most used protocols and automatically regenerates the Suricata configuration, providing further flexibility and improving system efficiency. Tests conducted on a virtualized x86_64 architecture and on a physical ARM architecture, a Raspberry Pi 3 Model B board, showed a clear improvement in memory and CPU consumption, without compromising effectiveness in network security activities. |
---|---|
Supervisors: | Andrea Atzeni |
Academic year: | 2024/25 |
Publication type: | Electronic |
Number of pages: | 124 |
Subjects: | |
Degree programme: | Master's degree programme in Computer Engineering (Ingegneria Informatica) |
Degree class: | New system > Master's degree > LM-32 - COMPUTER ENGINEERING |
Collaborating companies: | Brain technologies |
URI: | http://webthesis.biblio.polito.it/id/eprint/35239 |