[Oisf-devel] Suricata blocking web server

Jinsheng Chen smalldust.chen at gmail.com
Wed Feb 15 14:46:46 UTC 2017


Hi Victor,

Thanks a lot!!!!!!!
What you said solved this problem. I did forget to redirect the OUTPUT
chain to NFQUEUE.


By the way, could you please advise on the best practice for using
Suricata with iptables?

I mean, if you simply add "-A INPUT -j NFQUEUE" as the first line, every
single packet will be transferred to Suricata, even the packets that are
supposed to be blocked by iptables.
If you add "-A INPUT -j NFQUEUE" as the last line or in the middle of the
table, a lot of traffic, such as that matched by "-A INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPT", will be accepted without being checked by
Suricata.


Therefore, my current solution is:
1) Add a new chain (such as "MyIDS"), and in that chain, redirect all
traffic to NFQUEUE.
2) Replace all the "ACCEPT" targets with "MyIDS".
This way, traffic is first checked by iptables, and then only the allowed
traffic is checked by Suricata.

Is this the best way or is there an "official best practice" for this?

Thanks!
Jinsheng

On Wed, Feb 15, 2017 at 11:16 PM, Victor Julien <lists at inliniac.net> wrote:

> On 14-02-17 17:26, Jinsheng Chen wrote:
> > I am not sure if I should post my question here. If not, please let me
> > know where to post... thanks.
> >
> > I have a web server (CentOS 6) and also have suricata running on it in
> > IPS mode:
> >
> > # suricata -D -q 0
> >
> > I have configured the rules with oinkmaster and have replaced all
> > "ALERT" with "DROP".
> > And I have configured iptables so that all traffic goes to suricata:
> >
> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     8   464 IPS        all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain IPS (9 references)
> >  pkts bytes target     prot opt in     out     source               destination
> >     8   464 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>
> It looks like you're missing the OUTPUT chain. Suricata needs to see
> both sides of the traffic for its stateful tracking, inspection and
> logging.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
>
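A concrete form of the chain-replacement approach described in the post above (all ACCEPT decisions routed through a "MyIDS" chain that hands the packet to NFQUEUE, with both INPUT and OUTPUT covered so Suricata sees both directions of each flow), as an added example that is not from the thread or from the Suricata project. It assumes a standalone web server that serves only HTTP/HTTPS and SSH, the chain name MyIDS from the post, and Suricata started with `-q 0`; the `SSH_FROM` and `QUEUE_NUM` variables and the `check_ruleset` helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Suricata project):
# iptables ruleset for a host running Suricata in NFQUEUE IPS mode
# ("suricata -D -q 0"). Assumptions not in the thread: the host serves
# only 80/443 and SSH; ICMP echo is allowed; loopback is not inspected.
set -eu

QUEUE_NUM="${QUEUE_NUM:-0}"          # must match the -q argument given to suricata
SSH_FROM="${SSH_FROM:-0.0.0.0/0}"    # assumption: narrow this to your admin network

# Print the ruleset in iptables-save format. The default policy is DROP,
# so iptables filters first; every "allow" decision is a jump to MyIDS
# rather than ACCEPT, and MyIDS is the only place NFQUEUE appears.
# ESTABLISHED,RELATED traffic also goes through MyIDS (not a plain ACCEPT),
# and OUTPUT is covered as well, so Suricata sees both sides of every flow.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:MyIDS - [0:0]
-A MyIDS -j NFQUEUE --queue-num ${QUEUE_NUM}
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j MyIDS
-A INPUT -p tcp --dport 80 -m state --state NEW -j MyIDS
-A INPUT -p tcp --dport 443 -m state --state NEW -j MyIDS
-A INPUT -p tcp --dport 22 -s ${SSH_FROM} -m state --state NEW -j MyIDS
-A INPUT -p icmp --icmp-type echo-request -j MyIDS
-A OUTPUT -m state --state ESTABLISHED,RELATED -j MyIDS
-A OUTPUT -m state --state NEW -j MyIDS
COMMIT
EOF
}

# Guard against the mistake described in the post: reads a ruleset on
# stdin and returns 1 if any INPUT/OUTPUT rule ACCEPTs non-loopback
# traffic directly, since such packets would never reach Suricata.
check_ruleset() {
    awk '
        /^-A (INPUT|OUTPUT) / && /-j ACCEPT/ && !/-[io] lo / { bad++ }
        END { exit (bad > 0) }'
}

# Number of INPUT/OUTPUT rules that hand traffic to Suricata.
count_ids_jumps() {
    gen_ruleset | grep -c -- '-j MyIDS$'
}

case "${1:-}" in
    --apply)
        # Needs root. iptables-restore loads the whole table atomically,
        # so there is no window with a half-built ruleset.
        gen_ruleset | check_ruleset || {
            echo "refusing to load: a direct ACCEPT would bypass Suricata" >&2
            exit 1
        }
        gen_ruleset | iptables-restore
        ;;
    *)
        gen_ruleset
        ;;
esac
```

Running the script with no arguments prints the ruleset for review; `--apply` loads it. Two points worth knowing when placing the NFQUEUE rule: with Suricata's default `nfq: mode: accept`, a packet that Suricata passes is accepted at that hook and does not continue down the chain, so NFQUEUE belongs exactly where the ACCEPT would have been (the end of MyIDS), which is what the post's design does. And if Suricata is not running, the kernel drops every packet sent to a queue with no listener, so the host goes dark until Suricata starts; newer iptables and kernels offer `--queue-bypass` on the NFQUEUE target to fall back to ACCEPT in that case, but check `iptables -j NFQUEUE --help` on the box before relying on it, since a stock CentOS 6 install may be too old.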