[Oisf-devel] Suricata blocking web server
Victor Julien
lists at inliniac.net
Wed Feb 15 14:59:30 UTC 2017
On 15-02-17 15:46, Jinsheng Chen wrote:
> Thanks a lot!!!!!!!
> What you said solved this problem. I did forget to redirect the OUTPUT
> chain to NFQUEUE.
>
>
> By the way, could you please advise what is the best practice of using
> suricata with iptables?
>
> I mean, if you simply add a "-A INPUT -j NFQUEUE" to the 1st line, every
> single packet will be transferred to suricata, even the packets that are
> supposed to be blocked by iptables.
> If you add a "-A INPUT -j NFQUEUE" to the last line or in the middle of
> the table, a lot of traffic such as "-A INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT" will be accepted without being checked by
> suricata.
>
>
> Therefore, my current solution is:
> 1) Add a new chain (such as "MyIDS"), and in the chain, all traffic are
> redirected to NFQUEUE.
> 2) Replace all the "ACCEPT" targets with "MyIDS".
> By this way, first traffic are check by iptables and then, only allowed
> traffic are check by suricata.
>
> Is this the best way or is there an "official best practice" for this?
No, there is not. It depends a lot on your goals.
But I use the same logic as you do: general iptables rules first, then
send the rest to Suricata. So I think your approach makes sense.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list