<div dir="ltr">Hi Victor,<div><br></div><div>Thanks a lot!!!!!!! </div><div>What you said solved this problem. I did forget to redirect the OUTPUT chain to NFQUEUE.</div><div><br></div><div><br></div><div>By the way, could you please advise what is the best practice of using suricata with iptables?</div><div><br></div><div>I mean, if you simply add a "-A INPUT -j NFQUEUE" to the 1st line, every single packet will be transferred to suricata, even the packets that are supposed to be blocked by iptables.</div><div>If you add a "-A INPUT -j NFQUEUE" to the last line or in the middle of the table, a lot of traffic such as "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" will be accepted without being checked by suricata.</div><div><br></div><div><br></div><div>Therefore, my current solution is:</div><div>1) Add a new chain (such as "MyIDS"), and in the chain, all traffic are redirected to NFQUEUE.</div><div>2) Replace all the "ACCEPT" targets with "MyIDS".</div><div>By this way, first traffic are check by iptables and then, only allowed traffic are check by suricata.</div><div><br></div><div>Is this the best way or is there an "official best practice" for this?</div><div><br></div><div>Thanks!</div><div>Jinsheng</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 15, 2017 at 11:16 PM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 14-02-17 17:26, Jinsheng Chen wrote:<br>
> I am not sure if I should post my question here. If not, please let me<br>
> know where to post... thanks.<br>
><br>
> I have a web server (CentOS 6) and also have suricata running on it in<br>
> IPS mode:<br>
><br>
> # suricata -D -q 0<br>
><br>
> I have configured the rules with oinkmaster and have replaced all<br>
> "ALERT" to "DROP".<br>
> And I have configured iptables so that all traffic goes to suricata:<br>
><br>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source<br>
> destination<br>
> 8 464 IPS all -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
</span>> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
<span class="">><br>
> Chain IPS (9 references)<br>
> pkts bytes target prot opt in out source<br>
> destination<br>
> 8 464 NFQUEUE all -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
</span>> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> NFQUEUE num 0<br>
<br>
It looks like you're missing the OUTPUT chain. Suricata needs to see<br>
both sides of the traffic for its stateful tracking, inspection and logging.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
------------------------------<wbr>---------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/<wbr>victorjulien.asc</a><br>
------------------------------<wbr>---------------<br>
<br>
______________________________<wbr>_________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.<wbr>openinfosecfoundation.org/</a><br>
<br>
</font></span></blockquote></div><br></div>