<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><p class="MsoNormal">Dear Open Information Security Foundation team,<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I followed this guide to setup Suricata:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation</a><o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I made sure I had the “—enable-nfqueue” option included during
the “configure” procedure. <span style="font-size: 12pt;">I checked if I had NFQ enabled in Suricata after the installation
by entering the following command:</span></p><p class="MsoNormal"><o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">suricata –build-info<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">This is what I got:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">NFQueue support: no<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I tried running Suricata in the NFQ mode by entering the
following:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">sudo suricata -c /etc/suricata/suricata.yaml -q 0<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I got the following error message:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">30/6/2014 -- 19:08:17 - <Error> - [ERRCODE:
SC_ERR_NFQ_NOSUPPORT(67)] - NFQUEUE not enabled. Make sure to pass
--enable-nfqueue to configure when building.<o:p></o:p></p>
<p class="MsoNormal"><br></p><p class="MsoNormal">The reason I want Suricata to work in the IPS mode is
because I would like the following rule to run in the drop mode:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">drop tcp !$MODBUS_CLIENT any -> $MODBUS_SERVER 502
(flow:from_client,established; content:"|00 00|"; offset:2; depth:2;
pcre:"/[\S\s]{3}(\x01|\x02|\x03|\x04|\x07|\x0B|\x0C|\x11|\x14|\x17|\x18|\x2B)/iAR";
msg:"SCADA_IDS: Modbus TCP - Unauthorized Read Request to a PLC";
reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:bad-unknown; sid:1111006; rev:1; priority:2;)<o:p></o:p></p><p class="MsoNormal"><br></p><p class="MsoNormal">As far as I understand I can’t just change the rule mode from “alert” to “drop”. I have to setup ip tables that require NFQ to be enabled in the first place.</p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I also tried configuring the following in the suricata.yaml file:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"># a line based information for dropped packets in IPS mode<o:p></o:p></p>
<p class="MsoNormal"> - drop:<o:p></o:p></p>
<p class="MsoNormal"> enabled: yes<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I’m not sure if it is mandatory to enable drop in the
suricata.yaml file. <o:p></o:p></p>
<br>
<p class="MsoNormal">The Suricata version is 2.0.2 running on Ubuntu 12.04.<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">There must be something simple that I’m missing, maybe some
option that I haven’t enabled, but because I’m very new to Linux I just can’t
figure out the problem. I tried reinstalling Suricata several times and made
sure I followed the guide precisely. <o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">Looking forward to your reply<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";
mso-ascii-theme-font:minor-latin;mso-fareast-font-family:Calibri;mso-fareast-theme-font:
minor-latin;mso-hansi-theme-font:minor-latin;mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;mso-ansi-language:EN-GB;mso-fareast-language:
EN-US;mso-bidi-language:AR-SA">Alex</span> </div></body>
</html>