<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><p class="MsoNormal">I fixed the problem. I followed this guide instead to
install Suricata:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:-36.0pt"><a href="http://suricata-ids.org/category/distribution/">http://suricata-ids.org/category/distribution/</a><o:p></o:p></p><p class="MsoNormal" style="margin-left:36.0pt;text-indent:-36.0pt"><br></p>
<p class="MsoNormal">The commands that I entered:<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNoSpacing"><span style="background:white">sudo apt-get update
&& sudo apt-get upgrade</span><o:p></o:p></p>
<p class="MsoNoSpacing"><span style="background:white">sudo add-apt-repository
ppa:oisf/suricata-stable</span><br>
<span style="background:white">sudo
apt-get update</span><br>
<span style="background:white">sudo
apt-get install suricata<o:p></o:p></span></p>
<p class="MsoNoSpacing">sudo mkdir /var/log/suricata<o:p></o:p></p>
<p class="MsoNoSpacing"><o:p> </o:p></p>
<p class="MsoNormal">I then configured the suricata.yaml file with the correct
network settings.<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">The NFQ support was enabled and I was able to run Suricata
in the NFQ mode. <o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I’m not sure why the NFQ support was disabled previously. Like
I said I’m very new to Linux.<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">I haven’t created iptables yet nor have I tried to block any
attacks by using my rules. I will do that a bit later.<o:p></o:p></p><p class="MsoNormal"><br></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Alex <o:p></o:p></p><br><div><hr id="stopSpelling">From: manhunt234@hotmail.com<br>To: oisf-users@lists.openinfosecfoundation.org<br>Date: Sat, 5 Jul 2014 20:39:28 +0000<br>Subject: [Oisf-users] Unable to run Suricata in the IPS mode<br><br>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style>
<div dir="ltr"><p class="ecxMsoNormal">Dear Open Information Security Foundation team,</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">I followed this guide to setup Suricata:</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal"><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation</a></p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">I made sure I had the “—enable-nfqueue” option included during
the “configure” procedure. <span style="font-size:12pt;">I checked if I had NFQ enabled in Suricata after the installation
by entering the following command:</span></p><p class="ecxMsoNormal"></p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">suricata –build-info</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">This is what I got:</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">NFQueue support: no</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">I tried running Suricata in the NFQ mode by entering the
following:</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">sudo suricata -c /etc/suricata/suricata.yaml -q 0</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">I got the following error message:</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">30/6/2014 -- 19:08:17 - <Error> - [ERRCODE:
SC_ERR_NFQ_NOSUPPORT(67)] - NFQUEUE not enabled. Make sure to pass
--enable-nfqueue to configure when building.</p>
<p class="ecxMsoNormal"><br></p><p class="ecxMsoNormal">The reason I want Suricata to work in the IPS mode is
because I would like the following rule to run in the drop mode:</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">drop tcp !$MODBUS_CLIENT any -> $MODBUS_SERVER 502
(flow:from_client,established; content:"|00 00|"; offset:2; depth:2;
pcre:"/[\S\s]{3}(\x01|\x02|\x03|\x04|\x07|\x0B|\x0C|\x11|\x14|\x17|\x18|\x2B)/iAR";
msg:"SCADA_IDS: Modbus TCP - Unauthorized Read Request to a PLC";
reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:bad-unknown; sid:1111006; rev:1; priority:2;)</p><p class="ecxMsoNormal"><br></p><p class="ecxMsoNormal">As far as I understand I can’t just change the rule mode from “alert” to “drop”. I have to setup ip tables that require NFQ to be enabled in the first place.</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">I also tried configuring the following in the suricata.yaml file:</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal"># a line based information for dropped packets in IPS mode</p>
<p class="ecxMsoNormal"> - drop:</p>
<p class="ecxMsoNormal"> enabled: yes</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">I’m not sure if it is mandatory to enable drop in the
suricata.yaml file. </p>
<br>
<p class="ecxMsoNormal">The Suricata version is 2.0.2 running on Ubuntu 12.04.</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">There must be something simple that I’m missing, maybe some
option that I haven’t enabled, but because I’m very new to Linux I just can’t
figure out the problem. I tried reinstalling Suricata several times and made
sure I followed the guide precisely. </p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">Looking forward to your reply</p><p class="ecxMsoNormal"><br></p>
<p class="ecxMsoNormal">Regards,</p>
<span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";">Alex</span> </div>
<br>_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/</div> </div></body>
</html>