<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html><head><meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
<style>BODY{font:10pt Tahoma,Verdana,sans-serif} .MsoNormal{line-height:120%;margin:0}</style></head><body>
Ok. Thanks. Can I suggest that the documentation in Suricata docs be updated to reflect that NFQUEUE mode requires IP addresses and not assume people will understand this should be like a router. Because I found a web page where NFQUEUE mode was configured with bridging.<br><br>Thanks. <br><br>Leonard Jacobs, MBA, CISSP, CSSA<div>President/CEO</div><div>Netsecuris Inc.</div><div>P 952-641-1421 ext. 20</div><div><a href="http://www.netsecuris.com" target="_blank">http://www.netsecuris.com</a></div><br><blockquote style="padding-left: 5px; margin-left: 5px; border-left: #0000ff 2px solid; margin-right: 0px"><hr><b>From:</b> Victor Julien [mailto:lists@inliniac.net]<br><b>To:</b> oisf-users@lists.openinfosecfoundation.org<br><b>Sent:</b> Wed, 18 Nov 2015 07:08:34 -0600<br><b>Subject:</b> Re: [Oisf-users] Trouble with NFQUEUE IPS Mode<br><br>On 18-11-15 13:08, Leonard Jacobs wrote:<br>
> I did create the iptables rules with NFQUEUE. But then you are saying the IPS appliance should be like a router with IP address set on the outer Ethernet port.<br>
> <br>
> Here is a drawing of what I am trying to accomplish. There are 4 ethernet ports on IPS Appliance. I want to have the IPS on both sides of the firewall.<br>
> <br>
> Router <---------->IPS Appliance<------------>SonicWALL firewall<--------->IPS appliance<-------------->LAN Switch<br>
> PortA PortB PortC PortD<br>
> <br>
> To get data flowing, I had bridged PortA to PortB as well as PortC to PortD. Will Suricata in NFQUEUE mode not see the traffic from the pairs of ports using the iptables rules I created?<br>
> <br>
> I prefer to use AF_PACKET mode to accomplish this because I know it works but in this case there seems to be an incompatibility with the SonicWALL firewall so VPN connections drop and some traffic stops flowing. So I am trying to find an IPS alternative to AF_Packet mode.<br>
> <br>
> Are you saying I need to have IP addresses on all 4 ethernet ports so NFQUEUE will work without turning bridging on?<br>
> <br>
<br>
I would suggest setting up the router first without Suricata. To do this<br>
you'd use ACCEPT rules instead of NFQUEUE rules. Once that<br>
routing/iptables setup works, add Suricata to the mix.<br>
<br>
To set up a router, you will indeed need proper IP addresses and all.<br>
That's what the routing needs.<br>
<br>
Cheers,<br>
Victor<br>
<br>
> Thanks.<br>
> <br>
> Leonard<br>
> <br>
> -----Original Message-----<br>
> From: Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of Victor Julien<br>
> Sent: Wednesday, November 18, 2015 5:41 AM<br>
> To: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
> Subject: Re: [Oisf-users] Trouble with NFQUEUE IPS Mode<br>
> <br>
> On 18-11-15 12:34, Leonard Jacobs wrote:<br>
>> I did turn on ip forwarding but the only way I could get traffic <br>
>> flowing from Ethernet port to Ethernet port was by enabling bridging between ports.<br>
>><br>
>> I thought bridging was wrong.<br>
> <br>
> It is for NFQUEUE, yes.<br>
> <br>
> Did you make sure the other hosts use this IPS box as their gateway?<br>
> <br>
> Cheers,<br>
> Victor<br>
> <br>
> <br>
> <br>
>><br>
>> Thanks.<br>
>><br>
>> Leonard<br>
>><br>
>> ------------------------------------------------------------------------<br>
>> *From:* Eric Leblond [mailto:<a href="mailto:eric@regit.org">eric@regit.org</a>]<br>
>> *To:* Leonard Jacobs [mailto:<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>],<br>
>> <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
>> [mailto:<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>]<br>
>> *Sent:* Wed, 18 Nov 2015 01:02:40 -0600<br>
>> *Subject:* Re: [Oisf-users] Trouble with NFQUEUE IPS Mode<br>
>><br>
>> Hi,<br>
>><br>
>> On Tue, 2015-11-17 at 18:11 -0600, Leonard Jacobs wrote:<br>
>> > I set up Suricata in NFQUEUE with the following IPTABLES<br>
>> > configuration:<br>
>> > <br>
>> > Chain INPUT (policy ACCEPT 107K packets, 152M bytes)<br>
>> > pkts bytes target prot opt in out source destination<br>
>> > <br>
>> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
>> > pkts bytes target prot opt in out source destination<br>
>> > 0 0 NFQUEUE all -- p3p1 p2p1 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0<br>
>> > 0 0 NFQUEUE all -- p2p1 p3p1 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0<br>
>> > 0 0 NFQUEUE all -- p1p1 eth0 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0<br>
>> > 0 0 NFQUEUE all -- eth0 p1p1 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0<br>
>><br>
>> All counters are 0. So no traffic has been handled by Suricata. Did you<br>
>> activate ip_forward?<br>
>><br>
>> ++<br>
>> -- <br>
>> Eric Leblond <<a href="mailto:eric@regit.org">eric@regit.org</a> <mailto:<a href="mailto:eric@regit.org">eric@regit.org</a>>><br>
>><br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <br>
>> <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <br>
>> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> Suricata User Conference November 4 & 5 in Barcelona: <br>
>> <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
>><br>
> <br>
> <br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
> <br>
> <br>
<br>
<br>
<br>
</blockquote><style>
</style>
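<br>Added example (not code from the thread or from the Suricata project): the two checks raised above, Eric's zero-counter observation and Victor's point that NFQUEUE IPS mode relies on the box routing rather than bridging, as a small script over a constructed copy of the <code>iptables -L FORWARD -v -n</code> listing quoted in the thread. The counter values are constructed (one rule is given a non-zero count so the filter has something to skip), and the ip_forward value is read from /proc/sys/net/ipv4/ip_forward when run on a Linux box.<br>

```python
"""Checks for an NFQUEUE IPS box that sees no traffic: parse the counter
output of `iptables -L FORWARD -v -n` (the format quoted in the thread),
flag NFQUEUE rules that matched nothing, and check net.ipv4.ip_forward."""
import re

# Constructed sample in the layout of `iptables -L FORWARD -v -n`, mirroring the
# thread's rules; one counter is made non-zero so the filter has something to skip.
SAMPLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  p3p1   p2p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  p2p1   p3p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
  312   41K NFQUEUE    all  --  p1p1   eth0    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  eth0   p1p1    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""

# Columns of a rule line; the chain header and the column header do not match.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def to_int(count):
    """iptables -v abbreviates large counters (107K, 152M); expand them."""
    return int(count[:-1]) * SUFFIX[count[-1]] if count[-1] in SUFFIX else int(count)

def parse_rules(listing):
    return [m.groupdict() for m in map(RULE_RE.match, listing.splitlines()) if m]

def idle_nfqueue_rules(listing):
    """'in->out' for each NFQUEUE rule whose packet counter is zero: Eric's
    observation that no packet has been handed to Suricata."""
    return [f"{r['in']}->{r['out']}" for r in parse_rules(listing)
            if r["target"] == "NFQUEUE" and to_int(r["pkts"]) == 0]

def diagnose(listing, ip_forward):
    """Findings (empty list = fine). ip_forward is the text of
    /proc/sys/net/ipv4/ip_forward; NFQUEUE IPS mode relies on the box routing."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("ip_forward=0: box is not routing, FORWARD chain sees nothing")
    idle = idle_nfqueue_rules(listing)
    if idle:
        findings.append("NFQUEUE rules with zero counters: " + ", ".join(idle))
    return findings

if __name__ == "__main__":
    with open("/proc/sys/net/ipv4/ip_forward") as f:  # live value on a Linux box
        print("\n".join(diagnose(SAMPLE_FORWARD, f.read())) or "no findings")
```

Feed it the real listing (and real ip_forward text) instead of the constructed sample to get the same two answers the thread arrived at.<br>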
</body></html>