<div dir="ltr">When I add this rule<div><i>iptables -A INPUT -m mark ! --mark 1/1 -j NFQUEUE</i></div><div><br></div><div>suricata.yaml with</div><div>nfq:<br> mode: repeat<br> repeat-mark: 1<br> repeat-mask: 1</div><div> # route-queue: 2<br> batchcount: 20<br> fail-open: no<br></div><div><br></div><div>when I try to start Suricata</div><div>suricata -c /etc/suricata/suricata.yaml -i eth0 -vv -D -q 0</div><div><br></div><div>I get an error stating that "more than one run mode has been specified..."</div><div><br></div><div>I can't see any other run modes I have set in suricata.yaml other than "mode: repeat" but I am not sure what I am looking for.</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 22, 2017 at 1:46 PM, Dominic Ruggiero <span dir="ltr"><<a href="mailto:dominic1011@gmail.com" target="_blank">dominic1011@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks to all who have been participating in the recent threads about<br>
Suricata Repeat Mode for your expertise!<br>
<br>
Suricata is now running on my hosts in Repeat Mode with no packet<br>
errors in suricata.log.<br>
<br>
- LXTerminal commands:<br>
<br>
sudo iptables -I INPUT -m mark ! --mark 1/1 -j NFQUEUE<br>
sudo iptables -I OUTPUT -m mark ! --mark 1/1 -j NFQUEUE<br>
sudo suricata -c /etc/suricata/suricata.yaml -q 0<br>
<br>
- Relevant suricata.log output (note the Errors 0!):<br>
<br>
(RX-Q0) Treated: Pkts 33144, Bytes 13638158, Errors 0<br>
(RX-Q0) Verdict: Accepted 33133, Dropped 10, Replaced 0<br>
<br>
- sudo iptables -vnL --line-numbers:<br>
<br>
Chain INPUT (policy DROP 0 packets, 0 bytes)<br>
num pkts bytes target prot opt in out source destination<br>
1 2980 1405K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x1/0x1 NFQUEUE num 0<br>
2 4344 1516K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
3 4344 1516K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
4 0 0 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
5 0 0 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
6 0 0 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
7 0 0 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
2 0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
3 0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
4 0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
5 0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
6 0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain OUTPUT (policy ACCEPT 5 packets, 200 bytes)<br>
num pkts bytes target prot opt in out source destination<br>
1 2895 806K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x1/0x1 NFQUEUE num 0<br>
2 3909 887K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
3 3909 887K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
4 97 8448 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
5 97 8448 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
6 97 8448 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
7 97 8448 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-after-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-after-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137<br>
2 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138<br>
3 0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139<br>
4 0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445<br>
5 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67<br>
6 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68<br>
7 0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST<br>
<br>
Chain ufw-after-logging-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "<br>
<br>
Chain ufw-after-logging-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "<br>
<br>
Chain ufw-after-logging-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-after-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-before-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED<br>
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3<br>
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4<br>
4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11<br>
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12<br>
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8<br>
7 0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-before-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 1334 107K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0<br>
2 2973 1404K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED<br>
3 0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID<br>
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID<br>
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3<br>
6 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4<br>
7 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11<br>
8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12<br>
9 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8<br>
10 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68<br>
11 37 4877 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0<br>
12 37 4877 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353<br>
13 0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900<br>
14 0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-before-logging-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-before-logging-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-before-logging-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-before-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 1340 107K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0<br>
2 2472 771K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED<br>
3 97 8448 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-logging-allow (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "<br>
<br>
Chain ufw-logging-deny (2 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10<br>
2 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "<br>
<br>
Chain ufw-not-local (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL<br>
2 37 4877 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST<br>
3 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST<br>
4 0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10<br>
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-reject-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-reject-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-reject-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-skip-to-policy-forward (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-skip-to-policy-input (7 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-skip-to-policy-output (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-track-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-track-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-track-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 42 2520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW<br>
2 50 5728 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW<br>
<br>
Chain ufw-user-forward (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-user-input (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-user-limit (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "<br>
2 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable<br>
<br>
Chain ufw-user-limit-accept (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
Chain ufw-user-logging-forward (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-user-logging-input (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-user-logging-output (0 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain ufw-user-output (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
<br>
Thanks Again,<br>
<br>
Dominic Ruggiero<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On Mon, May 22, 2017 at 10:03 AM, David Sussens <<a href="mailto:dsussens@gmail.com">dsussens@gmail.com</a>> wrote:<br>
> Stan, that mechanism is exactly what I have described. This feature has been<br>
> available for quite some time now.<br>
><br>
> Good luck with your implementation.<br>
><br>
> David Sussens.<br>
><br>
> On 22 May 2017 17:14, "Stanford Prescott" <<a href="mailto:stan.prescott@gmail.com">stan.prescott@gmail.com</a>> wrote:<br>
>><br>
>> Thank you, David. That should be very helpful. I think I got confused by<br>
>> the article I read which I am thinking is a new feature that has been added<br>
>> to suricata which appears to be a way of marking traffic with different<br>
>> marks to return to iptables to process depending on what the mark is.<br>
>> Perhaps like both traffic to be accepted and dropped are returned to<br>
>> iptables to be processed depending on what the mark is?<br>
>><br>
>> On Mon, May 22, 2017 at 4:26 AM, David Sussens <<a href="mailto:dsussens@gmail.com">dsussens@gmail.com</a>> wrote:<br>
>>><br>
>>> Basically what needs to be done is the following:<br>
>>><br>
>>> 1. In iptables:<br>
>>><br>
>>> -A INPUT -m mark ! --mark 1/1 -j NFQUEUE --queue-balance 0:3<br>
>>> --queue-bypass<br>
>>><br>
>>> You add the rule above. This rule works as follows:<br>
>>><br>
>>> Traffic that does not have a mark/mask of 1/1 is forwarded to suricata<br>
>>> for processing. Once Suricata is finished processing, the traffic is<br>
>>> reinjected into the INPUT chain but this time the mark 1/1 is set, which<br>
>>> means on the second round the traffic is not forwarded to suricata and will<br>
>>> skip on to the rules lower down in the INPUT chain. Remember that traffic<br>
>>> is only reinjected if it was not dropped by Suricata. Thus, your marking<br>
>>> does not have to be specified in the suricata rules at all and it is<br>
>>> business as usual from that perspective.<br>
>>><br>
>>> 2. in suricata.yaml:<br>
>>><br>
>>> nfq:<br>
>>> mode: repeat<br>
>>> repeat-mark: 1<br>
>>> repeat-mask: 1<br>
>>> route-queue: 2<br>
>>> batchcount: 20<br>
>>> fail-open: no<br>
>>><br>
>>> You change the nfq mode from accept to repeat; this causes packets that<br>
>>> were not rejected by Suricata to be reinjected into the appropriate chain.<br>
>>><br>
>>> This is how I am using it. In my case I am doing this to ensure that<br>
>>> traffic is first checked by Suricata, and then goes to the local Apache<br>
>>> Inverse Proxy.<br>
>>><br>
>>> Hope this helps.<br>
>>><br>
>>> David Sussens.<br>
>>><br>
>>><br>
>>><br>
>>><br>
>>> On Sun, May 21, 2017 at 10:04 PM, Stanford Prescott<br>
>>> <<a href="mailto:stan.prescott@gmail.com">stan.prescott@gmail.com</a>> wrote:<br>
>>>><br>
>>>> I am trying to integrate Suricata 3.2.1 into our iptables firewall in<br>
>>>> IPS mode. We have been using Snort in IDS mode but wanted to provide<br>
>>>> more filtering options. I like the possibility of using Suricata in IPS mode<br>
>>>> using nfq in repeat mode to return marked packets to the iptables table that<br>
>>>> sent the packets to Suricata for further processing. Snort doesn't seem to<br>
>>>> do this so we are trying to make the switch to Suricata.<br>
>>>><br>
>>>> I've been doing a lot of research to figure all of this out. I have read<br>
>>>> this excellent article about nfq and nfq_set_mark.<br>
>>>> <a href="https://home.regit.org/tag/suricata/page/4/" rel="noreferrer" target="_blank">https://home.regit.org/tag/suricata/page/4/</a><br>
>>>><br>
>>>> To use iptables with mark and mask, the article indicates that the<br>
>>>> "nfq_set_mark" keyword needs to be added to the Suricata rules. How do I<br>
>>>> determine to what rules I add the keyword? Would I just add the keyword to<br>
>>>> every rule that Suricata is using as listed in suricata.yaml? Or is there a<br>
>>>> recommended set of rules to add the keyword? Or are there rule sets<br>
>>>> available that already have the keyword added to the rules?<br>
>>>><br>
>>>> Is Suricata able to set a mark for packets to be accepted and set a<br>
>>>> different mark for packets that need to be dropped or rejected?<br>
>>>><br>
>>>> Any other tips and suggestions for getting Suricata in IPS mode<br>
>>>> working with iptables would be much appreciated.<br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>>>> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>
>>>> <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>>>> List:<br>
>>>> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>>><br>
>>><br>
>><br>
>><br>
>><br>
><br>
><br>
</div></div></blockquote></div><br></div>
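<p>The mark/mask loop that David describes in the thread (a packet is queued to Suricata only while bit 0 of its fwmark is clear; the repeat verdict sets that bit before re-injecting an accepted packet, so the second pass falls through the NFQUEUE rule) can be checked with a small model of the INPUT chain. This is an added illustration, not code from the thread, from Suricata or from netfilter: the chain traversal, the <code>toy_verdict</code> policy and the sample packets are constructed for the example. The two semantics it implements are those of <code>-m mark ! --mark 1/1</code> (match when <code>(mark & 1) != 1</code>) and of nfq mode <code>repeat</code> with <code>repeat-mark: 1</code> / <code>repeat-mask: 1</code> (only the masked bit is rewritten, other mark bits are preserved). It also exercises the caveat this rule carries: a packet that already has bit 0 set when it reaches the rule, for example because an earlier mangle-table rule marked it, bypasses inspection entirely, so that bit has to be reserved for Suricata on the box.</p>
<pre>
```python
from dataclasses import dataclass, field
from typing import Callable, List

# Values from the thread's suricata.yaml (nfq: repeat-mark: 1, repeat-mask: 1)
# and the matching iptables test `-m mark ! --mark 1/1`.
REPEAT_MARK = 1
REPEAT_MASK = 1


@dataclass
class Packet:
    payload: bytes          # constructed sample data, not a real capture
    mark: int = 0           # fwmark as seen by the filter table
    trace: List[str] = field(default_factory=list)


def mark_matches(mark: int, value: int, mask: int) -> bool:
    """iptables `-m mark --mark value/mask`: true when (mark & mask) == value.
    The thread's rule negates this (`! --mark 1/1`); see input_chain()."""
    return (mark & mask) == value


def apply_repeat_mark(mark: int, value: int = REPEAT_MARK, mask: int = REPEAT_MASK) -> int:
    """How the repeat verdict updates the fwmark: only the bits in `mask`
    are replaced, every other bit of the existing mark is preserved."""
    return (mark & ~mask) | (value & mask)


def toy_verdict(pkt: Packet) -> str:
    """Stand-in for the IPS engine. Hypothetical policy for the example only;
    Suricata's real verdict comes from its signature set."""
    return "DROP" if b"evil" in pkt.payload else "ACCEPT"


def input_chain(pkt: Packet, engine: Callable[[Packet], str], max_passes: int = 4) -> str:
    """Simplified INPUT chain from the thread:
         1. -m mark ! --mark 1/1 -j NFQUEUE
         2. everything after it (modelled as a single ACCEPT)
    In nfq mode 'repeat' an ACCEPTed packet is re-injected at rule 1 with the
    repeat mark applied, so the second pass no longer matches rule 1 and the
    packet continues down the chain. A DROPped packet is never re-injected."""
    for _ in range(max_passes):
        if not mark_matches(pkt.mark, REPEAT_MARK, REPEAT_MASK):
            pkt.trace.append(f"rule 1: mark=0x{pkt.mark:x} -> NFQUEUE")
            if engine(pkt) == "DROP":
                pkt.trace.append("suricata: DROP, packet not re-injected")
                return "DROP"
            pkt.mark = apply_repeat_mark(pkt.mark)
            pkt.trace.append(f"suricata: ACCEPT, repeat with mark=0x{pkt.mark:x}")
            continue
        pkt.trace.append(f"rule 1: mark=0x{pkt.mark:x} carries the repeat bit, NFQUEUE skipped")
        pkt.trace.append("rule 2: ACCEPT")
        return "ACCEPT"
    # Only reachable if the mark were not applied on re-injection; a real chain
    # would hand the packet back to the queue on every pass.
    return "LOOP"


def was_inspected(pkt: Packet) -> bool:
    """True if the packet was handed to the NFQUEUE at least once."""
    return any(t.endswith("-> NFQUEUE") for t in pkt.trace)


def run_examples() -> dict:
    """Constructed packets covering the normal path and the bypass caveat.
    Returns {name: (final verdict, was inspected, final fwmark)}."""
    samples = [
        ("clean", Packet(b"GET / HTTP/1.1")),              # unmarked, benign
        ("bad", Packet(b"evil payload")),                  # unmarked, hits toy rule
        ("premarked", Packet(b"evil payload", mark=0x3)),  # bit 0 already set upstream
        ("other_bit", Packet(b"evil payload", mark=0x2)),  # unrelated bit set, bit 0 clear
    ]
    results = {}
    for name, pkt in samples:
        results[name] = (input_chain(pkt, toy_verdict), was_inspected(pkt), pkt.mark)
    return results


if __name__ == "__main__":
    for name, (verdict, inspected, mark) in run_examples().items():
        print(f"{name:10s} verdict={verdict:6s} inspected={inspected} final_mark=0x{mark:x}")
```
</pre>
<p>Running the block prints one line per sample: the clean packet is queued once, comes back with mark 0x1 and is accepted on its second pass; the bad packet is dropped and never re-injected; the packet with an unrelated mark bit (0x2) is still inspected because bit 0 is clear; and the pre-marked packet (0x3) skips the queue and is accepted without Suricata ever seeing it, which is the case to rule out when auditing the rest of the ruleset.</p>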