<div dir="ltr">

<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Thanks everyone, it appears NFLOG is what best fits my need.  Too bad it appears that the Launchpad Ubuntu 16.04 package comes with that option disabled.  Anyway I slugged through pulling the deb-src, tweaking the<span> </span></span><a href="http://configure.ac/" target="_blank" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">configure.ac</a><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span> </span>file to force NFLOG to be enabled, and then building and installing the new deb.  I can confirm I have NFLOG support now:</span><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><blockquote style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px 0px 0px 40px;border:none;padding:0px"><div><div># suricata -c /etc/suricata/suricata.yaml --build-info | grep NFLOG</div></div><div><div>  NFLOG support:                           yes</div></div></blockquote><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">but I can't yet invoke Suricata such that it uses NFLOG.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">I have the relevant section in suricata.yaml:</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div>nflog:</div><div>    # netlink multicast group</div><div>    # (the same as the iptables --nflog-group param)</div><div>    # Group 0 is used by the kernel, so you can't use it</div><div>  - group: 10</div><div>    # netlink buffer size</div><div>    buffer-size: 18432</div><div>    # put default value here</div><div>  - group: default</div><div>    # set number of packet to queue inside kernel</div><div>    qthreshold: 1</div><div>    # set the delay before flushing packet in the queue inside kernel</div><div>    qtimeout: 100</div><div>    # netlink max buffer size</div><div>    max-size: 20000</div></blockquote></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><div>I've tried variations of the following and am just not hitting pay dirt.  </div><div><br></div></div><blockquote style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px 0px 0px 40px;border:none;padding:0px"><div><div># iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10</div></div><div><div># suricata -c /etc/suricata/suricata.yaml -i nflog:10</div></div><div><div>25/4/2018 -- 14:25:08 - <Notice> - This is Suricata version 4.0.4 RELEASE</div></div><div><div>25/4/2018 -- 14:25:08 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'nflog:10': No such device (19)</div></div><div><div>25/4/2018 -- 14:25:08 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'nflog:10': No such device (19)</div></div><div><div>25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "nflog:10": No such device</div></div><div><div>25/4/2018 -- 14:25:13 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.</div></div><div><div>25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface nflog:10: No such device</div></div><div><div>25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error</div></div><div><div>25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-nflog:10 failed</div></div></blockquote><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">NFLOG itself seems to be working:</div><blockquote style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><br></div><div># tcpdump -i nflog:10 -nn</div></div><div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div></div><div><div>listening on nflog:10, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes</div></div></blockquote><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">but I just can't seem to work out the proper way to call Suricata.  Please give me a hand with the syntax for that.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">I have scrubbed the Googlesphere and my findings are very lean on this topic.</div>

<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 25, 2018 at 5:54 AM, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 23-04-18 04:26, Kevin Branch wrote:<br>
> Hi all,<br>
> <br>
> I've used Suricata for years but always on a dedicated NIDS server for<br>
> inspecting traffic behind a network firewall.  Now I am trying a local<br>
> install of Suricata on a Linux cloud server whose traffic I want to<br>
> inspect.  The server uses iptables to block all incoming connections<br>
> other than http/https.  My problem is that Suricata is generating lots<br>
> of alerts about incoming connection attempts (scanning noise) that<br>
> iptables is blocking anyway, which I would rather not hear about.<br>
> <br>
> Is there a way to make Suricata ignore packets that have already been<br>
> dropped by the local iptables?  I've toyed with the idea of using the<br>
> iptables tee facility to pump a subset of eth0 traffic to a dummy0<br>
> interface and then having Suricata inspect that instead, but I thought<br>
> I'd check in here to see if anyone has a better approach already working<br>
> for them.<br>
<br>
</span>I guess there would be 2 possibilities:<br>
<br>
1. use a bpf to have suri only look at those open ports: 'tcp port 80<br>
and tcp port 443'<br>
<br>
2. use Suricata in NFLOG mode: like with NFQUEUE this can be used to<br>
steer traffic to Suricata from iptables. Unlike NFQUEUE, NFLOG is passive.<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
------------------------------<wbr>---------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/<wbr>victorjulien.asc</a><br>
------------------------------<wbr>---------------<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a></div></div></blockquote></div><br></div>