<div dir="ltr">

<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Thanks for writing Giuseppe,</span><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">I have already installed the nflog packages you mentioned, via apt, but when I run the new command line, it throws a new error:</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><div># suricata -c /etc/suricata/suricata.yaml --nflog</div><div>26/4/2018 -- 13:03:06 - <Notice> - This is Suricata version 4.0.4 RELEASE</div><div>26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata == NULL</div><div>26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-10" failed to initialize: flags 0145</div><div>26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...</div></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Does --nflog require some kind of argument?</div><div 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Pretty cryptic to me.  Thanks for helping me take a look at this.</div>

<div><br></div>Kevin<div><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 26, 2018 at 12:20 PM, Giuseppe Longo <span dir="ltr"><<a href="mailto:lists@glongo.it" target="_blank">lists@glongo.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Kevin,<br>
<br>
On 25/04/2018 20:40, Kevin Branch wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks everyone, it appears NFLOG is what best fits my need.  Too bad it appears that the Launchpad Ubuntu 16.04 package comes with that option disabled.  Anyway I slogged through pulling the deb-src, tweaking the configure.ac file to force NFLOG to be enabled, and then building and installing the new deb.  I can confirm I have NFLOG support now:<span class=""><br>
<br>
    # suricata -c /etc/suricata/suricata.yaml --build-info | grep NFLOG<br>
       NFLOG support:                           yes<br>
<br>
<br>
but I can't yet invoke Suricata such that it uses NFLOG.<br>
</span></blockquote>
<br>
To enable NFLOG support in Suricata you need to install the nflog package:<br>
apt-get install libnetfilter-log1 libnetfilter-log-dev<br>
should work in Ubuntu since it works for Debian.<br>
<br>
After that, you can run configure script enabling nflog:<br>
./configure --enable-nflog ...<br>
<br>
If you have built nflog from source code you have to specify the directory where nflog is installed:<br>
<br>
--with-libnetfilter_log-includes=DIR  libnetfilter_log include directory<br>
--with-libnetfilter_log-libraries=DIR libnetfilter_log library directory<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I have the relevant section in suricata.yaml:<br>
<br>
    nflog:<br>
         # netlink multicast group<br>
         # (the same as the iptables --nflog-group param)<br>
         # Group 0 is used by the kernel, so you can't use it<br>
       - group: 10<br>
         # netlink buffer size<br>
         buffer-size: 18432<br>
         # put default value here<br>
       - group: default<br>
         # set number of packet to queue inside kernel<br>
         qthreshold: 1<br>
         # set the delay before flushing packet in the queue inside kernel<br>
         qtimeout: 100<br>
         # netlink max buffer size<br>
         max-size: 20000<br>
<br>
<br>
I've tried variations of the following and am just not hitting pay dirt.<br>
<br>
    # iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10<br>
    # suricata -c /etc/suricata/suricata.yaml -i nflog:10<br>
</blockquote>
<br></span>
Looks like your command is wrong. You should start suricata as below:<br>
suricata -c /etc/suricata/suricata.yaml --nflog<br>
<br>
You have already specified the nflog group, so you don't need to specify it in command line.<br>
<br>
This should fix your issue, please let me know if it doesn't work for you.<br>
<br>
Regards,<br>
Giuseppe<div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></div></div></blockquote></div><br></div></div></div>
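<p>The thread turns on two things that have to agree before <code>suricata --nflog</code> can see any traffic: the <code>--nflog-group</code> in the iptables rule and the <code>group:</code> entries under <code>nflog:</code> in suricata.yaml (with group 0 reserved by the kernel, as the config comment says). The following is an added example, not code from the thread or from the Suricata project: a small Python check that reads the nflog section in the simple list layout shown above (it is a purpose-built parser, not a general YAML parser), pulls the group out of each NFLOG rule, and reports rules that log to a group Suricata is not configured to read. The yaml text and the second iptables rule are constructed sample input; the function names are this example's own.</p>

```python
"""
Added example (not from the mailing-list thread): cross-check iptables
NFLOG rules against the nflog section of suricata.yaml.

Assumptions (constructed for this example): the yaml snippet below copies
the thread's nflog section; the parser handles only that simple
"nflog:" list layout, not general YAML.
"""
import re

# Constructed sample: the nflog section as it appears in the thread.
SURICATA_YAML_NFLOG = """\
nflog:
     # netlink multicast group
     # (the same as the iptables --nflog-group param)
     # Group 0 is used by the kernel, so you can't use it
   - group: 10
     # netlink buffer size
     buffer-size: 18432
     # put default value here
   - group: default
     # set number of packet to queue inside kernel
     qthreshold: 1
     # set the delay before flushing packet in the queue inside kernel
     qtimeout: 100
     # netlink max buffer size
     max-size: 20000
"""

# Constructed sample rules; the first is the one from the thread, the
# second deliberately logs to a group suricata.yaml does not mention.
IPTABLES_RULES = [
    "iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10",
    "iptables -A FORWARD -p udp --dport 53 -j NFLOG --nflog-group 20",
]


def parse_nflog_section(text):
    """Parse the minimal 'nflog:' list layout into a list of dicts.
    A '- key: value' line starts a new entry; following 'key: value'
    lines belong to it. Comments and blank lines are skipped."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "nflog:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("- "):
            entries.append({})
            line = line[2:].strip()
        if not entries:
            continue  # stray key before the first list item
        key, _, value = line.partition(":")
        entries[-1][key.strip()] = value.strip()
    return entries


def configured_groups(entries):
    """Numeric nflog groups Suricata will subscribe to. The 'default'
    entry only carries defaults for the others and is not a group."""
    groups = set()
    for entry in entries:
        group = entry.get("group")
        if group is not None and group != "default":
            groups.add(int(group))
    return groups


def rule_group(rule):
    """Extract --nflog-group N from an iptables NFLOG rule, or None."""
    match = re.search(r"-j\s+NFLOG\b.*--nflog-group\s+(\d+)", rule)
    return int(match.group(1)) if match else None


def check(yaml_text, rules):
    """Return a list of findings; an empty list means rules and yaml agree."""
    findings = []
    groups = configured_groups(parse_nflog_section(yaml_text))
    if 0 in groups:
        findings.append("group 0 is reserved by the kernel")
    for rule in rules:
        group = rule_group(rule)
        if group is None:
            findings.append(f"no NFLOG group in rule: {rule}")
        elif group not in groups:
            findings.append(
                f"rule logs to group {group} but suricata.yaml has no entry for it")
    return findings


if __name__ == "__main__":
    for finding in check(SURICATA_YAML_NFLOG, IPTABLES_RULES):
        print(finding)
```

<p>Run against the constructed input, the check passes the thread's own rule (group 10 is configured) and reports the second rule, whose group 20 Suricata would never read. The same mismatch in reverse (a configured group no rule logs to) produces no packets rather than an error, which is why this kind of check is worth running before reading Suricata's startup log.</p>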