<div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Mar 31, 2019 at 7:26 AM Kaushal Shriyan <<a href="mailto:kaushalshriyan@gmail.com">kaushalshriyan@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Mar 30, 2019 at 9:14 PM Kaushal Shriyan <<a href="mailto:kaushalshriyan@gmail.com" target="_blank">kaushalshriyan@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I am running Suricata 4.1.3 on CentOS Linux release 7.6.1810 (Core) and have configured Suricata in IDS mode. I would appreciate it if you could help me to configure IPS and NSM in Suricata.</div><div><br></div><div>Thanks in advance and I look forward to hearing from you.</div><div><br></div><div>Best Regards,</div><div><br></div><div>Kaushal</div></div></blockquote><div><br></div><div><br></div><div>Hi,</div><div><br></div><div>I have the below settings for Suricata</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"># suricata --build-info<br>This is Suricata version 4.1.3 RELEASE<br>Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LIBJANSSON TLS MAGIC RUST<br>SIMD support: none<br>Atomic intrisics: 1 2 4 8 byte(s)<br>64-bits, Little-endian architecture<br>GCC version 4.8.5 20150623 (Red Hat 4.8.5-36), C version 199901<br>compiled with _FORTIFY_SOURCE=2<br>L1 cache line size (CLS)=64<br>thread local storage method: __thread<br>compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30<br>Suricata Configuration:<br>  AF_PACKET support:                       yes<br>  eBPF support:                            no<br>  XDP support:                             no<br>  PF_RING support:                         no<br>  NFQueue support:                         yes<br>  NFLOG support:                           no<br>  IPFW support:                            no<br>  Netmap support:                          no<br>  DAG enabled:                             no<br>  Napatech enabled:                        no<br>  WinDivert enabled:                       no<br>  Unix socket enabled:                     yes<br>  Detection enabled:                       yes<br>  Libmagic support:                        yes<br>  libnss support:                          yes<br>  libnspr support:                         yes<br>  libjansson support:                      yes<br>  liblzma support:                         no<br>  hiredis support:                         yes<br>  hiredis async with libevent:             yes<br>  Prelude support:                         yes<br>  PCRE jit:                                yes<br>  LUA support:                             yes<br>  libluajit:                               no<br>  libgeoip:                                yes<br>  Non-bundled htp:                         no<br>  Old barnyard2 support:                   no<br>  Hyperscan support:                       yes<br>  Libnet support:                          yes<br>  liblz4 support:                          yes<br>  Rust support:                            yes (default)<br>  Rust strict mode:                        no<br>  Rust debug mode:                         no<br>  Rust compiler:                           rustc 1.32.0<br>  Rust cargo:                              cargo 1.32.0<br>  Install suricatasc:                      yes<br>  Install suricata-update:                 yes<br>  Profiling enabled:                       no<br>  Profiling locks enabled:                 no<br>Development settings:<br>  Coccinelle / spatch:                     no<br>  Unit tests enabled:                      no<br>  Debug output enabled:                    no<br>  Debug validation enabled:                no<br>Generic build parameters:<br>  Installation prefix:                     /usr<br>  Configuration directory:                 /etc/suricata/<br>  Log directory:                           /var/log/suricata/<br>  --prefix                                 /usr<br>  --sysconfdir                             /etc<br>  --localstatedir                          /var<br>  --datarootdir                            /usr/share<br>  Host:                                    x86_64-redhat-linux-gnu<br>  Compiler:                                gcc -std=gnu99 (exec name) / gcc (real)<br>  GCC Protect enabled:                     yes<br>  GCC march native enabled:                no<br>  GCC Profile enabled:                     no<br>  Position Independent Executable enabled: yes<br>  CFLAGS                                   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -I${srcdir}/../rust/gen/c-headers<br>  PCAP_CFLAGS<br>  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security<br>#</blockquote><div><br></div><div>Please comment.</div><div><br></div><div>Best Regards, </div><div><br></div><div>Kaushal</div></div></div></blockquote><div><br></div><div>Hi,</div><div><br></div><div># suricata --list-runmodes</div><div>------------------------------------- Runmodes ------------------------------------------</div><div>| RunMode Type      | Custom Mode       | Description</div><div>|----------------------------------------------------------------------------------------</div><div>| PCAP_DEV          | single            | Single threaded pcap live mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                  
 | autofp            | Multi threaded pcap live mode.  Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from the same flow can be processed by any detect thread</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Workers pcap live mode, each thread does all tasks from acquisition to logging</div><div>|----------------------------------------------------------------------------------------</div><div>| PCAP_FILE         | single            | Single threaded pcap file mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | autofp            | Multi threaded pcap file mode.  Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from the same flow can be processed by any detect thread</div><div>|----------------------------------------------------------------------------------------</div><div>| PFRING(DISABLED)  | autofp            | Multi threaded pfring mode.  
Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same flow can be processed by any detect thread</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | single            | Single threaded pfring mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Workers pfring mode, each thread does all tasks from acquisition to logging</div><div>|----------------------------------------------------------------------------------------</div><div>| NFQ               | autofp            | Multi threaded NFQ IPS mode with respect to flow</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Multi queue NFQ IPS mode with one thread per queue</div><div>|----------------------------------------------------------------------------------------</div><div>| NFLOG             | autofp            | Multi threaded nflog mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | single            | Single threaded nflog mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Workers nflog mode</div><div>|----------------------------------------------------------------------------------------</div><div>| IPFW              | autofp            | Multi threaded IPFW IPS mode with respect to flow</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Multi queue IPFW IPS mode with one thread per 
queue</div><div>|----------------------------------------------------------------------------------------</div><div>| ERF_FILE          | single            | Single threaded ERF file mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | autofp            | Multi threaded ERF file mode.  Packets from each flow are assigned to a single detect thread</div><div>|----------------------------------------------------------------------------------------</div><div>| ERF_DAG           | autofp            | Multi threaded DAG mode.  Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow can be processed by any detect thread</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | single            | Singled threaded DAG mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Workers DAG mode, each thread does all  tasks from acquisition to logging</div><div>|----------------------------------------------------------------------------------------</div><div>| AF_PACKET_DEV     | single            | Single threaded af-packet mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Workers af-packet mode, each thread does all tasks from acquisition to logging</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | autofp            | Multi socket AF_PACKET mode.  
Packets from each flow are assigned to a single detect thread.</div><div>|----------------------------------------------------------------------------------------</div><div>| NETMAP(DISABLED)  | single            | Single threaded netmap mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | workers           | Workers netmap mode, each thread does all tasks from acquisition to logging</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | autofp            | Multi threaded netmap mode.  Packets from each flow are assigned to a single detect thread.</div><div>|----------------------------------------------------------------------------------------</div><div>| UNIX_SOCKET       | single            | Unix socket mode</div><div>|                   ---------------------------------------------------------------------</div><div>|                   | autofp            | Unix socket mode</div><div>|----------------------------------------------------------------------------------------</div><div>| WINDIVERT(DISABLED) | autofp            | Multi-threaded WinDivert IPS mode load-balanced by flow</div><div>|----------------------------------------------------------------------------------------</div><div><br></div><div>Best Regards,</div><div><br></div><div>Kaushal </div></div></div></div>
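The two outputs pasted in this thread answer part of the IPS question on their own: a runmode whose description says "IPS" is only usable when the table does not mark its capture type (DISABLED) and the corresponding `--build-info` line says yes. The script below is an added example, not code from the thread or from the Suricata project; it assumes the "key: value" layout of `suricata --build-info` and the pipe-separated table layout of `suricata --list-runmodes` shown above. The sample strings are abridged copies constructed from the pasted output, and the mapping from runmode type to build-info line (`IPS_BUILD_KEYS`) is this example's own choice.

```python
"""Cross-check which IPS-capable Suricata runmodes a given build supports.

Added example for the mailing-list thread above; it parses the text of
`suricata --build-info` and `suricata --list-runmodes` rather than running
Suricata, so it works offline on pasted output.
"""
import re

# Constructed sample: abridged lines from the `suricata --build-info` output
# pasted in the thread (4.1.3 on CentOS 7).
BUILD_INFO = """\
This is Suricata version 4.1.3 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  IPFW support:                            no
  Netmap support:                          no
  WinDivert enabled:                       no
"""

# Constructed sample: abridged rows from the pasted `suricata --list-runmodes`.
RUNMODES = """\
| RunMode Type      | Custom Mode       | Description
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp            | Multi threaded pfring mode.
|                   | workers           | Workers pfring mode, each thread does all tasks from acquisition to logging
| NFQ               | autofp            | Multi threaded NFQ IPS mode with respect to flow
|                   ---------------------------------------------------------------------
|                   | workers           | Multi queue NFQ IPS mode with one thread per queue
| IPFW              | autofp            | Multi threaded IPFW IPS mode with respect to flow
| AF_PACKET_DEV     | workers           | Workers af-packet mode, each thread does all tasks from acquisition to logging
| WINDIVERT(DISABLED) | autofp            | Multi-threaded WinDivert IPS mode load-balanced by flow
"""

# Hypothetical mapping (this example's own): which build-info line reports
# whether each IPS-capable RunMode Type was compiled in.
IPS_BUILD_KEYS = {
    "NFQ": "NFQueue support",
    "IPFW": "IPFW support",
    "WINDIVERT": "WinDivert enabled",
}


def parse_build_info(text):
    """Return {'NFQueue support': 'yes', ...} from the indented 'key: value' lines."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([A-Za-z0-9_ /-]+?):\s+(\S.*)$", line)
        if m:
            features[m.group(1).strip()] = m.group(2).strip()
    return features


def parse_runmodes(text):
    """Return a list of (type, custom_mode, description, disabled) tuples.

    A row whose first column is blank continues the previous RunMode Type;
    separator rows (only dashes) and the header row are skipped.
    """
    rows = []
    current = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 4 or cells[1] == "RunMode Type":
            continue
        rtype = cells[1] or current
        current = rtype
        disabled = rtype.endswith("(DISABLED)")
        rows.append((rtype.replace("(DISABLED)", ""), cells[2], cells[3], disabled))
    return rows


def usable_ips_runmodes(build_info_text, runmodes_text):
    """List (type, mode) pairs whose description says 'IPS' and that this build supports.

    A type counts as supported only when the runmodes table does not mark it
    (DISABLED) and the matching build-info line starts with 'yes'.
    """
    features = parse_build_info(build_info_text)
    usable = []
    for rtype, mode, desc, disabled in parse_runmodes(runmodes_text):
        if "IPS" not in desc or disabled:
            continue
        key = IPS_BUILD_KEYS.get(rtype)
        if key and features.get(key, "no").lower().startswith("yes"):
            usable.append((rtype, mode))
    return usable


if __name__ == "__main__":
    for rtype, mode in usable_ips_runmodes(BUILD_INFO, RUNMODES):
        print(f"IPS-capable: {rtype} / {mode}")
```

On the pasted build this reports only the two NFQ modes (autofp and workers): IPFW is an IPS runmode but the build says "IPFW support: no", and WinDivert is marked (DISABLED) in the table. To check a different host, replace the two sample strings with the real output of the two commands.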