[Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode

• Next message (by thread): [Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi everyone,

After a quick (and unsuccessful, because of poor perfs) experience with 
Snort few years ago, I recently discovered Suricata which seems to fit 
my needs.

I installed it on my Debian (5.0 Lenny) from sources (1.4.1) and after 
some configuration launched it : lots of log lines are now being written 
in http.log, fast.log, etc., it works fine.

As I'd like to use Suricata in IPS rather than IDS mode, I added a rule 
in my iptables confiration to redirect all incoming trafic on port 
HTTP/80 to NFQUEUE :

iptables -A INPUT -p tcp --dport 80 -j NFQUEUE

I then launched Suricata in NFQ mode (with -q 0, 0 matching the 
iptables rule), but I couldn't see any new line in my logs, despite 
packet quantity growing in iptables -vnL for the NFQUEUE rule, and in 
stats.log.

NFQ mode is set as 'accept' in Suricata's configuration file.

Is this a normal behavior of Suricata in NFQ mode ?

Thanks a lot in advance for your help.

Regards,

Michael

• Next message (by thread): [Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]