[Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode

Leonard Jacobs ljacobs at netsecuris.com
Tue Apr 9 15:41:54 UTC 2013


af-packet is the other method to perform IPS without iptables. It has its own bridging built-in.

See https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/.

But if you want to use more than one thread you will need to use a Linux kernel greater than 3.5.

Leonard

  From: Victor Julien [mailto:lists at inliniac.net]
To: discussion at openinfosecfoundation.org
Sent: Tue, 09 Apr 2013 10:02:30 -0600
Subject: Re: [Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode

(in general, we use oisf-users for supporting user questions)

On 04/09/2013 04:11 PM, Michael Bouvy wrote:
> Hi everyone,
> 
> After a quick (and unsuccessful, because of poor performance) experience with
> Snort a few years ago, I recently discovered Suricata which seems to fit
> my needs.
> 
> I installed it on my Debian (5.0 Lenny) from sources (1.4.1) and after
> some configuration launched it: lots of log lines are now being written
> in http.log, fast.log, etc., it works fine.
> 
> As I'd like to use Suricata in IPS rather than IDS mode, I added a rule
> in my iptables configuration to redirect all incoming traffic on port
> HTTP/80 to NFQUEUE:
> 
> iptables -A INPUT -p tcp --dport 80 -j NFQUEUE

Add:
iptables -A OUTPUT -p tcp --sport 80 -j NFQUEUE

Otherwise you'll send only one side of the traffic to Suricata.

> 
> I then launched Suricata in NFQ mode (with -q 0, 0 matching the iptables
> rule), but I couldn't see any new line in my logs, despite packet
> quantity growing in iptables -vnL for the NFQUEUE rule, and in stats.log.
> 
> NFQ mode is set as 'accept' in Suricata's configuration file.
> 
> Is this a normal behavior of Suricata in NFQ mode?

It is with your iptables rule :)

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Discussion mailing list
Discussion at openinfosecfoundation.org
https://lists.openinfosecfoundation.org/mailman/listinfo/discussion
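The fix Victor gives above, as an added example that is not part of the original thread or of Suricata's own code: a POSIX shell script that prints both NFQUEUE rules for a locally served TCP port, and a check, run over a constructed iptables-save style dump, that flags any port queued from only one of INPUT/OUTPUT. The helper names nfq_rules and check_both_directions and the sample ruleset are this example's own, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Suricata.
# The box in the thread is the web server itself, so the server-to-client
# half of every connection leaves through OUTPUT.  Queuing only INPUT gives
# Suricata one side of each TCP stream, which is why the NFQUEUE counters
# grew while no alerts or http.log lines appeared.

# Print the pair of rules that must BOTH be present for a locally served
# TCP port.  (Hypothetical helper name.)  Without --queue-num the NFQUEUE
# target uses queue 0, which is what "suricata -q 0" attaches to.
nfq_rules() {
    port="$1"
    queue="${2:-0}"
    printf 'iptables -A INPUT  -p tcp --dport %s -j NFQUEUE --queue-num %s\n' "$port" "$queue"
    printf 'iptables -A OUTPUT -p tcp --sport %s -j NFQUEUE --queue-num %s\n' "$port" "$queue"
}

# Read an iptables-save style dump on stdin and report every TCP port that
# is sent to NFQUEUE from only one of INPUT/OUTPUT.  (Hypothetical helper
# name.)  Prints nothing when every queued port is covered in both chains.
check_both_directions() {
    awk '
        /-j NFQUEUE/ {
            chain = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-A") chain = $(i + 1)
                if ($i == "--dport" || $i == "--sport") port = $(i + 1)
            }
            if (port == "") next
            if (chain == "INPUT")  in_p[port] = 1
            if (chain == "OUTPUT") out_p[port] = 1
        }
        END {
            for (p in in_p)  if (!(p in out_p)) printf "one-sided: %s (INPUT only)\n", p
            for (p in out_p) if (!(p in in_p))  printf "one-sided: %s (OUTPUT only)\n", p
        }'
}

# Constructed sample: the ruleset from the thread, INPUT only.
SAMPLE_ONE_SIDED='*filter
-A INPUT -p tcp --dport 80 -j NFQUEUE
COMMIT'

# Run with "demo" to show the rules to add and the check firing on the
# constructed dump.  On a live host feed check_both_directions the output
# of "iptables-save" instead, and run the printed rules as root.
if [ "${1:-}" = "demo" ]; then
    echo "# rules for TCP/80 on queue 0:"
    nfq_rules 80 0
    echo "# check of the constructed one-sided ruleset:"
    printf '%s\n' "$SAMPLE_ONE_SIDED" | check_both_directions
fi
```

Two caveats for anyone copying this. On a host that forwards traffic rather than terminating it, a single FORWARD rule already sees both directions, so the INPUT/OUTPUT pair is only needed for locally served ports as in the thread. And while no userspace program is attached to the queue the kernel drops queued packets, so start Suricata (suricata -c suricata.yaml -q 0) before loading the rules, or use the NFQUEUE target's --queue-bypass option where the kernel and iptables in use support it.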