[Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode

Michael Bouvy michael at aliosphere.fr
Tue Apr 9 15:54:59 UTC 2013


Thanks a lot Victor and Leonard for your quick replies, and sorry for 
the wrong mailing-list.

It works fine now !

Regards,

Michael

On 09/04/2013 17:41, Leonard Jacobs wrote:

> af-packet is the other method to perform IPS without iptables. It has
> its own bridging built-in.
>
> See https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/ [2].
>
> But if you want to use more than one thread you will need to use a
> Linux kernel greater than 3.5.
>
> Leonard
>
> -------------------------
> FROM: Victor Julien [mailto:lists at inliniac.net]
> TO: discussion at openinfosecfoundation.org
> SENT: Tue, 09 Apr 2013 10:02:30 -0600
> SUBJECT: Re: [Discussion] Suricata 1.4.1 as an IPS : no logs in NFQUEUE mode
>
> (in general, we use oisf-users for supporting user questions)
>
> On 04/09/2013 04:11 PM, Michael Bouvy wrote:
>> Hi everyone,
>>
>> After a quick (and unsuccessful, because of poor perfs) experience
>> with Snort a few years ago, I recently discovered Suricata which seems
>> to fit my needs.
>>
>> I installed it on my Debian (5.0 Lenny) from sources (1.4.1) and
>> after some configuration launched it: lots of log lines are now being
>> written in http.log, fast.log, etc., it works fine.
>>
>> As I'd like to use Suricata in IPS rather than IDS mode, I added a
>> rule in my iptables configuration to redirect all incoming traffic on
>> port HTTP/80 to NFQUEUE:
>>
>> iptables -A INPUT -p tcp --dport 80 -j NFQUEUE
>
> Add:
> iptables -A OUTPUT -p tcp --sport 80 -j NFQUEUE
>
> Otherwise you'll send only one side of the traffic to Suricata.
>
>>
>> I then launched Suricata in NFQ mode (with -q 0, 0 matching the
>> iptables rule), but I couldn't see any new line in my logs, despite
>> packet quantity growing in iptables -vnL for the NFQUEUE rule, and in
>> stats.log.
>>
>> NFQ mode is set as 'accept' in Suricata's configuration file.
>>
>> Is this a normal behavior of Suricata in NFQ mode ?
>
> It is with your iptables rule :)
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/ [3]
> PGP: http://www.inliniac.net/victorjulien.asc [4]
> ---------------------------------------------
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/discussion 
> [1]
>


Links:
------
[1] https://lists.openinfosecfoundation.org/mailman/listinfo/discussion
[2] https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
[3] http://www.inliniac.net/
[4] http://www.inliniac.net/victorjulien.asc
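As an added example (not from this thread or the Suricata project): a small checker over constructed `iptables -S` output that flags ports whose traffic is queued to NFQUEUE in one direction only, the misconfiguration Victor points out, which leaves Suricata seeing half of every TCP session and logging nothing. It assumes the host-based INPUT/OUTPUT layout used in the thread (no FORWARD chain) and that a NFQUEUE rule without `--queue-num` uses queue 0.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables -S` output: the one-sided setup from the
# thread (only INPUT --dport 80 queued) next to a two-sided setup for 443.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
-A INPUT -p tcp -m tcp --dport 443 -j NFQUEUE --queue-num 0
-A OUTPUT -p tcp -m tcp --sport 443 -j NFQUEUE --queue-num 0
"""

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?--(?P<kind>dport|sport) (?P<port>\d+) .*?-j NFQUEUE"
    r"(?: --queue-num (?P<queue>\d+))?"
)

def nfqueue_coverage(rules_text):
    """Map (queue, port) -> set of directions seen ('in', 'out').

    'in'  = packets to a local service port   (INPUT  --dport N)
    'out' = replies from that service port    (OUTPUT --sport N)
    Assumption: a rule with no --queue-num uses queue 0 (iptables default).
    """
    seen = defaultdict(set)
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        queue = int(m.group("queue") or 0)
        port = int(m.group("port"))
        chain, kind = m.group("chain"), m.group("kind")
        if chain == "INPUT" and kind == "dport":
            seen[(queue, port)].add("in")
        elif chain == "OUTPUT" and kind == "sport":
            seen[(queue, port)].add("out")
    return seen

def one_sided_ports(rules_text):
    """Return (queue, port) pairs where only one direction reaches Suricata."""
    return sorted(k for k, d in nfqueue_coverage(rules_text).items() if len(d) < 2)

if __name__ == "__main__":
    for queue, port in one_sided_ports(SAMPLE_RULES):
        print(f"queue {queue}: port {port} is queued one way only; "
              f"add the matching INPUT/OUTPUT NFQUEUE rule")
```

On a live host, feed it the real output with `iptables -S INPUT; iptables -S OUTPUT` and fix anything reported before expecting alerts in fast.log.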