[Oisf-users] A question about using suricata as an IPS

carlopmart carlopmart at gmail.com
Fri Apr 1 17:32:51 UTC 2011


On 04/01/2011 05:13 PM, carlopmart wrote:
> On 04/01/2011 05:07 PM, Victor Julien wrote:
>> On 04/01/2011 05:04 PM, carlopmart wrote:
>>> On 04/01/2011 05:01 PM, Victor Julien wrote:
>>>> On 04/01/2011 05:00 PM, carlopmart wrote:
>>>>> On 04/01/2011 04:53 PM, Victor Julien wrote:
>>>>>> There is no need at all to pass an interface to Suricata in this
>>>>>> case.
>>>>>> Suricata gets the packets from NFQueue 0 as told by "-q 0".
>>>>>>
>>>>>> Cheers,
>>>>>> Victor
>>>>>>
>>>>>
>>>>> Ok, but if I have several bridges in the same host, how can I
>>>>> configure
>>>>> Suricata or iptables then?
>>>>>
>>>>> Thanks.
>>>>
>>>> You need to setup your iptables NFQUEUE rules in such a way that all
>>>> traffic you want to pass to Suricata is covered. Suricata just inspects
>>>> what ends up on queue 0.
>>>>
>>>
>>> Then, is this rule correct to pass only traffic from ipsif0?
>>>
>>> iptables -i ipsif0 -A FORWARD -j NFQUEUE --queue-num 0
>>>
>>
>> I'd say:
>>
>> iptables -A FORWARD -i ipsif0 -j NFQUEUE --queue-num 0
>> iptables -A FORWARD -o ipsif0 -j NFQUEUE --queue-num 0
>>
>> Cheers,
>> Victor
>
>
> Oops .. Many thanks, Victor.
>
>

Uhmm .. It doesn't work. I have tried:

a) iptables -i ipsif0 -A FORWARD -j NFQUEUE --queue-num 0
b) iptables -A FORWARD -i ipsif0 -j NFQUEUE --queue-num 0
    iptables -A FORWARD -o ipsif0 -j NFQUEUE --queue-num 0
c) iptables -A FORWARD -j NFQUEUE --queue-num 0

With these rules, suricata doesn't see traffic. If I change "-q 0" to 
"-i ipsif0", suricata sees traffic.

What am I doing wrong? Suricata is 1.1beta1.

Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
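As an added example that is not part of the thread: a small POSIX shell script that emits the pair of FORWARD rules Victor gives (one for -i, one for -o) for every bridge named on the command line, so that several bridges on one host all end up on the queue Suricata reads with "-q 0". It also checks the net.bridge.bridge-nf-call-iptables sysctl, since bridged frames only traverse the iptables FORWARD chain when it is set to 1. The interface names, the QUEUE_NUM and DRY_RUN variables are assumptions of this example, not settings from the original message.

```shell
#!/bin/sh
# Example script (not from the mailing-list thread): cover every bridge
# with NFQUEUE rules in both directions so Suricata started with "-q 0"
# sees all bridged traffic.  QUEUE_NUM and DRY_RUN are example knobs;
# DRY_RUN=1 (the default) prints the rules instead of applying them.
QUEUE_NUM="${QUEUE_NUM:-0}"
DRY_RUN="${DRY_RUN:-1}"

# Bridged IP frames are handed to the iptables FORWARD chain only while
# this sysctl reads 1; if it reads 0, FORWARD rules never match bridged
# traffic.  Returns 0 when the sysctl exists and is enabled.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the two FORWARD rules (ingress and egress) for one bridge.
nfqueue_rules_for() {
    br="$1"
    printf 'iptables -A FORWARD -i %s -j NFQUEUE --queue-num %s\n' "$br" "$QUEUE_NUM"
    printf 'iptables -A FORWARD -o %s -j NFQUEUE --queue-num %s\n' "$br" "$QUEUE_NUM"
}

# Print the rules for every bridge given as an argument.
nfqueue_rules() {
    for br in "$@"; do
        nfqueue_rules_for "$br"
    done
}

# Either print the rules (dry run) or enable the sysctl and apply them.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        nfqueue_rules "$@"
    else
        bridge_nf_enabled || sysctl -w net.bridge.bridge-nf-call-iptables=1
        nfqueue_rules "$@" | sh
    fi
}

# Usage: DRY_RUN=1 sh this-script.sh ipsif0 ipsif1
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```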


