[Oisf-users] Suricata don't operate in Inline mode(-q option) on Fedora 14 box

김윤기 ykkim at trinitysoft.co.kr
Thu Apr 14 09:01:44 UTC 2011 

Hi, I need Your Help!!

I have x64 fedora 14 for suricata IPS

I prepared following:
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel

and manually install HTP: ~~

and install netfilter library for IPS
sudo yum -y install libnfnetlink libnfnetlink-devel \
libnetfilter_queue libnetfilter_queue-devel


and download and build Suricata, enter the following:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf; ./autogen.sh; ./configure --enable-nfqueue; make; sudo make install

and make environment following:

mkdir /etc/suricata/
cp ./{*.config,*.yaml} /etc/suricata/
sudo mkdir /var/log/suricata
and download rules using oinkmaster
and edit suricata.yaml about rules, HOME_NET etc.

suricata --build-info
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:551) <Info> (main) -- This is
Suricata version 1.1beta2 (rev d9e5413)
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:436) <Info> (SCPrintBuildInfo) --
Features: *NFQ* IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 LIBCAP_NG
LIBNET1.1
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:450) <Info> (SCPrintBuildInfo) --
64-bits, Little-endian architecture
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:452) <Info> (SCPrintBuildInfo) --
GCC version 4.5.1 20100924 (Red Hat 4.5.1-4), C version 199901
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:458) <Info> (SCPrintBuildInfo) --
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:461) <Info> (SCPrintBuildInfo) --
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:464) <Info> (SCPrintBuildInfo) --
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:467) <Info> (SCPrintBuildInfo) --
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:470) <Info> (SCPrintBuildInfo) --
__GCC_HAVE_SYNC_COMPARE_AND_SWAP_16

ok now!!

run following:
suricata -c /etc/suricata/suricata.yaml -i eth0 -q 0

But I have Following Error
----------------------------------------------------------------------------------------------------------------------------
[4997] 14/4/2011 -- 17:48:58 - (suricata.c:551) <Info> (main) -- This is
Suricata version 1.1beta2 (rev d9e5413)
[4997] 14/4/2011 -- 17:48:58 - (suricata.c:816) <Error> (main) -- [ERRCODE:
SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Suricata 1.1beta2 (rev d9e5413)
USAGE: suricata

        -c <path>                    : path to configuration file
        -i <dev or ip>               : run in pcap live mode
        -r <path>                    : run in pcap file/offline mode
        -q <qid>                     : run in inline nfqueue mode
        -d <divert port>             : run in inline ipfw divert mode
        -s <path>                    : path to signature file (optional)
        -l <dir>                     : default log directory
        -D                           : run as daemon
        --list-runmodes              : list supported runmodes
        --runmode <runmode_id>       : specific runmode modification the
engine should run.  The argument
                                       supplied should be the id for the
runmode obtained by running
                                       --list-runmodes
        --engine-analysis            : print reports on analysis of
different sections in the engine and exit.
                                       Please have a look at the conf
parameter engine-analysis on what reports
                                       can be printed
        --pidfile <file>             : write pid to this file (only for
daemon mode)
        --init-errors-fatal          : enable fatal failure on signature
init error
        --dump-config                : show the running configuration
        --pcap-buffer-size           : size of the pcap buffer value from 0
- 2147483647
        --user <user>                : run suricata as this user after init
        --group <group>              : run suricata as this group after init
        --erf-in <path>              : process an ERF file


To run the engine with default configuration on interface eth0 with
signature file "signatures.rules", run the command as:

suricata -c suricata.yaml -s signatures.rules -i eth0
----------------------------------------------------------------------------------------------------------------------------

But without -q option It's OK(disable inline)
suricata -c /etc/suricata/suricata.yaml -i eth0

What's wrong?
Let me know please!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110414/1102873d/attachment-0002.html>

More information about the Oisf-users mailing list