[Oisf-users] I did the installation of suricata as an IPS
Victor Julien
lists at inliniac.net
Thu Jun 13 09:53:16 UTC 2013
On 06/13/2013 10:30 AM, mouna amani wrote:
> I used NFQ to use Suricata as an IPS
> I have three machines:
> -a host1
> -a host2
> -an IPS between them
>
> I followed the steps like in the official website
> I used iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
> iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE and I check with iptables
> -vnL
>
> Then I run suricata -c /etct/suricata/suricata.conf -q 0
> Everything went well. I only got a warning "no rules to be loaded from
> emerging-icmp.rules": I downloaded the file from the web site and it is in
> the right place.
> I guess it is only a warning, it will not affect the IPS working well?
> Then I tried to ping host1 from host2 and I got the error
> destination unreachable.
> I think the IPS is blocking all the traffic including the good ones.
> I configured NFQ to work in accept/drop mode. I think it means that if
> the packets are for an attack they will be dropped??
> I really need help because this is for my final project.
> What did I do wrong and what should I check?
The first thing to do is make sure Suricata actually sees the packets. 2
things to check:

- iptables -vnL will show you packet counters on each rule. The nfqueue
  rules should be non-zero.
- Suricata's stats.log will show you packet counts as well.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------