[Oisf-users] I did the installation of suricata as an IPS

Leonard Jacobs ljacobs at netsecuris.com
Thu Jun 13 11:17:47 UTC 2013


I had the same problem.  I was told that Suricata was only getting half the traffic and that I should also use a rule like the one below.
 
sudo iptables -I FORWARD -o eth0 -i eth1 -j NFQUEUE
 
I think the order of the interfaces and packet direction is important to watch for.
 
Another way was:
 
sudo iptables -I FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -j NFQUEUE
sudo iptables -I FORWARD -m physdev --physdev-out eth0 --physdev-in eth1 -j NFQUEUE
 
I was told that af-packet IPS is more efficient and we use it for IPS mode.
 
https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/
 
I hope all of this helps.  It did for us.
 
 
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of mouna amani
Sent: Thursday, June 13, 2013 3:30 AM
To: oisf-users at openinfosecfoundation.org
Subject: [Oisf-users] I did the installation of suricata as an IPS
 
I used NFQ to use Suricata as an IPS.
I have three machines:
-a host1 
-a host2 
-an IPS between them
 
I followed the steps as on the official website.
I used iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE and I checked with iptables -vnL
 
Then I ran suricata -c /etc/suricata/suricata.conf -q 0
Everything went well. I only got a warning "no rules to be loaded from emerging-icmp.rules": I downloaded the file from the website and it is in the right place.
I guess it is only a warning; it will not affect the IPS working well?
Then I tried to ping host1 from host2 and I got the error destination unreachable.
I think the IPS is blocking all the traffic including the good ones.
I configured NFQ to work in accept/drop mode. I think it means that if the packets are for an attack they will be dropped??
I really need help because this is for my final project.
What did I do wrong and what should I check?
 
-- 
Amani smiai
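Both posters check their setup with iptables -vnL. The following is an added example (my own code, not from either list poster or the Suricata project) that parses the FORWARD chain of that output and reports the things worth checking in a two-interface NFQUEUE setup: whether each direction of the interface pair hits an NFQUEUE rule, whether the counters are actually incrementing, whether the queue number matches the -q argument given to Suricata, and whether the rule carries queue-bypass (without it, every queued packet is dropped while no process is bound to the queue, which is exactly what a failing ping looks like when Suricata is not running or is bound to a different queue). The iptables output, the interface names and the function names are constructed for the example.

```python
"""Sanity-check iptables FORWARD rules for a two-interface NFQUEUE IPS."""
import re

# Constructed sample of `iptables -vnL FORWARD` output (not from the thread).
# The second rule contains a deliberate interface typo (eth0 -> eth0), so the
# return direction eth0 -> eth1 is never queued.
SAMPLE_OUTPUT = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 10080 NFQUEUE    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""


def _count(token):
    """iptables -v abbreviates large counters as 10K, 3M, ...; expand them."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if token[-1] in mult:
        return int(float(token[:-1]) * mult[token[-1]])
    return int(token)


def parse_forward_rules(text):
    """Parse `iptables -vnL` lines into dicts; skips the chain and column headers."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)
        # Chain header has too few columns; column header starts with "pkts".
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        rules.append({
            "pkts": _count(parts[0]),
            "bytes": _count(parts[1]),
            "target": parts[2],
            "in": parts[5],
            "out": parts[6],
            "extra": parts[9] if len(parts) > 9 else "",  # e.g. "NFQUEUE num 0 bypass"
        })
    return rules


def check_nfqueue_pair(rules, lan_if, wan_if, queue=0):
    """Report whether both directions between lan_if and wan_if are queued to `queue`."""
    wanted = {(lan_if, wan_if), (wan_if, lan_if)}
    found, stray = {}, []
    for r in rules:
        if r["target"] != "NFQUEUE":
            continue
        key = (r["in"], r["out"])
        if key in wanted:
            found[key] = r
        else:
            stray.append(key)

    problems, notes = [], []
    for key in sorted(wanted):
        r = found.get(key)
        if r is None:
            problems.append("no NFQUEUE rule for %s -> %s" % key)
            continue
        m = re.search(r"num (\d+)", r["extra"])
        if m and int(m.group(1)) != queue:
            problems.append("%s -> %s uses queue %s, Suricata expects -q %d"
                            % (key[0], key[1], m.group(1), queue))
        if r["pkts"] == 0:
            problems.append("NFQUEUE rule %s -> %s has not matched any packets" % key)
        elif "bypass" not in r["extra"]:
            notes.append("%s -> %s has no queue-bypass: packets are dropped while "
                         "no process is bound to the queue" % key)
    for key in stray:
        notes.append("unexpected NFQUEUE rule %s -> %s (check the interface names)" % key)
    return {"queued": sorted(found), "problems": problems, "notes": notes}


if __name__ == "__main__":
    # In practice feed the real output, e.g. subprocess.check_output(
    # ["iptables", "-vnL", "FORWARD"]).decode(); the constructed sample is used here.
    report = check_nfqueue_pair(parse_forward_rules(SAMPLE_OUTPUT), "eth0", "eth1")
    for line in report["problems"]:
        print("PROBLEM:", line)
    for line in report["notes"]:
        print("NOTE:", line)
```

On the sample above the check flags that eth0 -> eth1 is never queued and points at the stray eth0 -> eth0 rule, which is the "half the traffic" symptom described in the reply; if a host was rebuilt with the physdev variant instead, the in/out columns are `*` and the match is shown in the trailing column, so the pair lookup would need to read that column instead.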