[Oisf-users] Inline Securita

[Phil Daws]

I see packets being passed to NFQUEUE:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6218 1632K NFQUEUE    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0

but is there any way to see what Suricata is doing with them ? I have it running in foreground but all it says is:

suricata -vvvvv -c /usr/local/etc/suricata/suricata.yaml -q 0
...
...
10/2/2014 -- 17:39:42 - <Notice> - all 5 packet processing threads, 3 management threads initialized, engine started.

Thanks.


----- Original Message -----
From: "Phil Daws" <uxbod at splatnix.net>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Monday, 10 February, 2014 5:33:16 PM
Subject: [Oisf-users] Inline Securita

Hello all,

am taking my first tiny steps in setting up Securita on a home brewed firewall.  I have built Securita and downloaded the ET sigs using PulledPork; I think!

within my iptables configuration I have defined multiple chains for performing different actions, plus have multiple interfaces defining networks ie.

eth0 -> public
eth1 -> dmz
eth2 -> internal

according to the documentation, IIRC, one would add the following:

iptables -I FORWARD -j NFQUEUE

as I have multiple networks are wish to protect the public facing I presume I would use something like:

iptables -I FORWARD 1 -i eth0 -j NFQUEUE

so that any new inbound traffic would initially be sent to the NFQUEUE and if clean would be returned back to the FORWARD queue for further processing.  Does that make sense please ?

Thank you.

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/