[Oisf-users] Inline Securita

Phil Daws uxbod at splatnix.net
Mon Feb 10 18:09:57 UTC 2014

I see packets being passed to NFQUEUE:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6218 1632K NFQUEUE    all  --  eth0   eth1             NFQUEUE num 0

but is there any way to see what Suricata is doing with them? I have it running in the foreground, but all it says is:

suricata -vvvvv -c /usr/local/etc/suricata/suricata.yaml -q 0
10/2/2014 -- 17:39:42 - <Notice> - all 5 packet processing threads, 3 management threads initialized, engine started.


----- Original Message -----
From: "Phil Daws" <uxbod at splatnix.net>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Monday, 10 February, 2014 5:33:16 PM
Subject: [Oisf-users] Inline Securita

Hello all,

I am taking my first tiny steps in setting up Suricata on a home-brewed firewall. I have built Suricata and downloaded the ET sigs using PulledPork; I think!

Within my iptables configuration I have defined multiple chains for performing different actions, plus multiple interfaces defining networks, i.e.:

eth0 -> public
eth1 -> dmz
eth2 -> internal

According to the documentation, IIRC, one would add the following:

iptables -I FORWARD -j NFQUEUE

As I have multiple networks and wish to protect the public-facing one, I presume I would use something like:

iptables -I FORWARD 1 -i eth0 -j NFQUEUE

so that any new inbound traffic would initially be sent to the NFQUEUE and, if clean, would be returned to the FORWARD queue for further processing. Does that make sense, please?

Thank you.

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
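An added example, not from this thread or the Suricata project: a small Python script (hypothetical, say nfq_status.py) that answers the "what is happening to the queued packets" question from the kernel side by parsing /proc/net/netfilter/nfnetlink_queue, whose columns are queue number, netlink port id of the listener, packets awaiting a verdict, copy mode and range, kernel drops, user-space drops and the packet id sequence; the SAMPLE line is constructed. Suricata's own alerts and drop verdicts appear in its log files; this only checks that queue 0 has a listener bound and is not overflowing.

```python
from dataclasses import dataclass

PROC_PATH = "/proc/net/netfilter/nfnetlink_queue"
COPY_MODES = {0: "none", 1: "meta", 2: "packet"}


@dataclass
class QueueStatus:
    """One proc-file line, in the kernel's seq_show() column order."""
    queue_num: int
    peer_portid: int    # netlink port id of the bound process; 0 means nothing listens
    queue_total: int    # packets waiting in the kernel for a verdict right now
    copy_mode: str      # "packet" is what an IPS needs (payload copied to user space)
    copy_range: int
    queue_dropped: int  # dropped because the kernel-side queue was full
    user_dropped: int   # dropped because delivery to user space failed
    id_sequence: int    # packets queued so far on this queue

    @property
    def has_listener(self) -> bool:
        return self.peer_portid != 0


def parse_nfnetlink_queue(text: str) -> list[QueueStatus]:
    statuses = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or malformed line
        n = [int(f) for f in fields[:8]]
        statuses.append(QueueStatus(n[0], n[1], n[2], COPY_MODES.get(n[3], str(n[3])),
                                    n[4], n[5], n[6], n[7]))
    return statuses


def summarize(status: QueueStatus) -> str:
    if not status.has_listener:
        return f"queue {status.queue_num}: no listener bound; packets dropped unless --queue-bypass"
    state = "DROPPING" if status.queue_dropped or status.user_dropped else "ok"
    return (f"queue {status.queue_num}: {state}, portid {status.peer_portid}, "
            f"{status.queue_total} awaiting verdict, {status.id_sequence} queued so far, "
            f"kernel drops {status.queue_dropped}, user drops {status.user_dropped}")


# Constructed sample standing in for the real file: queue 0 with one listener bound.
SAMPLE = "    0  12345    10 2 65535     0     0     6218  1\n"
if __name__ == "__main__":  # on a live box, read the real file
    with open(PROC_PATH) as fh:
        print("\n".join(summarize(q) for q in parse_nfnetlink_queue(fh.read())))
```

A port id of 0 means no process has bound the queue, which is the first thing to check when the NFQUEUE counters climb but nothing seems to happen.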
