[Oisf-users] Unable to run Suricata in the IPS mode

Alex Pavlov manhunt234 at hotmail.com
Sat Jul 5 20:39:28 UTC 2014


Dear Open Information Security Foundation team,


I followed this guide to set up Suricata:


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation


I made sure I had the "--enable-nfqueue" option included during
the "configure" procedure. I checked if I had NFQ enabled in Suricata after the installation
by entering the following command:


suricata --build-info


This is what I got:


NFQueue support:  no


I tried running Suricata in the NFQ mode by entering the
following:


sudo suricata -c /etc/suricata/suricata.yaml -q 0


I got the following error message:


30/6/2014 -- 19:08:17 - <Error> - [ERRCODE:
SC_ERR_NFQ_NOSUPPORT(67)] - NFQUEUE not enabled. Make sure to pass
--enable-nfqueue to configure when building.


The reason I want Suricata to work in the IPS mode is
because I would like the following rule to run in the drop mode:


drop tcp !$MODBUS_CLIENT any -> $MODBUS_SERVER 502
(flow:from_client,established; content:"|00 00|"; offset:2; depth:2;
pcre:"/[\S\s]{3}(\x01|\x02|\x03|\x04|\x07|\x0B|\x0C|\x11|\x14|\x17|\x18|\x2B)/iAR";
msg:"SCADA_IDS: Modbus TCP - Unauthorized Read Request to a PLC";
reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:bad-unknown; sid:1111006; rev:1; priority:2;)


As far as I understand I can't just change the rule mode from "alert" to "drop". I have to set up iptables, which requires NFQ to be enabled in the first place.


I also tried configuring the following in the suricata.yaml file:


# a line based information for dropped packets in IPS mode
  - drop:
      enabled: yes


I’m not sure if it is mandatory to enable drop in the
suricata.yaml file. 




The Suricata version is 2.0.2 running on Ubuntu 12.04.


There must be something simple that I’m missing, maybe some
option that I haven’t enabled, but because I’m very new to Linux I just can’t
figure out the problem. I tried reinstalling Suricata several times and made
sure I followed the guide precisely. 


Looking forward to your reply.


Regards,

Alex
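An added example (not code from the post above or from the Suricata project) for the two steps the message describes: checking that the suricata binary PATH resolves to was actually built with NFQUEUE before trying "-q 0", and producing the netfilter rules that hand Modbus/TCP traffic to queue 0 so a "drop" rule can take effect. The port (502), the queue number (0) and the "NFQueue support:" line format come from the post; the mention of /usr/local/bin is an assumption about where a source build installs.

```shell
#!/bin/sh
# Added example, not part of the original message.

# Return 0 when the given "suricata --build-info" text reports NFQueue
# support, 1 otherwise. The post shows the line as "NFQueue support:  no".
nfq_supported() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*NFQueue support:[[:space:]]*yes'
}

# Print (do not run) the iptables commands that send TCP traffic for port $1
# to NFQUEUE number $2 in chain $3 (FORWARD for a host routing between the
# Modbus clients and the PLC; INPUT/OUTPUT when Suricata runs on the endpoint).
# Both directions are queued on purpose: the rule above uses
# "flow:from_client,established", which needs Suricata to see the whole flow.
nfqueue_rules_for_port() {
    port="$1"; queue="$2"; chain="${3:-FORWARD}"
    printf 'iptables -I %s -p tcp --dport %s -j NFQUEUE --queue-num %s\n' "$chain" "$port" "$queue"
    printf 'iptables -I %s -p tcp --sport %s -j NFQUEUE --queue-num %s\n' "$chain" "$port" "$queue"
}

# Stand-alone use: report which binary is in PATH and whether it has NFQ.
if command -v suricata >/dev/null 2>&1; then
    bin="$(command -v suricata)"
    info="$(suricata --build-info 2>/dev/null || true)"
    if nfq_supported "$info"; then
        echo "OK: $bin has NFQueue support; iptables rules for Modbus/TCP on queue 0:"
        nfqueue_rules_for_port 502 0 FORWARD
    else
        echo "NO NFQ: $bin was not built with --enable-nfqueue."
        # Assumption: a source build installs to /usr/local/bin, which may be a
        # different binary from a distribution package found earlier in PATH.
        echo "Check whether /usr/local/bin/suricata is a different binary than $bin."
    fi
fi
```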