[Oisf-users] Unable to run Suricata in the IPS mode

Alex Pavlov manhunt234 at hotmail.com
Sun Jul 6 16:55:59 UTC 2014


I fixed the problem. I followed this guide instead to
install Suricata:


http://suricata-ids.org/category/distribution/


The commands that I entered:


sudo apt-get update && sudo apt-get upgrade

sudo add-apt-repository ppa:oisf/suricata-stable

sudo apt-get update

sudo apt-get install suricata

sudo mkdir /var/log/suricata


I then configured the suricata.yaml file with the correct
network settings.


The NFQ support was enabled and I was able to run Suricata
in the NFQ mode. 


I’m not sure why the NFQ support was disabled previously. Like
I said, I’m very new to Linux.


I haven’t created iptables rules yet, nor have I tried to block any
attacks by using my rules. I will do that a bit later.


Regards,

Alex 
From: manhunt234 at hotmail.com
To: oisf-users at lists.openinfosecfoundation.org
Date: Sat, 5 Jul 2014 20:39:28 +0000
Subject: [Oisf-users] Unable to run Suricata in the IPS mode




Dear Open Information Security Foundation team,


I followed this guide to set up Suricata:


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation


I made sure I had the “--enable-nfqueue” option included during
the “configure” procedure. I checked if I had NFQ enabled in Suricata after the installation
by entering the following command:


suricata --build-info


This is what I got:


NFQueue support:  no


I tried running Suricata in the NFQ mode by entering the
following:


sudo suricata -c /etc/suricata/suricata.yaml -q 0


I got the following error message:


30/6/2014 -- 19:08:17 - <Error> - [ERRCODE:
SC_ERR_NFQ_NOSUPPORT(67)] - NFQUEUE not enabled. Make sure to pass
--enable-nfqueue to configure when building.


The reason I want Suricata to work in the IPS mode is
because I would like the following rule to run in the drop mode:


drop tcp !$MODBUS_CLIENT any -> $MODBUS_SERVER 502
(flow:from_client,established; content:"|00 00|"; offset:2; depth:2;
pcre:"/[\S\s]{3}(\x01|\x02|\x03|\x04|\x07|\x0B|\x0C|\x11|\x14|\x17|\x18|\x2B)/iAR";
msg:"SCADA_IDS: Modbus TCP - Unauthorized Read Request to a PLC";
reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:bad-unknown; sid:1111006; rev:1; priority:2;)
As far as I understand, I can’t just change the rule mode from “alert” to “drop”. I have to set up iptables rules, which require NFQ to be enabled in the first place.


I also tried configuring the following in the suricata.yaml file:


# a line based information for dropped packets in IPS mode
  - drop:
      enabled: yes


I’m not sure if it is mandatory to enable drop in the
suricata.yaml file.


The Suricata version is 2.0.2 running on Ubuntu 12.04.


There must be something simple that I’m missing, maybe some
option that I haven’t enabled, but because I’m very new to Linux I just can’t
figure out the problem. I tried reinstalling Suricata several times and made
sure I followed the guide precisely.


Looking forward to your reply.


Regards,

Alex
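The two steps the thread turns on, checking that the binary was built with NFQ support (the `--build-info` output quoted above) and then writing the iptables rules that hand packets to the queue Suricata reads with `-q 0` (the rules the reply says are still to be created), as an added POSIX sh example that is not part of either message. The function names, the `gateway`/`host` mode argument and the sample build-info text are this example's own assumptions; the queue number given to iptables must match the one given to `-q`.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks `suricata --build-info` for
# NFQueue support and prints the iptables rules that send packets to the
# NFQUEUE number Suricata is started with (-q N). Function names and the
# gateway/host mode argument are this example's own.

# Return 0 when the given build-info text reports NFQueue support, else 1.
nfq_supported_in() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*NFQueue support:[[:space:]]*yes'
}

# Print the iptables commands for queue number $1 and deployment mode $2:
#   gateway  Suricata is inline on a router/bridge: hook the FORWARD chain
#   host     Suricata protects the local machine: hook INPUT and OUTPUT
# --queue-bypass makes the rules fail-open (traffic passes when Suricata is
# not running); drop it if you want fail-closed behaviour instead.
ips_iptables_rules() {
    queue="$1"
    mode="$2"
    case "$mode" in
        gateway) chains="FORWARD" ;;
        host)    chains="INPUT OUTPUT" ;;
        *) echo "unknown mode: $mode (use gateway or host)" >&2; return 1 ;;
    esac
    for chain in $chains; do
        echo "iptables -I $chain -j NFQUEUE --queue-num $queue --queue-bypass"
    done
}

# Usage: sh ips_nfq.sh [queue-number] [gateway|host]
# Prints the rules only after confirming the binary was built with NFQ support.
main() {
    info=$(suricata --build-info 2>/dev/null) || {
        echo "suricata not found in PATH" >&2
        return 1
    }
    if ! nfq_supported_in "$info"; then
        echo "NFQUEUE not enabled: rebuild with --enable-nfqueue or use the PPA package" >&2
        return 1
    fi
    ips_iptables_rules "${1:-0}" "${2:-host}"
}

# Run main only when arguments are given, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The `$MODBUS_CLIENT` and `$MODBUS_SERVER` variables used in the drop rule also have to be defined under `vars: address-groups:` in suricata.yaml, otherwise Suricata refuses to load the rule regardless of the NFQ setup.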

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/