[Oisf-users] Questions on suricata configuration

Andreas Herz andi at geekosphere.org
Tue Jan 20 14:30:04 UTC 2015


On 20/01/15 at 16:22, unite wrote:
> b) If my iptables rules are like this and the rule is set to "alert":
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     1     84 NFQUEUE    all  --  *      *       172.25.25.0/24       0.0.0.0/0            NFQUEUE num 0
>     1     84 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> The alert is generated (in fast.log, drop.log is empty) and the packet is being
> dropped. I'm pretty sure that it is the same packet - counters for
> packets/bytes increment simultaneously and on same values, and also my
> testing host is the only one in the testing network - no one can generate it
> except me.

That's strange, how do you start suricata in inline mode exactly?
(arguments)
I will check on my setup if I can reproduce it.

> My config at the moment is not far away from default - so here is the diff
> between them:
> sudo diff suricata-2.0.5/suricata.yaml /etc/suricata/suricata.yaml

I would encourage you to update to 2.0.6, there is a relevant bugfix.

I guess (too lazy to check) the enabled lines are the ones for logging?!

I'm not sure how the profile option changes the behaviour but the rest
looks fine.

> Thanks. If so (I mean the bug) will it be OK to just restart suricata by
> killing its PID by kill $pid-of-suricata and then start it again? Or it
> might cause some bad consequences?

This is fine and is one thing I do, but with that you should consider
checking if the -S TERM worked. I have some issue with that and I'm
sending -9 after some seconds if suricata got stuck, to prevent
massive drop:

https://redmine.openinfosecfoundation.org/issues/1360

But not sure if I'm the only one with that issue.

-- 
Andreas Herz
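The TERM-then-KILL restart described in the reply above, as an added example (not code from the post or from the Suricata project): a POSIX sh function that sends SIGTERM, waits for a grace period, and only escalates to SIGKILL if the process is still running. It reads the process state from /proc (Linux) so a terminated-but-not-yet-reaped zombie is not mistaken for a stuck Suricata; the PID and timeout are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example: graceful stop with escalation, as the list reply describes
# doing for Suricata in inline (NFQUEUE) mode to avoid a long packet drop.
# Usage: stop_with_escalation <pid> [grace-seconds]

is_running() {
    # A zombie still answers "kill -0", so on Linux read the state from /proc
    # and treat state Z (already exited, awaiting reap) as not running.
    if [ -d /proc ]; then
        [ -r "/proc/$1/status" ] || return 1
        ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status"
    else
        kill -0 "$1" 2>/dev/null
    fi
}

stop_with_escalation() {
    pid="$1"
    grace="${2:-10}"

    is_running "$pid" || { echo "already gone"; return 0; }

    # Ask nicely first so the daemon can flush logs and release its queue.
    kill -s TERM "$pid" 2>/dev/null || return 1

    elapsed=0
    while is_running "$pid"; do
        if [ "$elapsed" -ge "$grace" ]; then
            # Grace period exhausted: force termination (the "-9" in the reply).
            kill -s KILL "$pid" 2>/dev/null
            sleep 1
            is_running "$pid" && return 1
            echo "killed"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo "terminated"
    return 0
}
```

Check the exit status as well as the printed word: a non-zero return means the process survived even SIGKILL and needs a look at its state by hand.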
