[Oisf-users] Questions on suricata configuration
Andreas Herz
andi at geekosphere.org
Tue Jan 20 14:30:04 UTC 2015
On 20/01/15 at 16:22, unite wrote:
> b) If my iptables rules are like this and the rule is set to "alert":
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target   prot opt in  out  source          destination
>     1    84 NFQUEUE  all  --  *   *    172.25.25.0/24  0.0.0.0/0      NFQUEUE num 0
>     1    84 DROP     icmp --  *   *    0.0.0.0/0       0.0.0.0/0
> The alert is generated (in fast.log, drop.log is empty) and the packet is being
> dropped. I'm pretty sure that it is the same packet - counters for
> packets/bytes increment simultaneously and on the same values, and also my
> testing host is the only one in the testing network - no one can generate it
> except me.
That's strange, how do you start suricata in inline mode exactly?
(arguments)
I will check on my setup if I can reproduce it.
> My config at the moment is not far away from default - so here is the diff
> between them:
> sudo diff suricata-2.0.5/suricata.yaml /etc/suricata/suricata.yaml
I would encourage you to update to 2.0.6, there is a relevant bugfix.
I guess (too lazy to check) the enabled lines are the ones for logging?!
I'm not sure how the profile option changes the behaviour but the rest
looks fine.
> Thanks. If so (I mean the bug) will it be OK to just restart suricata by
> killing its PID by kill $pid-of-suricata and then start it again? Or it
> might cause some bad consequences?
This is fine and is one thing I do, but with that you should consider
checking if the -S TERM worked. I have some issue with that and I'm
sending -9 after some seconds if suricata got stuck, to prevent
massive drop:
https://redmine.openinfosecfoundation.org/issues/1360
But not sure if I'm the only one with that issue.
--
Andreas Herz
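The TERM-then-KILL restart described in the reply above, as an added shell example (not from the thread and not Suricata project code); the function names and the PID file path are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): stop Suricata the way the reply describes,
# SIGTERM first, then SIGKILL only if it is still alive after a grace period.
# All names here are hypothetical; the PID file path is an assumption.

# is_alive PID: true if PID exists and is not a zombie (a child that exited but
# has not been waited for still answers kill -0, so check /proc state on Linux).
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# stop_gracefully PID GRACE_SECONDS
# Returns 0 if the process left on SIGTERM, 2 if SIGKILL was needed,
# 1 if nothing with that PID was running.
stop_gracefully() {
    pid=$1
    grace=${2:-10}
    is_alive "$pid" || return 1

    # Polite shutdown first: Suricata closes its log files cleanly on TERM.
    kill -s TERM "$pid" 2>/dev/null || true

    i=0
    while [ "$i" -lt "$grace" ]; do
        is_alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done

    # Still there after the grace period: treat it as stuck and force it down,
    # so the NFQUEUE is not left bound to a wedged process for long.
    kill -s KILL "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reaps it if it is our child; harmless otherwise
    return 2
}

# stop_suricata [PIDFILE] [GRACE]: reads the PID Suricata wrote via --pidfile.
stop_suricata() {
    pidfile=${1:-/var/run/suricata.pid}   # assumed path
    [ -r "$pidfile" ] || return 1
    stop_gracefully "$(cat "$pidfile")" "${2:-10}"
}
```

Check the return code of stop_gracefully before starting Suricata again: a 2 means the TERM did not work and is worth a look at the logs.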