[Oisf-users] Questions on suricata configuration

unite unite at openmailbox.org
Tue Jan 20 16:08:17 UTC 2015


Andreas,

I have checked it one more time. Both in daemon/non-daemon mode the 
packet gets passed to the second iptables rule. To be honest, the 
behaviour I observe satisfies me :) I'm just a bit worried that it could 
be a symptom of something going wrong...


On 2015-01-20 17:21, Andreas Herz wrote:
> On 20/01/15 at 17:05, unite wrote:
>> On 2015-01-20 16:30, Andreas Herz wrote:
>> >On 20/01/15 at 16:22, unite wrote:
>> >>b) If my iptables rules are like this and the rule is set to "alert":
>> >>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> >> pkts bytes target     prot opt in     out     source               destination
>> >>    1     84 NFQUEUE    all  --  *      *       172.25.25.0/24       0.0.0.0/0            NFQUEUE num 0
>> >>    1     84 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>> >>The alert is generated (in fast.log, drop.log is empty) and packet is
>> >>being dropped. I'm pretty sure that it is the same packet - counters for
>> >>packets/bytes increment simultaneously and on same values, and also my
>> >>testing host is the only one in the testing network - no one can
>> >>generate it except me.
>> >
>> >That's strange, how do you start suricata in inline mode exactly?
>> >(arguments)
>> >I will check on my setup if I can reproduce it.
>> >
>> 
>> I start it in the way:
>> 
>> sudo suricata -c /etc/suricata/suricata.yaml -q 0 -D
> 
> Hmm can you try it without -D to see if it's the daemon mode?
> There was some difference, not sure if it was this one :)
> 
> I checked it with my setup (without -D) and couldn't get anything.
> I did:
> 
> iptables -A IDS -j LOG --log-prefix="IDSTEST: "
> 
> But no packet got there, all got into the NFQUEUE (which is before) and
> never came back.
> 
>> >>My config at the moment is not far away from default - so here is the
>> >>diff
>> >>between them:
>> >>sudo diff suricata-2.0.5/suricata.yaml /etc/suricata/suricata.yaml
>> >
>> >I would encourage you to update to 2.0.6, there is a relevant bugfix.
>> >
>> >I guess (too lazy to check) the enabled lines are the ones for logging?!
>> 
>> Yes, enabled yes/no lines are used for logging.
>> 
> 
> Then nothing should be wrong with this.
> 
>> >
>> >I'm not sure how the profile option changes the behaviour but the rest
>> >looks fine.
>> 
>> As I've read in the guide, it should increase performance at the cost of
>> increased memory usage.
> 
> Just something you need to play around with.

-- 
With kind regards,
Alex
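A practitioner who wants to tell "the same packet reached the DROP rule" apart from "a second packet hit the DROP rule" can diff the per-rule counters of `iptables -L FORWARD -v -n` around a single probe. The Python below is an added illustration, not code from the thread or from Suricata: it parses two constructed snapshots shaped like the table quoted above and reports which rules below the NFQUEUE rule grew by exactly the same packet and byte delta as the NFQUEUE rule. One caveat the check is meant to surface: the NFQUEUE rule in that ruleset only matches source 172.25.25.0/24, so an ICMP echo reply travelling the other way through FORWARD would skip it and land on the `DROP icmp` rule directly, giving the same 1/84 increment on both rules from one ping; the `source`/`destination` columns are what distinguish the two readings. Use `iptables -L FORWARD -v -n -x` for exact byte counts (the K/M/G handling here covers the rounded default output).

```python
import re
from dataclasses import dataclass

# Constructed sample snapshots (not captured from the thread author's host):
# `iptables -L FORWARD -v -n` before and after sending one ICMP echo request
# from the 172.25.25.0/24 test host.
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0      0 NFQUEUE    all  --  *      *       172.25.25.0/24       0.0.0.0/0            NFQUEUE num 0
    0      0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""

AFTER = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1     84 NFQUEUE    all  --  *      *       172.25.25.0/24       0.0.0.0/0            NFQUEUE num 0
    1     84 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# iptables -v rounds large counters to K/M/G (base 1000); -x prints exact values.
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _num(tok: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter token: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass(frozen=True)
class Rule:
    index: int        # 1-based position in the chain, as `iptables --line-numbers` would show
    pkts: int
    bytes: int
    target: str
    proto: str
    source: str
    destination: str
    extra: str        # trailing match/target options, e.g. "NFQUEUE num 0"


def parse_chain(text: str) -> list[Rule]:
    """Parse one chain listing; header lines are skipped because their first token is not a counter."""
    rules = []
    for line in text.splitlines():
        tok = line.split(maxsplit=9)
        if len(tok) < 9 or not re.fullmatch(r"\d+[KMG]?", tok[0]):
            continue
        rules.append(Rule(len(rules) + 1, _num(tok[0]), _num(tok[1]), tok[2], tok[3],
                          tok[7], tok[8], tok[9] if len(tok) > 9 else ""))
    return rules


def counter_deltas(before: str, after: str) -> list[tuple[Rule, int, int]]:
    """Per-rule (rule, packet delta, byte delta) between two snapshots of the same chain."""
    b, a = parse_chain(before), parse_chain(after)
    shape = lambda r: (r.target, r.proto, r.source, r.destination, r.extra)
    if [shape(r) for r in b] != [shape(r) for r in a]:
        raise ValueError("rule list changed between snapshots; deltas would be meaningless")
    return [(ar, ar.pkts - br.pkts, ar.bytes - br.bytes) for br, ar in zip(b, a)]


def rules_after_queue_with_same_delta(deltas: list[tuple[Rule, int, int]]) -> list[int]:
    """Indices of rules below the first NFQUEUE rule whose counters grew by exactly the
    NFQUEUE rule's packet and byte delta. An equal delta is consistent with the same
    packet continuing down the chain, but equally with a different packet of the same
    size (an echo reply is as long as its request) that never matched the NFQUEUE rule;
    compare the source/destination scope of the two rules before concluding."""
    q = next((i for i, (r, _, _) in enumerate(deltas) if r.target == "NFQUEUE"), None)
    if q is None:
        return []
    _, qp, qb = deltas[q]
    if qp == 0:
        return []
    return [r.index for r, dp, db in deltas[q + 1:] if (dp, db) == (qp, qb)]


if __name__ == "__main__":
    for rule, dp, db in counter_deltas(BEFORE, AFTER):
        print(f"rule {rule.index} {rule.target:<8} {rule.proto:<5} "
              f"{rule.source} -> {rule.destination}: +{dp} pkts, +{db} bytes")
    print("rules below NFQUEUE with identical growth:",
          rules_after_queue_with_same_delta(counter_deltas(BEFORE, AFTER)))
```

Run it between two probes (`iptables -Z FORWARD` resets the counters first if a clean baseline is wanted) and look at which rule grew; if only rules whose `source` column is broader than the NFQUEUE rule's are involved, the simpler explanation is a second packet in the other direction rather than a packet coming back out of the queue.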
