[Oisf-users] Trouble with NFQUEUE IPS Mode
Leonard Jacobs
ljacobs at netsecuris.com
Wed Nov 18 13:17:17 UTC 2015
Ok. Thanks. Can I suggest that the documentation in the Suricata docs be updated to reflect that NFQUEUE mode requires IP addresses, and not assume people will understand this should be like a router? Because I found a web page where NFQUEUE mode was configured with bridging.
Thanks.
Leonard Jacobs, MBA, CISSP, CSSA
President/CEO
Netsecuris Inc.
P 952-641-1421 ext. 20
http://www.netsecuris.com
_____
From: Victor Julien [mailto:lists at inliniac.net]
To: oisf-users at lists.openinfosecfoundation.org
Sent: Wed, 18 Nov 2015 07:08:34 -0600
Subject: Re: [Oisf-users] Trouble with NFQUEUE IPS Mode
On 18-11-15 13:08, Leonard Jacobs wrote:
> I did create the iptables rules with NFQUEUE. But then you are saying the IPS appliance should be like a router with IP address set on the outer Ethernet port.
>
> Here is a drawing of what I am trying to accomplish. There are 4 ethernet ports on IPS Appliance. I want to have the IPS on both sides of the firewall.
>
> Router <----------> IPS Appliance <------------> SonicWALL firewall <---------> IPS appliance <--------------> LAN Switch
>                    PortA     PortB                                             PortC    PortD
>
> To get data flowing, I had bridged PortA to PortB as well as PortC to PortD. Will Suricata in NFQUEUE mode not see the traffic from the pairs of ports using the iptables rules I created?
>
> I prefer to use AF_PACKET mode to accomplish this because I know it works, but in this case there seems to be an incompatibility with the SonicWALL firewall so VPN connections drop and some traffic stops flowing. So I am trying to find an IPS alternative to AF_PACKET mode.
>
> Are you saying I need to have IP addresses on all 4 ethernet ports so NFQUEUE will work without turning bridging on?
>
I would suggest setting up the router first without Suricata. To do this
you'd use ACCEPT rules instead of NFQUEUE rules. Once that
routing/iptables setup works, add Suricata to the mix.
To set up a router, you will indeed need proper IP addresses and all.
That's what the routing needs.
Cheers,
Victor
> Thanks.
>
> Leonard
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
> Sent: Wednesday, November 18, 2015 5:41 AM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Trouble with NFQUEUE IPS Mode
>
> On 18-11-15 12:34, Leonard Jacobs wrote:
>> I did turn on ip forwarding but the only way I could get traffic
>> flowing from Ethernet port to Ethernet port was by enabling bridging between ports.
>>
>> I thought bridging was wrong.
>
> It is for NFQUEUE, yes.
>
> Did you make sure the other hosts use this IPS box as their gateway?
>
> Cheers,
> Victor
>
>>
>> Thanks.
>>
>> Leonard
>>
>> ------------------------------------------------------------------------
>> *From:* Eric Leblond [mailto:eric at regit.org]
>> *To:* Leonard Jacobs [mailto:ljacobs at netsecuris.com],
>> oisf-users at lists.openinfosecfoundation.org
>> [mailto:oisf-users at lists.openinfosecfoundation.org]
>> *Sent:* Wed, 18 Nov 2015 01:02:40 -0600
>> *Subject:* Re: [Oisf-users] Trouble with NFQUEUE IPS Mode
>>
>> Hi,
>>
>> On Tue, 2015-11-17 at 18:11 -0600, Leonard Jacobs wrote:
>> > I set up Suricata in NFQUEUE with the following IPTABLES
>> > configuration:
>> >
>> > Chain INPUT (policy ACCEPT 107K packets, 152M bytes)
>> >  pkts bytes target     prot opt in     out     source     destination
>> >
>> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> >  pkts bytes target     prot opt in     out     source     destination
>> >     0     0 NFQUEUE    all  --  p3p1   p2p1    0.0.0.0/0  0.0.0.0/0   NFQUEUE num 0
>> >     0     0 NFQUEUE    all  --  p2p1   p3p1    0.0.0.0/0  0.0.0.0/0   NFQUEUE num 0
>> >     0     0 NFQUEUE    all  --  p1p1   eth0    0.0.0.0/0  0.0.0.0/0   NFQUEUE num 0
>> >     0     0 NFQUEUE    all  --  eth0   p1p1    0.0.0.0/0  0.0.0.0/0   NFQUEUE num 0
>>
>> All counters are 0. So no traffic has been handled by Suricata. Did you
>> activate ip_forward?
>>
>> ++
>> --
>> Eric Leblond <eric at regit.org <mailto:eric at regit.org>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
>>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
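The two-phase, routed (not bridged) setup Victor describes, plus Eric's zero-counter check, as an added example that is not part of the thread or of Suricata itself. It assumes the eth0/p1p1 port pair from Leonard's dump, constructed 10.0.x.1/24 gateway addresses, and DRY_RUN=1 (the default) only printing the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Phase 1 makes the box a plain router
# between two ports with ACCEPT rules; phase 2 swaps ACCEPT for NFQUEUE once
# routing is proven. Addresses are constructed placeholders; the hosts on each
# side must use them as their gateway, or nothing ever traverses FORWARD.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

ips_router_setup() {
    run sysctl -w net.ipv4.ip_forward=1          # routing, not bridging
    run ip addr add 10.0.1.1/24 dev eth0         # constructed address
    run ip addr add 10.0.2.1/24 dev p1p1         # constructed address
    run iptables -A FORWARD -i eth0 -o p1p1 -j ACCEPT
    run iptables -A FORWARD -i p1p1 -o eth0 -j ACCEPT
}

ips_nfqueue_setup() {
    # Same match, different target: Suricata now gives the verdict on queue 0.
    run iptables -D FORWARD -i eth0 -o p1p1 -j ACCEPT
    run iptables -D FORWARD -i p1p1 -o eth0 -j ACCEPT
    run iptables -A FORWARD -i eth0 -o p1p1 -j NFQUEUE --queue-num 0
    run iptables -A FORWARD -i p1p1 -o eth0 -j NFQUEUE --queue-num 0
}

# Eric's check: read `iptables -vnL FORWARD` on stdin; return 0 only if at
# least one NFQUEUE rule has a non-zero pkts counter. The awk "+ 0" coerces
# counters like "107K" to a number, so they count as traffic seen.
nfqueue_sees_traffic() {
    awk '$3 == "NFQUEUE" { seen = 1; if ($1 + 0 > 0) hit = 1 }
         END { exit (seen && hit) ? 0 : 1 }'
}

# Constructed sample: the FORWARD chain exactly as Leonard's dump showed it.
FORWARD_DUMP_SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 NFQUEUE all -- p1p1 eth0 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
    0     0 NFQUEUE all -- eth0 p1p1 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0'

if printf '%s\n' "$FORWARD_DUMP_SAMPLE" | nfqueue_sees_traffic; then
    echo "Suricata is receiving forwarded traffic"
else
    echo "all NFQUEUE counters are 0: check ip_forward, port addresses and the hosts' gateway"
fi
```

With DRY_RUN=0 the functions apply the commands for real; run `ips_router_setup` first and confirm traffic flows before calling `ips_nfqueue_setup` and starting Suricata with `-q 0`.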