[Oisf-users] suricata not functional in IPS mode
James Moe
jimoe at sohnen-moe.com
Thu Sep 3 03:12:55 UTC 2015
Hello,
suricata v1.0.8
linux 3.16.7-24-desktop x86_64
I built suricata to include its IPS mode. I followed the docs to set
up iptables to allow suricata to filter the packet stream. I thought.
Apparently not.
After starting suricata in IPS mode I noticed that the <stats.log>
shows nothing, zero, zip, has passed through suricata; and nothing is
ever reported in <fast.log>.
The following shell script performs as expected to create the
necessary command line. "Suricata-Main" consumes CPU (about 2%
constantly, more than any other process).
Where did I go wrong?
#!/bin/bash
# Paths assumed for this fragment; the original message did not define them.
SURI="/usr/local/bin/suricata"
PID="/var/run/suricata.pid"
LOG="/var/log/suricata"

OPT1="-c /usr/local/etc/suricata/suricata.yaml";
OPT2="--pidfile ${PID}";
OPT3="-v";
GO_IPS=1;
Q_INP="INPUT -j NFQUEUE";
Q_OUT="OUTPUT -j NFQUEUE";
if [ 0 -eq $GO_IPS ]
then
    # if monitor only mode:
    OPT4="-i eth0"; # Run in PCAP mode
else
    # if NFQ mode:
    OPT4="-q 0"; # Run in NFQ mode using queue 0
fi
suri_start () {
    CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} ${OPT4}"
    ethtool --features eth0 rx off
    ethtool --features eth0 gro off
    ethtool --offload eth0 rx off tx off
    # The posted version tested "0 -gt $GO_IPS", which is false for
    # GO_IPS=1, so the NFQUEUE rules were never inserted and no packets
    # ever reached queue 0. "0 -lt $GO_IPS" is true in IPS mode.
    if [ 0 -lt $GO_IPS ]
    then
        iptables -I ${Q_INP}
        iptables -I ${Q_OUT}
    fi
    ${CMD} > "${LOG}/verbose.log" &
    echo "Return value [$?]";   # status of launching the background job only
    echo ${CMD}
}
suri_stop () {
    CMD="No PID found";
    if [ -f "${PID}" ]
    then
        CMD="/usr/bin/kill -TERM $(cat "${PID}")"
        ${CMD}
        rm "${PID}"
    fi
    echo ${CMD}
    # Same condition as in suri_start, so the rules are removed whenever
    # they were inserted.
    if [ 0 -lt $GO_IPS ]
    then
        iptables -D ${Q_INP}
        iptables -D ${Q_OUT}
    fi
}
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
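An added diagnostic for the NFQUEUE/IPS setup described in the message above (example code, not part of the original post). It checks the two things that must both be true before stats.log can show traffic: an NFQUEUE rule exists in each chain, and the queue Suricata binds to is actually receiving packets. It parses constructed sample text standing in for the output of iptables -S and the contents of /proc/net/netfilter/nfnetlink_queue, so it runs without root; on a live host feed it "$(iptables -S)" and "$(cat /proc/net/netfilter/nfnetlink_queue)" instead.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` where only the INPUT rule was added.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j NFQUEUE --queue-num 0'

# Constructed sample of /proc/net/netfilter/nfnetlink_queue while a process
# is bound to queue 0 but nothing has been queued yet (id_sequence is 0).
# Columns: queue_num peer_portid queue_total copy_mode copy_range
#          queue_dropped user_dropped id_sequence 1
SAMPLE_NFQ='    0   4285     0 2 65531     0     0     0  1'

# Count NFQUEUE rules in chain $2 within the iptables -S output $1.
nfq_rule_count() {
    printf '%s\n' "$1" | grep -c -- "^-A $2 .*-j NFQUEUE" || true
}

# Classify queue $2 from nfnetlink_queue text $1:
#   unbound  - no listener on the queue (or no such queue); packets sent
#              there are dropped unless the rule uses --queue-bypass
#   idle     - bound, but id_sequence is 0: no packet has ever been queued,
#              which points at missing or misplaced iptables rules
#   dropping - kernel (queue_dropped) or user-space (user_dropped) drops seen
#   active   - packets flowing and no drops recorded
nfq_queue_state() {
    line=$(printf '%s\n' "$1" | awk -v q="$2" '$1 == q')
    [ -n "$line" ] || { echo unbound; return 0; }
    set -- $line
    [ "$2" -ne 0 ] || { echo unbound; return 0; }
    if [ "$6" -ne 0 ] || [ "$7" -ne 0 ]; then echo dropping
    elif [ "$8" -eq 0 ]; then echo idle
    else echo active
    fi
}

# Report on chains $1 (space separated) using rules $2, queue text $3, queue $4.
ips_check() {
    for chain in $1; do
        [ "$(nfq_rule_count "$2" "$chain")" -gt 0 ] ||
            echo "missing NFQUEUE rule in $chain"
    done
    echo "queue $4: $(nfq_queue_state "$3" "$4")"
}

ips_check "INPUT OUTPUT" "$SAMPLE_RULES" "$SAMPLE_NFQ" 0
```

For the sample data this prints "missing NFQUEUE rule in OUTPUT" followed by "queue 0: idle", the combination to expect when Suricata has bound the queue but the iptables rules were never inserted.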