[Oisf-users] suricata not functional in IPS mode

James Moe jimoe at sohnen-moe.com
Thu Sep 3 03:12:55 UTC 2015



Hello,
  suricata v1.0.8
  linux 3.16.7-24-desktop x86_64

  I built suricata to include its IPS mode. I followed the docs to set
up iptables to allow suricata to filter the packet stream. I thought.
Apparently not.
  After starting suricata in IPS mode I noticed that the <stats.log>
shows nothing, zero, zip, has passed through suricata; and nothing is
ever reported in <fast.log>.
  The following shell script performs as expected to create the
necessary command line. "Suricata-Main" consumes CPU (about 2%
constantly, more than any other process).
  Where did I go wrong?

# SURI, PID and LOG are set earlier in the script (not shown in this post).
OPT1="-c /usr/local/etc/suricata/suricata.yaml";
OPT2="--pidfile ${PID}";
OPT3="-v";

GO_IPS=1;   # 0 = monitor only (pcap), non-zero = IPS (NFQUEUE)
# Deliberately expanded unquoted below: each becomes three words for iptables.
Q_INP="INPUT  -j NFQUEUE";
Q_OUT="OUTPUT -j NFQUEUE";

if [ 0 -eq "$GO_IPS" ]
then
    # if monitor only mode:
    OPT4="-i eth0"; # Run in PCAP mode
else
    # if NFQ mode:
    OPT4="-q 0"; # Run in NFQ mode using queue 0 (the default NFQUEUE queue number)
fi

suri_start () {
    CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} ${OPT4}"

    # Turn off receive offloading so suricata sees packets as they were on the wire.
    ethtool --features eth0 rx off
    ethtool --features eth0 gro off
    ethtool --offload eth0 rx off tx off

    # Same test as the mode selection above: install the queue rules whenever
    # IPS mode is on. Use -ne here: a test such as [ 0 -gt $GO_IPS ] is only
    # true for a negative GO_IPS, so with GO_IPS=1 no NFQUEUE rule would be
    # installed, nothing would be queued, and suricata would sit idle with
    # empty stats.log and fast.log.
    if [ 0 -ne "$GO_IPS" ]
    then
        iptables -I ${Q_INP}
        iptables -I ${Q_OUT}
    fi

    ${CMD} > ${LOG}/verbose.log &
    # $? here is the status of backgrounding the job, not of suricata itself.
    echo "Return value [$?]";
    echo ${CMD}
}

suri_stop () {
    CMD="No PID found";
    if [ -f "${PID}" ]
    then
        CMD="/usr/bin/kill -TERM $(cat ${PID})"
        ${CMD}
        rm "${PID}"
    fi
    echo ${CMD}

    # Remove the queue rules again, otherwise traffic is queued to nobody
    # (and dropped) once suricata has exited.
    if [ 0 -ne "$GO_IPS" ]
    then
        iptables -D ${Q_INP}
        iptables -D ${Q_OUT}
    fi
}


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
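A diagnostic for the symptom in the post (NFQ mode started, stats.log and fast.log stay empty), added here as an example and not part of the original message: it checks that INPUT and OUTPUT actually carry an NFQUEUE rule for the queue suricata was started with, and that the kernel's queue counters show packets being handed over. The rule listing and queue statistics are passed in as text, so the constructed samples below run offline; on a live host feed it `iptables -S` and /proc/net/netfilter/nfnetlink_queue instead.

```shell
#!/bin/sh
# Added example, not from the original post. Inputs are plain text so the
# functions can be exercised with the constructed samples at the bottom.

# nfqueue_rule_present CHAIN QUEUE   (reads `iptables -S` output on stdin)
# Exit 0 if CHAIN has a -j NFQUEUE rule for QUEUE; a rule that carries no
# --queue-num counts as queue 0, the iptables default.
nfqueue_rule_present() {
    awk -v chain="$1" -v q="$2" '
        $1 == "-A" && $2 == chain && /-j NFQUEUE/ {
            n = 0
            for (i = 1; i <= NF; i++) if ($i == "--queue-num") n = $(i + 1)
            if (n == q) found = 1
        }
        END { exit found ? 0 : 1 }'
}
# nfqueue_packets_seen QUEUE   (reads /proc/net/netfilter/nfnetlink_queue)
# A queue is listed only once a program has bound to it; column 8 is the
# packet id sequence, i.e. how many packets the kernel has handed to it.
# Prints that count; exit 1 if nothing is bound to QUEUE.
nfqueue_packets_seen() {
    awk -v q="$1" '$1 == q { print $8; found = 1 } END { exit found ? 0 : 1 }'
}
# diagnose QUEUE RULES QSTATS: prints a one-line verdict; returns 0 only when
# both chains queue to QUEUE, something is bound to it and packets were queued.
diagnose() {
    q=$1; rules=$2; qstat=$3
    for chain in INPUT OUTPUT; do
        printf '%s\n' "$rules" | nfqueue_rule_present "$chain" "$q" ||
            { echo "no NFQUEUE rule in $chain for queue $q: packets bypass suricata"; return 1; }
    done
    seen=$(printf '%s\n' "$qstat" | nfqueue_packets_seen "$q") ||
        { echo "queue $q not bound: suricata is not listening on it"; return 2; }
    [ "$seen" -gt 0 ] || { echo "queue $q bound but no packet queued yet"; return 3; }
    echo "queue $q OK: $seen packets queued so far"
}
# Constructed samples (not captured from the poster's machine).
RULES_MISSING='-P INPUT ACCEPT
-P OUTPUT ACCEPT'
RULES_OK="$RULES_MISSING
-A INPUT -j NFQUEUE --queue-num 0
-A OUTPUT -j NFQUEUE --queue-num 0"
QSTAT_IDLE='    0  12345     0 2 65531     0     0          0  1'
QSTAT_BUSY='    0  12345     3 2 65531     0     0      48211  1'
# Verdicts are printed; the exit status is ignored for these two demo runs.
diagnose 0 "$RULES_MISSING" "$QSTAT_IDLE" || :   # rules never installed
diagnose 0 "$RULES_OK" "$QSTAT_BUSY" || :        # a working setup
```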

