[Oisf-users] suricata not functional in IPS mode

Victor Julien lists at inliniac.net
Sat Sep 5 09:48:46 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03-09-15 05:12, James Moe wrote:
> I built suricata to include its IPS mode. I followed the docs to
> set up iptables to allow suricata to filter the packet stream. I
> thought. Apparently not. After starting suricata in IPS mode I
> noticed that the <stats.log> shows nothing, zero, zip, has passed
> through suricata; and nothing is ever reported in <fast.log>. The
> following shell script performs as expected to create the necessary
> command line. "Suricata-Main" consumes CPU (about 2% constantly,
> more than any other process). Where did I go wrong?

I think you should review the output of 'iptables -vnL'. Are the rules
created? Are the rule counters incremented?

INPUT and OUTPUT will only apply to local traffic. If you're looking
at making this box a gateway for other hosts, then you'll need the
FORWARD chain.

> 
> OPT1="-c /usr/local/etc/suricata/suricata.yaml"
> OPT2="--pidfile ${PID}"
> OPT3="-v"
> 
> GO_IPS=1
> Q_INP="INPUT  -j NFQUEUE"
> Q_OUT="OUTPUT -j NFQUEUE"
> 
> if [ 0 -eq $GO_IPS ]
> then    # if monitor only mode:
>     OPT4="-i eth0"    # Run in PCAP mode
> else    # if NFQ mode:
>     OPT4="-q 0"       # Run in NFQ mode using queue 0
> fi
> 
> suri_start () {
>     CMD="${SURI} ${OPT3} ${OPT2} ${OPT1} ${OPT4}"
> 
>     ethtool --features eth0 rx off
>     ethtool --features eth0 gro off
>     ethtool --offload eth0 rx off tx off
> 
>     if [ 0 -gt $GO_IPS ]

If 0 is greater than 1? Don't think that will create rules.

>     then
>         iptables -I ${Q_INP}
>         iptables -I ${Q_OUT}
>     fi
> 

- -- 
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJV6rp+AAoJEMH0leOSaFa0YrcIAL+lE0MEng7GvCMKTTkLtJja
o+qTRHRR//MhNbWbfQoC+305IwZM10WVEmS8lTDETcDAPnwNvJC1EHdSMekazb5r
5k6W+ruWo+Jwl6LstOwCZqBcP9kOaA++RmzJHCUk49p884kP7M7wt4jNl0bjyIj1
ETgLhMV1emPlVD2UaWdqiL8drqsDvnnbiPXjAIG8zo1xjdAIgD/IN7LZP3AHa+Wu
lBrMLFjTwMnj3XfYRX3e5jp4qPxbm9rTcLp+L8V1JM/m0jGZPY5jK7dQRi8euUBD
S2Kivhv/K110XLenzfPyk6HPy+hVYgKwdPnMbc/tjZ7DwKIMZgkX9KMKH62VHYg=
=LLSY
-----END PGP SIGNATURE-----
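As an added example (not from this thread and not Suricata project code), the following POSIX shell script shows the two points raised in the reply above: pick the chains by deployment role (INPUT and OUTPUT only see the box's own traffic, a gateway also needs FORWARD), guard the rule insertion with a test that can actually be true for GO_IPS=1, and then read the packet counters from 'iptables -vnxL' to confirm traffic is really reaching the NFQUEUE rule. The ROLE variable, the function names and the embedded iptables output are constructed for this example; only the counter-parsing functions are exercised without root.

```shell
#!/bin/sh
# Added example (not from the original thread): choose the iptables chains
# that must carry the NFQUEUE rule, install them only in IPS mode, and
# verify from 'iptables -vnxL' counters that packets are hitting the queue.

GO_IPS=1          # 1 = NFQ/IPS mode, 0 = pcap monitor mode (as in the thread)
ROLE="host"       # constructed: "host" = protect this box, "gateway" = also forward
QUEUE=0           # NFQUEUE number handed to 'suricata -q 0'

# Chains that need a NFQUEUE rule for a role.  INPUT/OUTPUT only carry
# traffic to and from the local stack; a gateway needs FORWARD as well.
nfq_chains() {
    case "$1" in
        host)    echo "INPUT OUTPUT" ;;
        gateway) echo "INPUT OUTPUT FORWARD" ;;
        *)       return 1 ;;
    esac
}

# Rule arguments for one chain (pure string building, no iptables needed).
nfq_rule() {
    echo "$1 -j NFQUEUE --queue-num $2"
}

# Insert the rules.  The original script tested '0 -gt $GO_IPS', which is
# never true for GO_IPS=1, so no rule was ever created; test for 1 instead.
install_rules() {
    [ "$GO_IPS" -eq 1 ] || return 0
    for chain in $(nfq_chains "$ROLE"); do
        # word splitting of the rule string is intended here
        iptables -I $(nfq_rule "$chain" "$QUEUE")
    done
}

# Read 'iptables -vnxL' output on stdin and print "CHAIN pkts" for every
# NFQUEUE rule.  -x gives exact counters (no K/M suffixes to parse).
# Columns: pkts bytes target prot opt in out source destination [extra]
nfq_counters() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "NFQUEUE" { print chain, $1 }
    '
}

# Exit 0 only if at least one NFQUEUE rule exists and none has a zero
# packet counter; rules that exist but never match are the symptom in the
# thread (stats.log empty, nothing in fast.log).
nfq_healthy() {
    nfq_counters | awk '
        BEGIN { ok = 1; n = 0 }
        { n++; if ($2 == 0) ok = 0 }
        END { exit !(ok && n > 0) }
    '
}

# Live check on a box where the rules were installed (needs root).
verify_live() {
    iptables -vnxL | nfq_healthy
}

# Constructed sample output: rules present and matching traffic.
SAMPLE_GOOD='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     812      61234 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     540      40120 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

# Constructed sample output: rules present but counters never move.
SAMPLE_ZERO='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'
```

Run 'install_rules' as root and then 'verify_live' after some traffic has flowed; a non-zero exit means either no NFQUEUE rule is installed at all or a rule exists that nothing matches, which is exactly the case to look at before suspecting Suricata itself. Offline, the two embedded samples can be piped into 'nfq_healthy' to see the healthy and the silent case.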


