[Oisf-users] suricata signatures on wheezy

Victor Julien lists at inliniac.net
Tue Jan 26 21:29:21 UTC 2016


Back to the list. More inline.

On 26-01-16 21:08, John Devine wrote:
> Thanks for your reply. I reinstalled and messed with it a bit and got it running with no errors in IPS mode using # suricata -c /etc/suricata/suricata-debian.yaml -q 0 -D -vv --init-errors-fatal. Everything looks to be in order only all the logs are empty and no traffic appears to be going through suricata.
>
> I tried these two iptables rules to forward traffic but still it appears no traffic is being seen by suricata.
>
>      0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>      0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x1/0x1 NFQUEUE num 0

The zero counters mean the issue is below Suricata. These counters are 
incremented also when Suricata isn't running or functioning correctly.

This means that you'll need to try to figure out why the rule isn't 
matching.

It may be in the wrong chain or you may have routing issues.

Cheers,
Victor

>
> how can I get suricata to see traffic?
> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
> Sent: Tuesday, January 26, 2016 6:29 AM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] suricata signatures on wheezy
>
> On 25-01-16 16:32, John Devine wrote:
>> Hi,
>>
>> I installed suricata for wheezy:
>>
>>
>> # apt-get install -t wheezy-backports suricata.
>>
>>
>> I was able to start it in IPS mode via the init with no errors (though
>> it blows up when I try to get it to alert but that's another issue). So
>> I tried starting it via command line like so:
>>
>>
>> # suricata -c /etc/suricata/suricata-debian.yaml -q 0 -v --init-errors-fatal
>>
>>
>> and I get:
>> <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing
>> failed: "config classification: not-suspicious,Not Suspicious Traffic,3"
>>
>> I don't understand why it is giving this error when trying to start via
>> command line and not via init. Attached is my config.
>>
>
> It looks like it's trying to load the classification.config as a rule file.
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
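Victor's diagnosis above rests on one observation: the `pkts` counter of an NFQUEUE rule is maintained by netfilter itself, so a zero there means packets never reach the rule, whatever Suricata is doing. The following shell snippet is an added example, not from the thread, that turns that check into a small script: it reads `iptables -nvL` output, reports every NFQUEUE rule with its chain and packet counter, and counts the rules that have never matched. The two sample listings are constructed; the FORWARD chain in the first one is an assumption (the poster's listing does not show which chain the rules live in), and the INPUT counters in the second are made up to show the healthy case.

```shell
#!/bin/sh
# Added example, not code from the thread or the Suricata project.
# Reads `iptables -nvL`-style output and flags NFQUEUE rules whose packet
# counter is zero: such a rule is in a chain the traffic never traverses
# (or the box is not routing at all), so Suricata in -q mode sees nothing.

# Constructed sample resembling the poster's listing, with the chain assumed
# to be FORWARD. Both NFQUEUE rules have never matched a packet.
SAMPLE_RULES='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x1/0x1 NFQUEUE num 0'

# Constructed healthy sample: an NFQUEUE rule in INPUT that is seeing traffic.
SAMPLE_HEALTHY='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

# Print "<chain> <pkts> <status>" for every NFQUEUE rule read on stdin.
# "Chain X (...)" header lines set the current chain; the column-header
# line is skipped because its third field is "target", not "NFQUEUE".
nfqueue_rule_status() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "NFQUEUE" {
            status = ($1 == 0) ? "NO_MATCH" : "ok"
            print chain, $1, status
        }
    '
}

# Return (print) the number of NFQUEUE rules with a zero packet counter.
# Counting is done inside awk so the function never exits non-zero under set -e.
count_dead_nfqueue_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { next }
        $3 == "NFQUEUE" && $1 == 0 { n++ }
        END { print n + 0 }
    '
}

# Stand-alone run: show the per-rule status for both constructed samples.
printf '%s\n' "$SAMPLE_RULES"   | nfqueue_rule_status
printf '%s\n' "$SAMPLE_HEALTHY" | nfqueue_rule_status
```

On a live box the same functions are fed by `iptables -nvL | nfqueue_rule_status` (run as root). A `NO_MATCH` line points back to Victor's two suspects: the rule sits in a chain the packets do not pass through (routed traffic traverses FORWARD, locally delivered and generated traffic traverses INPUT and OUTPUT), or the packets are not arriving at the host at all, which is a routing question rather than a Suricata one.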
