[Oisf-users] Fw: suricata signatures on wheezy

John Devine john.devine at nuspire.com
Wed Jan 27 13:26:54 UTC 2016


forwarding for archive purposes
________________________________________
From: Victor Julien <lists at inliniac.net>
Sent: Tuesday, January 26, 2016 4:38 PM
To: John Devine
Subject: Re: [Oisf-users] suricata signatures on wheezy

Great, but please respond to the list. It's good to have success/fail
messages archived there with the suggested solutions.

On 26-01-16 22:32, John Devine wrote:
> Thanks. I figured it out: I needed an INPUT rule instead of FORWARD. Suricata seems to be working 100% now. : )
>
> ________________________________________
> From: Victor Julien <lists at inliniac.net>
> Sent: Tuesday, January 26, 2016 4:29 PM
> To: John Devine; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] suricata signatures on wheezy
>
> Back to the list. More inline.
>
> On 26-01-16 21:08, John Devine wrote:
>> Thanks for your reply. I reinstalled and messed with it a bit and got it running with no errors in IPS mode using # suricata -c /etc/suricata/suricata-debian.yaml -q 0 -D -vv --init-errors-fatal. Everything looks to be in order, only all the logs are empty and no traffic appears to be going through suricata.
>>
>> I tried these two iptables rules to forward traffic but still it appears no traffic is being seen by suricata.
>>
>>       0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>       0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x1/0x1 NFQUEUE num 0
>
> The zero counters mean the issue is below Suricata. These counters are
> also incremented when Suricata isn't running or functioning correctly.
>
> This means that you'll need to try to figure out why the rule isn't
> matching.
>
> It may be in the wrong chain or you may have routing issues.
>
> Cheers,
> Victor
>
>>
>> how can I get suricata to see traffic?
>> ________________________________________
>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
>> Sent: Tuesday, January 26, 2016 6:29 AM
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] suricata signatures on wheezy
>>
>> On 25-01-16 16:32, John Devine wrote:
>>> Hi,
>>>
>>> I installed suricata for wheezy:
>>>
>>>
>>> # apt-get install -t wheezy-backports suricata.
>>>
>>>
>>> I was able to start it in IPS mode via the init with no errors (though
>>> it blows up when I try to get it to alert but that's another issue). So
>>> I tried starting it via command line like so:
>>>
>>>
>>> # suricata -c /etc/suricata/suricata-debian.yaml -q 0 -v --init-errors-fatal
>>>
>>>
>>> and I get:
>>> <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing
>>> failed: "config classification: not-suspicious,Not Suspicious Traffic,3"
>>>
>>> I don't understand why it is giving this error when trying to start via
>>> command line and not via init. Attached is my config.
>>>
>>
>> It looks like it's trying to load the classification.config as a rule file.
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>>
>


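The two diagnoses in this thread (a classification.config listed as a rule file, and NFQUEUE rules sitting in a chain the traffic never crosses, which netfilter's own packet counters reveal before Suricata is even involved) can both be checked from a shell. The script below is an added example, not code from the thread or from the Suricata project. It assumes queue number 0 (matching "-q 0"), the top-level "rule-files:" / "classification-file:" keys of the Debian suricata.yaml of that era, and that counters are read with "iptables -vnLx" so they are exact rather than abbreviated.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): choose the right
# netfilter chains for a Suricata NFQUEUE IPS, verify from the counters that
# packets actually reach the queue, and catch config files misfiled as rules.

QUEUE_NUM="${QUEUE_NUM:-0}"   # assumption: Suricata started with -q 0

# Print (not apply) the iptables rules for a deployment mode.
#   host    - Suricata protects the box it runs on: traffic to and from local
#             sockets traverses INPUT and OUTPUT, never FORWARD.
#   gateway - Suricata sits on a router: transit traffic traverses FORWARD
#             only, so INPUT/OUTPUT rules would count nothing.
# --queue-bypass fails open (packets are ACCEPTed while nobody listens on the
# queue); drop it if you would rather lose connectivity than inspection.
nfq_rules() {
    case "$1" in
        host)
            echo "iptables -I INPUT  -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
            echo "iptables -I OUTPUT -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
            ;;
        gateway)
            echo "iptables -I FORWARD -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
            ;;
        *)
            echo "nfq_rules: unknown mode '$1' (use host or gateway)" >&2
            return 2
            ;;
    esac
}

# Read "iptables -vnLx" output on stdin. Exit 0 when at least one NFQUEUE
# rule has a non-zero packet counter, 1 when every NFQUEUE counter is zero,
# 2 when no NFQUEUE rule exists at all. Netfilter keeps these counters
# whether or not Suricata is running, so all-zero means the rule is in the
# wrong chain or the traffic is not routed the way you think.
nfq_counters_ok() {
    awk '
        $3 == "NFQUEUE" { total += $1; seen = 1 }
        END { if (!seen) exit 2; exit (total > 0) ? 0 : 1 }
    '
}

# Read suricata.yaml on stdin and print every entry under "rule-files:" that
# is really a classification or reference config. Those belong under the
# "classification-file:" and "reference-config-file:" keys; fed to the rule
# parser they produce SC_ERR_INVALID_SIGNATURE on "config classification:"
# lines. Exit 1 when something is misfiled, 0 otherwise.
misfiled_rule_entries() {
    awk '
        /^rule-files:/           { inlist = 1; next }
        inlist && /^[^ #-]/      { inlist = 0 }
        inlist && /^[ ]*-[ ]*/   {
            item = $0
            sub(/^[ ]*-[ ]*/, "", item)
            sub(/[ ]*#.*$/, "", item)
            if (item ~ /(classification|reference)\.config$/) { print item; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage:
#   sh nfq_check.sh host|gateway                 -> print rules for that mode
#   iptables -vnLx | sh nfq_check.sh --counters  -> exit 0 only if packets hit the queue
#   sh nfq_check.sh --yaml < /etc/suricata/suricata.yaml
case "${1:-}" in
    host|gateway) nfq_rules "$1" ;;
    --counters)   nfq_counters_ok ;;
    --yaml)       misfiled_rule_entries ;;
esac
```

Run the counter check first: if it exits 1 against live "iptables -vnLx" output, no amount of Suricata debugging will help, because the kernel never handed the packets to the queue. Only once counters move are empty Suricata logs a Suricata problem.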