[Oisf-users] Fw: suricata signatures on wheezy

Victor Julien lists at inliniac.net
Wed Jan 27 13:28:26 UTC 2016


On 27-01-16 14:26, John Devine wrote:
> 
> forwarding for archive purposes

Thanks John!


> ________________________________________
> From: Victor Julien <lists at inliniac.net>
> Sent: Tuesday, January 26, 2016 4:38 PM
> To: John Devine
> Subject: Re: [Oisf-users] suricata signatures on wheezy
> 
> Great, but please respond to the list. It's good to have success/fail
> messages archived there with the suggested solutions.
> 
> On 26-01-16 22:32, John Devine wrote:
>> Thanks. I figured it out: I needed an INPUT rule instead of FORWARD. Suricata seems to be working 100% now. : )
>>
>> ________________________________________
>> From: Victor Julien <lists at inliniac.net>
>> Sent: Tuesday, January 26, 2016 4:29 PM
>> To: John Devine; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] suricata signatures on wheezy
>>
>> Back to the list. More inline.
>>
>> On 26-01-16 21:08, John Devine wrote:
>>> Thanks for your reply. I reinstalled and messed with it a bit and got it running with no errors in IPS mode using # suricata -c /etc/suricata/suricata-debian.yaml -q 0 -D -vv --init-errors-fatal. Everything looks to be in order, only all the logs are empty and no traffic appears to be going through suricata.
>>>
>>> I tried these two iptables rules to forward traffic but still it appears no traffic is being seen by suricata.
>>>
>>>       0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>>       0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x1/0x1 NFQUEUE num 0
>>
>> The zero counters mean the issue is below Suricata. These counters are
>> also incremented when Suricata isn't running or functioning correctly.
>>
>> This means that you'll need to try to figure out why the rule isn't
>> matching.
>>
>> It may be in the wrong chain or you may have routing issues.
>>
>> Cheers,
>> Victor
>>
>>>
>>> How can I get suricata to see traffic?
>>> ________________________________________
>>> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Victor Julien <lists at inliniac.net>
>>> Sent: Tuesday, January 26, 2016 6:29 AM
>>> To: oisf-users at lists.openinfosecfoundation.org
>>> Subject: Re: [Oisf-users] suricata signatures on wheezy
>>>
>>> On 25-01-16 16:32, John Devine wrote:
>>>> Hi,
>>>>
>>>> I installed suricata for wheezy:
>>>>
>>>>
>>>> # apt-get install -t wheezy-backports suricata.
>>>>
>>>>
>>>> I was able to start it in IPS mode via the init with no errors (though
>>>> it blows up when I try to get it to alert but that's another issue). So
>>>> I tried starting it via command line like so:
>>>>
>>>>
>>>> # suricata -c /etc/suricata/suricata-debian.yaml -q 0 -v --init-errors-fatal
>>>>
>>>>
>>>> and I get:
>>>> <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing
>>>> failed: "config classification: not-suspicious,Not Suspicious Traffic,3"
>>>>
>>>> I don't understand why it is giving this error when trying to start via
>>>> command line and not via init. Attached is my config.
>>>>
>>>
>>> It looks like it's trying to load the classification.config as a rule file.
>>>
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
>>>
>>
>>
>>
>>
> 
> 
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
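The diagnostic step Victor describes (zero packet counters on the NFQUEUE rules mean netfilter never handed a packet to the queue, so the problem is the chain or the routing, not Suricata) can be scripted. The following is an added example, not code from the thread or from the Suricata project: it parses `iptables -vnL`-style output, lists every NFQUEUE rule with its chain, packet counter and queue number, and reports which chains have idle NFQUEUE rules and whether INPUT (the chain that sees traffic terminating on the host itself) has one at all. The sample table is constructed to mirror the situation in the thread; on a real box you would feed it `iptables -vnL` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): find NFQUEUE rules that have never
# matched, per chain, from `iptables -vnL`-style output.
# SAMPLE_IPTABLES_OUTPUT is CONSTRUCTED: both NFQUEUE rules sit in FORWARD
# and show zero packets, while INPUT carries no NFQUEUE rule.
SAMPLE_IPTABLES_OUTPUT='Chain INPUT (policy ACCEPT 1532 packets, 201K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1532  201K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x1/0x1 NFQUEUE num 0

Chain OUTPUT (policy ACCEPT 1498 packets, 175K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Emit one line per NFQUEUE rule: "<chain> <pkts> <queue-number>".
# Chain names come from the "Chain X (...)" header lines; rule lines have
# the target in column 3 and the queue number after the word "num".
nfqueue_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        $3 == "NFQUEUE" {
            queue = "?"
            for (i = 1; i <= NF; i++) if ($i == "num") queue = $(i + 1)
            print chain, $1, queue
        }'
}

# Number of NFQUEUE rules whose packet counter is still zero.
idle_nfqueue_count() {
    nfqueue_rules "$1" | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Summarise: which chains hold idle NFQUEUE rules, and whether INPUT has any
# NFQUEUE rule (host-terminated traffic never traverses FORWARD).
diagnose() {
    idle=$(nfqueue_rules "$1" | awk '$2 == 0 { print $1 }' | sort -u | tr '\n' ' ')
    if nfqueue_rules "$1" | grep -q '^INPUT '; then
        has_input=yes
    else
        has_input=no
    fi
    printf 'idle-nfqueue-chains=[%s] input-has-nfqueue=%s\n' "${idle% }" "$has_input"
}

# Run against the constructed sample; replace with "$(iptables -vnL)" on a real host.
diagnose "$SAMPLE_IPTABLES_OUTPUT"
```

The counters are maintained by netfilter, so a persistent zero on the NFQUEUE rule while other rules in INPUT keep climbing points at chain placement or routing, exactly the conclusion reached in the thread; Suricata itself never sees a packet until the counter moves.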



