[Oisf-users] What do these errors imply?

Andreas Herz andi at geekosphere.org
Wed Jun 8 19:48:46 UTC 2016


On 08/06/16 at 12:30, James Moe wrote:
> 
> Suricata 3.0.1
> opensuse 42.1
> linux 4.1.20-11-default x86_64
> 
> After the daily ruleset update and suricata restart, these errors were
> emitted:
> 
> 8/6/2016 -- 04:59:19 - <Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)]
> - nfq_create_queue failed
> 8/6/2016 -- 04:59:19 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] -
> nfq thread failed to initialize
> 
> What are the implications of these errors?

Did you make sure that NFQ 0 was available when Suricata started?
Or do you have two instances of suricata running, which would explain:

> Suricata continues to detect possible intrusions.

But a second run would not be able to attach to nfq 0.

> 
> $ /usr/sbin/iptables -S INPUT
> -P INPUT DROP
> -A INPUT -j NFQUEUE --queue-num 0
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
> -A INPUT -j input_ext
> -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET
> " --log-tcp-options --log-ip-options
> -A INPUT -j DROP
> 
> $ /usr/sbin/iptables -S OUTPUT
> -P OUTPUT ACCEPT
> -A OUTPUT -j NFQUEUE --queue-num 0
> -A OUTPUT -o lo -j ACCEPT
> 
> -- 
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

-- 
Andreas Herz


