[Oisf-users] All Good Except NFQ Repeat Mode
Dominic Ruggiero
dominic1011 at gmail.com
Mon May 15 17:02:30 UTC 2017
Greetings!
I am using Suricata version 3.2.1 to protect my host computer.
Host OS: Lubuntu Linux 16.04.2 LTS
Kernel: Linux 4.8.0-51-generic (x86-64).
I do use a router for its hardware firewall, but do not have a LAN set up.
I am using AFP capture and host-mode: auto.
Host situation: the two simplest iptables rules:
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
Run Suricata in NFQ mode:
sudo suricata -c /etc/suricata/suricata.yaml -q 0
IPS nfq accept mode works great as does the drop.log and Oinkmaster.
Here is the relevant suricata.log output after running in nfq accept mode:
(RX-Q0) Treated: Pkts 35902, Bytes 14951572, Errors 0
(RX-Q0) Verdict: Accepted 35895, Dropped 6, Replaced 0
I would like to run Suricata in nfq repeat mode, but I don't believe
that I've configured it properly.
Here are the relevant suricata.yaml settings:
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  # bypass-mark: 1
  # bypass-mask: 1
  # route-queue: 2
  # batchcount: 20
  # fail-open: yes
Here is the relevant suricata.log output after running in nfq repeat mode:
(RX-Q0) Treated: Pkts 35343, Bytes 9763340, Errors 18144
(RX-Q0) Verdict: Accepted 17197, Dropped 2, Replaced 0
Only 17197 of the 35343 treated pkts during this session were accepted
due to the 18144 errors.
I am hoping that I have just made a simple newbie error.
Any suggestions? Thanks!
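How repeat-mark/repeat-mask interacts with the NFQUEUE rules, as an added example that is not part of the original post or of Suricata's own code: in repeat mode Suricata sets the repeat-mark on each inspected packet and hands it back to netfilter with NF_REPEAT, so the packet traverses the same chain again and is queued a second time unless the NFQUEUE rule excludes already-marked packets with a `-m mark ! --mark` test. The script assumes queue 0 and mark/mask 1/1 as in the post, and models the mark test in shell rather than touching a live firewall.

```shell
#!/bin/sh
# Added example: models Suricata NFQ repeat mode against iptables mark matching.
# Values match the post (repeat-mark: 1, repeat-mask: 1, suricata -q 0).
REPEAT_MARK=1
REPEAT_MASK=1

# Print NFQUEUE rules that queue only packets Suricata has not yet marked.
# These are constructed strings for inspection; they are not executed here.
nfq_repeat_rules() {
  for chain in INPUT OUTPUT; do
    printf 'iptables -I %s -m mark ! --mark %d/%d -j NFQUEUE --queue-num 0\n' \
      "$chain" "$REPEAT_MARK" "$REPEAT_MASK"
  done
}

# Would a packet carrying skb mark $1 still hit "-m mark ! --mark MARK/MASK"?
# Returns 0 (true) when the packet is sent to NFQUEUE, 1 when the rule skips it.
rule_queues_packet() {
  mark=$1
  [ $(( mark & REPEAT_MASK )) -ne "$REPEAT_MARK" ]
}

# Simulate three traversals of the chain for one packet that starts unmarked.
# $1 = 1 uses the mark-aware rule; $1 = 0 models a plain "-j NFQUEUE" rule.
# Each time the packet is queued, Suricata's repeat verdict writes the
# repeat-mark into the bits selected by repeat-mask before re-injecting it.
# Prints how many times the packet reached the queue.
simulate_packet_passes() {
  use_mark_test=$1
  mark=0
  queued=0
  for pass in 1 2 3; do
    if [ "$use_mark_test" -eq 0 ] || rule_queues_packet "$mark"; then
      queued=$((queued + 1))
      mark=$(( (mark & ~REPEAT_MASK) | (REPEAT_MARK & REPEAT_MASK) ))
    fi
  done
  echo "$queued"
}

nfq_repeat_rules
echo "queued with mark test:    $(simulate_packet_passes 1)"   # 1
echo "queued without mark test: $(simulate_packet_passes 0)"   # 3
```

With the mark test the packet is queued once and then passes the chain untouched; without it every re-injection lands in the queue again, which is the kind of repeated handling the error counter in the second log excerpt would reflect.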