[Oisf-users] Suricata IPS using iptables with NFQUEUE and nfq_set_mark questions

Stanford Prescott stan.prescott at gmail.com
Sun May 21 20:04:56 UTC 2017


I am trying to integrate Suricata 3.2.1 into our iptables firewall in IPS
mode. We have been using Snort in IDS mode but wanted to provide more
filtering options. I like the possibility of using Suricata in IPS mode
using nfq in repeat mode to return marked packets to the iptables table
that sent the packets to Suricata for further processing. Snort doesn't
seem to do this, so we are trying to make the switch to Suricata.

I've been doing a lot of research to figure all of this out. I have read
this excellent article about nfq and nfq_set_mark.
https://home.regit.org/tag/suricata/page/4/

To use iptables with mark and mask, the article indicates that the
"nfq_set_mark" keyword needs to be added to the Suricata rules. How do I
determine to what rules I add the keyword? Would I just add the keyword to
every rule that Suricata is using as listed in suricata.yaml? Or is there a
recommended set of rules to add the keyword? Or are there rule sets
available that already have the keyword added to the rules?

Is Suricata able to set a mark for packets to be accepted and set a
different mark for packets that need to be dropped or rejected?

Any other tips and suggestions for getting Suricata in IPS mode working
with iptables would be much appreciated.
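The repeat-mode setup the post asks about, as an added example that is not part of the original message or of Suricata's own code. It wires together the three pieces involved: the nfq stanza in suricata.yaml (mode repeat with repeat-mark/repeat-mask), a FORWARD chain whose NFQUEUE rule skips packets already carrying the repeat mark so the re-injected packet is not queued a second time, and a local rule using nfq_set_mark so that a second mark bit is visible to the iptables rules that run after re-injection. The queue number 0, the mark values 0x1/0x1 and 0x2/0x2, the sid 9000001 and the telnet rule are assumptions chosen for the example, not values from the page; the script only prints its output unless APPLY=1 is set.

```shell
#!/bin/bash
# Added example (not from the original post or the Suricata project): wire
# Suricata's NFQ "repeat" mode into iptables. Suricata re-injects a packet it
# has inspected with repeat-mark/repeat-mask applied, so the chain needs a
# rule that does not queue already-marked packets again, and the rule keyword
# nfq_set_mark can set a further mark bit for later iptables rules to match.
#
# Assumptions (not given on the page): queue 0, repeat mark 0x1/0x1, a
# hypothetical "watch" mark 0x2/0x2 set by a local rule with sid 9000001,
# and Suricata started as "suricata -c suricata.yaml -q 0". Runs as a dry
# run; set APPLY=1 (as root) to load the rules with iptables-restore.
set -eu

QUEUE_NUM=${QUEUE_NUM:-0}
REPEAT_MARK=0x1; REPEAT_MASK=0x1
WATCH_MARK=0x2;  WATCH_MASK=0x2

# nfq: stanza for suricata.yaml (values written in decimal).
nfq_yaml() {
  cat <<EOF
nfq:
  mode: repeat
  repeat-mark: $(( $REPEAT_MARK ))
  repeat-mask: $(( $REPEAT_MASK ))
  fail-open: yes
EOF
}

# A local rule carrying nfq_set_mark; the mark is applied to the packet
# inside Suricata, so iptables sees it once the packet is re-injected.
local_rule() {
  printf 'alert tcp any any -> any 23 (msg:"telnet to server, mark for iptables"; flow:to_server; nfq_set_mark:%s/%s; sid:9000001; rev:1;)\n' \
    "$WATCH_MARK" "$WATCH_MASK"
}

# FORWARD chain rules in iptables-restore syntax:
#  1. packets carrying the repeat mark were already inspected: do not queue
#     them again, otherwise the NF_REPEAT re-injection loops;
#  2. everything else goes to Suricata; --queue-bypass lets traffic pass
#     while no process is bound to the queue;
#  3. after re-injection the chain is evaluated again, so rules placed here
#     see the mark set by nfq_set_mark (a LOG stands in for any action);
#  4. whatever Suricata accepted continues.
iptables_rules() {
  printf '%s\n' \
    "-A FORWARD -m mark ! --mark ${REPEAT_MARK}/${REPEAT_MASK} -j NFQUEUE --queue-num ${QUEUE_NUM} --queue-bypass" \
    "-A FORWARD -m mark --mark ${WATCH_MARK}/${WATCH_MASK} -j LOG --log-prefix \"suricata-watch: \"" \
    "-A FORWARD -j ACCEPT"
}

# Complete iptables-restore input for the filter table.
restore_input() {
  printf '*filter\n'
  iptables_rules
  printf 'COMMIT\n'
}

if [ "${APPLY:-0}" = 1 ]; then
  restore_input | iptables-restore --noflush
else
  printf '# suricata.yaml fragment\n'; nfq_yaml
  printf '\n# local.rules\n'; local_rule
  printf '\n# iptables-restore --noflush input\n'; restore_input
fi
```

Packets that Suricata drops never come back to the chain at all, so the only marks iptables can act on are those on packets Suricata re-injected; rule 1 must come before the NFQUEUE rule or the chain never terminates.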

