[Oisf-users] Suricata IPS using iptables with NFQUEUE and nfq_set_mark questions

David Sussens dsussens at gmail.com
Mon May 22 09:26:09 UTC 2017

Basically what needs to be done is the following:

1. In iptables:

-A INPUT -m mark ! --mark 1/1 -j NFQUEUE --queue-balance 0:3 --queue-bypass

You add the rule above.  This rule works as follows:

Traffic that is does not have a mark/mask of 1/1 is forwarded to suricata
for processing.  Once Suricata is finished processing, the traffic is
reinjected into the INPUT chain but this time the mark 1/1 is set, which
means on the second round the trafffic is not forwarded to suricata and
will skip on to the rules lower down in the INPUT chain.  Remember that
traffic is only reinjected if it was not dropped by Suricata.  Thus, your
marking does not have to be specified in the suricata rules at all and it
is business as usual from that prespective.

2.  in suricata.yaml:

  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  route-queue: 2
  batchcount: 20
  fail-open: no

You change the nfq mode from accept to repeat this causes packets that were
not rejected by Suricata to be reinjected into the appropriate chain.

This is how I am using it.  In my case I am doing this to ensure that
traffic is first checked by Suricata, and then goes to the local Apache
Inverse Proxy.

Hope this helps.

David Sussens.

On Sun, May 21, 2017 at 10:04 PM, Stanford Prescott <stan.prescott at gmail.com
> wrote:

> I ma trying to integrate Suricata 3.2.1 into our iptables firewall in IPS
> mode. We have have been using Snort in IDS mode but wanted to provide more
> filtering options. I like the possibility of using Suricata in IPS mode
> using nfq in repeat mode to return marked packets to the iptables table
> that sent the packets to Suricata for further processing. Snort doesn't
> seem to do this so we are trying to make the switch to Suricata.
> I've been doing a lot of research to figure all of this out. I have read
> this excellent article about nfq and nfq_set_mark. https://home.
> regit.org/tag/suricata/page/4/
> To use iptables with mark and mask, the article indicates that the
> "nfq_set_mark" keyword needs to be added to the Suricata rules. How do I
> determine to what rules I add the keyword? Would I just add the keyword to
> every rule that Suricata is using as listed in suricata.yaml? Or is there a
> recommended set of rules to add the keyword? Or are there rule sets
> available that already have the keyword added to the rules?
> Is Suricata able to set a mark for packets to be accepted and set a
> different mark for packets that need to be dropped or rejected?
> Any other tips and suggestions for getting Suricata working in IPS mode
> working with iptables would be much appreciated.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170522/ece5e6fb/attachment-0002.html>

More information about the Oisf-users mailing list