[Oisf-users] Suricata IPS using iptables with NFQUEUE and nfq_set_mark questions

Stanford Prescott stan.prescott at gmail.com
Mon May 22 15:13:36 UTC 2017

Thank you, David. That should be very helpful. I think I got confused by
the article I read which I am thinking is a new feature that has been added
to suricata which appears to be a way of marking traffic with different
marks to return to iptables to process depending on what the mark is.
Perhaps like both traffic to be accepted and dropped are returned to
iptables to be processed depending on what the mark is?

On Mon, May 22, 2017 at 4:26 AM, David Sussens <dsussens at gmail.com> wrote:

> Basically what needs to be done is the following:
> 1. In iptables:
> -A INPUT -m mark ! --mark 1/1 -j NFQUEUE --queue-balance 0:3 --queue-bypass
> You add the rule above.  This rule works as follows:
> Traffic that is does not have a mark/mask of 1/1 is forwarded to suricata
> for processing.  Once Suricata is finished processing, the traffic is
> reinjected into the INPUT chain but this time the mark 1/1 is set, which
> means on the second round the trafffic is not forwarded to suricata and
> will skip on to the rules lower down in the INPUT chain.  Remember that
> traffic is only reinjected if it was not dropped by Suricata.  Thus, your
> marking does not have to be specified in the suricata rules at all and it
> is business as usual from that prespective.
> 2.  in suricata.yaml:
> nfq:
>   mode: repeat
>   repeat-mark: 1
>   repeat-mask: 1
>   route-queue: 2
>   batchcount: 20
>   fail-open: no
> You change the nfq mode from accept to repeat this causes packets that
> were not rejected by Suricata to be reinjected into the appropriate chain.
> This is how I am using it.  In my case I am doing this to ensure that
> traffic is first checked by Suricata, and then goes to the local Apache
> Inverse Proxy.
> Hope this helps.
> David Sussens.
> On Sun, May 21, 2017 at 10:04 PM, Stanford Prescott <
> stan.prescott at gmail.com> wrote:
>> I ma trying to integrate Suricata 3.2.1 into our iptables firewall in IPS
>> mode. We have have been using Snort in IDS mode but wanted to provide more
>> filtering options. I like the possibility of using Suricata in IPS mode
>> using nfq in repeat mode to return marked packets to the iptables table
>> that sent the packets to Suricata for further processing. Snort doesn't
>> seem to do this so we are trying to make the switch to Suricata.
>> I've been doing a lot of research to figure all of this out. I have read
>> this excellent article about nfq and nfq_set_mark. https://home.reg
>> it.org/tag/suricata/page/4/
>> To use iptables with mark and mask, the article indicates that the
>> "nfq_set_mark" keyword needs to be added to the Suricata rules. How do I
>> determine to what rules I add the keyword? Would I just add the keyword to
>> every rule that Suricata is using as listed in suricata.yaml? Or is there a
>> recommended set of rules to add the keyword? Or are there rule sets
>> available that already have the keyword added to the rules?
>> Is Suricata able to set a mark for packets to be accepted and set a
>> different mark for packets that need to be dropped or rejected?
>> Any other tips and suggestions for getting Suricata working in IPS mode
>> working with iptables would be much appreciated.
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170522/bccab1d1/attachment-0002.html>

More information about the Oisf-users mailing list