[Oisf-users] Suricata IPS using iptables with NFQUEUE and nfq_set_mark questions

David Sussens dsussens at gmail.com
Mon May 22 17:03:18 UTC 2017


Stan, that mechanism is exactly what I have described. This feature has
been available for quite some time now.

Good luck with your implementation.

David Sussens.
On 22 May 2017 17:14, "Stanford Prescott" <stan.prescott at gmail.com> wrote:

> Thank you, David. That should be very helpful. I think I got confused by
> the article I read which I am thinking is a new feature that has been added
> to suricata which appears to be a way of marking traffic with different
> marks to return to iptables to process depending on what the mark is.
> Perhaps like both traffic to be accepted and dropped are returned to
> iptables to be processed depending on what the mark is?
>
> On Mon, May 22, 2017 at 4:26 AM, David Sussens <dsussens at gmail.com> wrote:
>
>> Basically what needs to be done is the following:
>>
>> 1. In iptables:
>>
-A INPUT -m mark ! --mark 1/1 -j NFQUEUE --queue-balance 0:3 --queue-bypass
>>
>> You add the rule above.  This rule works as follows:
>>
>> Traffic that does not have a mark/mask of 1/1 is forwarded to suricata
>> for processing.  Once Suricata is finished processing, the traffic is
>> reinjected into the INPUT chain but this time the mark 1/1 is set, which
>> means on the second round the traffic is not forwarded to suricata and
>> will skip on to the rules lower down in the INPUT chain.  Remember that
>> traffic is only reinjected if it was not dropped by Suricata.  Thus, your
>> marking does not have to be specified in the suricata rules at all and it
>> is business as usual from that perspective.
>>
>> 2. In suricata.yaml:
>>
>> nfq:
>>   mode: repeat
>>   repeat-mark: 1
>>   repeat-mask: 1
>>   route-queue: 2
>>   batchcount: 20
>>   fail-open: no
>>
>> You change the nfq mode from accept to repeat; this causes packets that
>> were not rejected by Suricata to be reinjected into the appropriate chain.
>>
>> This is how I am using it.  In my case I am doing this to ensure that
>> traffic is first checked by Suricata, and then goes to the local Apache
>> Inverse Proxy.
>>
>> Hope this helps.
>>
>> David Sussens.
>>
>>
>>
>>
>> On Sun, May 21, 2017 at 10:04 PM, Stanford Prescott <stan.prescott at gmail.com> wrote:
>>
>>> I am trying to integrate Suricata 3.2.1 into our iptables firewall in
>>> IPS mode. We have been using Snort in IDS mode but wanted to provide
>>> more filtering options. I like the possibility of using Suricata in IPS
>>> mode using nfq in repeat mode to return marked packets to the iptables
>>> table that sent the packets to Suricata for further processing. Snort
>>> doesn't seem to do this so we are trying to make the switch to Suricata.
>>>
>>> I've been doing a lot of research to figure all of this out. I have read
>>> this excellent article about nfq and nfq_set_mark:
>>> https://home.regit.org/tag/suricata/page/4/
>>>
>>> To use iptables with mark and mask, the article indicates that the
>>> "nfq_set_mark" keyword needs to be added to the Suricata rules. How do I
>>> determine to what rules I add the keyword? Would I just add the keyword to
>>> every rule that Suricata is using as listed in suricata.yaml? Or is there a
>>> recommended set of rules to add the keyword? Or are there rule sets
>>> available that already have the keyword added to the rules?
>>>
>>> Is Suricata able to set a mark for packets to be accepted and set a
>>> different mark for packets that need to be dropped or rejected?
>>>
>>> Any other tips and suggestions for getting Suricata working in IPS mode
>>> with iptables would be much appreciated.
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>
>
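The following script is an added example, not code from the thread or from the Suricata project. It generates the iptables rule and the suricata.yaml nfq fragment from one mark/mask pair, simulates the kernel's `-m mark ! --mark M/K` test for a fresh packet and for the same packet after Suricata has reinjected it with the repeat mark, and checks one pitfall a practitioner should verify before deploying: the repeat-mark bits must lie inside repeat-mask, otherwise the mark Suricata sets never satisfies the iptables test and the packet is queued again on every pass. All values (mark 1, mask 1, queues 0:3) are constructed to match the thread; `nfq_decision` models the xt_mark match as `(packet_mark & mask) == mark`, which is an assumption about the kernel module's comparison.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the iptables rule and the
# suricata.yaml nfq fragment from one mark/mask pair, and simulates the
# iptables "-m mark ! --mark M/K" test so the loop-avoidance logic is visible.

# iptables rule: only packets NOT already carrying mark/mask go to NFQUEUE.
nfqueue_rule() {
  mark=$1; mask=$2; queues=$3
  printf '%s\n' "-A INPUT -m mark ! --mark $mark/$mask -j NFQUEUE --queue-balance $queues --queue-bypass"
}

# suricata.yaml fragment that makes Suricata reinject with the same mark/mask.
nfq_yaml() {
  mark=$1; mask=$2
  printf 'nfq:\n  mode: repeat\n  repeat-mark: %s\n  repeat-mask: %s\n' "$mark" "$mask"
}

# Simulate iptables "-m mark ! --mark M/K" (assumed xt_mark semantics:
# match when (packet_mark & mask) == M, then inverted by "!").
# Prints "queued" when the packet would be handed to Suricata and
# "skipped" when it falls through to the rules lower in the chain.
nfq_decision() {
  pkt_mark=$1; mark=$2; mask=$3
  if [ $(( pkt_mark & mask )) -ne "$mark" ]; then
    printf 'queued\n'
  else
    printf 'skipped\n'
  fi
}

# Sanity check: every set bit of repeat-mark must also be set in repeat-mask.
# If not, the reinjected packet can never equal M under the mask, the "!"
# match stays true, and the packet is queued to Suricata on every pass.
check_mark_mask() {
  mark=$1; mask=$2
  if [ $(( mark & mask )) -eq "$mark" ]; then
    printf 'ok\n'
  else
    printf 'mark bits outside mask: reinjected packets would be queued again\n'
  fi
}

# Walk one packet through the flow described in the thread (constructed):
# first pass with mark 0, second pass after Suricata set the repeat mark.
trace_packet() {
  mark=$1; mask=$2
  first=$(nfq_decision 0 "$mark" "$mask")
  second=$(nfq_decision "$mark" "$mark" "$mask")
  printf '%s,%s\n' "$first" "$second"
}

# Stand-alone run: emit the rule and fragment, then show the trace and checks.
nfqueue_rule 1 1 0:3
nfq_yaml 1 1
trace_packet 1 1      # queued,skipped
check_mark_mask 1 1   # ok
check_mark_mask 2 1   # mark bits outside mask: ...
```

Run it once with the mark/mask you intend to use; if `check_mark_mask` does not print `ok`, adjust repeat-mark or repeat-mask before loading the rule, since a mismatch only shows up as Suricata re-processing every packet.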