[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Victor Julien lists at inliniac.net
Wed Apr 25 09:54:18 UTC 2018

On 23-04-18 04:26, Kevin Branch wrote:
> Hi all,
> I've used Suricata for years but always on a dedicated NIDS server for
> inspecting traffic behind a network firewall.  Now I am trying a local
> install of Suricata on a Linux cloud server whose traffic I want to
> inspect.  The server uses iptables to block all incoming connections
> other than http/https.  My problem is that Suricata is generating lots
> of alerts about incoming connection attempts (scanning noise) that
> iptables is blocking anyway, which I would rather not hear about.
> Is there a way to make Suricata ignore packets that have already been
> dropped by the local iptables?  I've toyed with the idea of using the
> iptables tee facility to pump a subset of eth0 traffic to a dummy0
> interface and then having Suricata inspect that instead, but I thought
> I'd check in here to see if anyone has a better approach already working
> for them.

I guess there would be 2 possibilities:

1. use a bpf to have suri only look at those open ports: 'tcp port 80
and tcp port 443'

2. use Suricata in NFLOG mode: like with NFQUEUE this can be used to
steer traffic to Suricata from iptables. Unlike NFQUEUE, NFLOG is passive.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list