[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Kevin Branch kevin at branchnetconsulting.com
Wed Apr 25 18:40:17 UTC 2018


 Thanks everyone, it appears NFLOG is what best fits my need.  Too bad it
appears that the Launchpad Ubuntu 16.04 package comes with that option
disabled.  Anyway I slogged through pulling the deb-src, tweaking the
configure.ac file to force NFLOG to be enabled, and then building and
installing the new deb.  I can confirm I have NFLOG support now:

# suricata -c /etc/suricata/suricata.yaml --build-info | grep NFLOG
  NFLOG support:                           yes


but I can't yet invoke Suricata such that it uses NFLOG.

I have the relevant section in suricata.yaml:

nflog:
    # netlink multicast group
    # (the same as the iptables --nflog-group param)
    # Group 0 is used by the kernel, so you can't use it
  - group: 10
    # netlink buffer size
    buffer-size: 18432
    # put default value here
  - group: default
    # set number of packet to queue inside kernel
    qthreshold: 1
    # set the delay before flushing packet in the queue inside kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000


I've tried variations of the following and am just not hitting pay dirt.

# iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10
# suricata -c /etc/suricata/suricata.yaml -i nflog:10
25/4/2018 -- 14:25:08 - <Notice> - This is Suricata version 4.0.4 RELEASE
25/4/2018 -- 14:25:08 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'nflog:10': No such device (19)
25/4/2018 -- 14:25:08 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'nflog:10': No such device (19)
25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "nflog:10": No such device
25/4/2018 -- 14:25:13 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface nflog:10: No such device
25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
25/4/2018 -- 14:25:13 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-nflog:10 failed


NFLOG itself seems to be working:


# tcpdump -i nflog:10 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nflog:10, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes


but I just can't seem to work out the proper way to call Suricata.  Please
give me a hand with the syntax for that.
I have scrubbed the Googlesphere and my findings are very lean on this
topic.


On Wed, Apr 25, 2018 at 5:54 AM, Victor Julien <lists at inliniac.net> wrote:

> On 23-04-18 04:26, Kevin Branch wrote:
> > Hi all,
> >
> > I've used Suricata for years but always on a dedicated NIDS server for
> > inspecting traffic behind a network firewall.  Now I am trying a local
> > install of Suricata on a Linux cloud server whose traffic I want to
> > inspect.  The server uses iptables to block all incoming connections
> > other than http/https.  My problem is that Suricata is generating lots
> > of alerts about incoming connection attempts (scanning noise) that
> > iptables is blocking anyway, which I would rather not hear about.
> >
> > Is there a way to make Suricata ignore packets that have already been
> > dropped by the local iptables?  I've toyed with the idea of using the
> > iptables tee facility to pump a subset of eth0 traffic to a dummy0
> > interface and then having Suricata inspect that instead, but I thought
> > I'd check in here to see if anyone has a better approach already working
> > for them.
>
> I guess there would be 2 possibilities:
>
> 1. use a bpf to have suri only look at those open ports: 'tcp port 80
> and tcp port 443'
>
> 2. use Suricata in NFLOG mode: like with NFQUEUE this can be used to
> steer traffic to Suricata from iptables. Unlike NFQUEUE, NFLOG is passive.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
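Added example, written by the editor of this page and not code from the thread or from the Suricata project, covering both options Victor names. Two points it is built around. First, `-i` selects Suricata's AF_PACKET capture, which is why `-i nflog:10` ends in "Unable to find iface nflog:10: No such device"; the NFLOG capture is selected with `--nflog`, and the groups come from the nflog: section of suricata.yaml. Second, an NFLOG rule only copies the packets that traverse it, so a single `-A INPUT ... --dport 80 -j NFLOG` rule hands Suricata one direction of each flow; the replies need a matching OUTPUT rule, and the rule must sit above any `conntrack --ctstate ESTABLISHED -j ACCEPT` shortcut or only the first packet of each flow is logged. The script below parses an iptables-save dump and emits a BPF expression for option 1 and NFLOG rules for option 2. The dump is constructed, not the poster's ruleset; the group number 10, the eth0 and filter.bpf names in the printed usage, and the assumption that accept rules take the single-port form `-p tcp -m tcp --dport N -j ACCEPT` are the example's own.

```python
"""Derive Suricata capture settings from the host's iptables filter rules.

Added example, not code from the mailing-list thread or the Suricata project.
From an `iptables-save` dump it produces:
  1. a BPF expression limiting Suricata to the ports iptables accepts, and
  2. iptables NFLOG rules that copy both directions of accepted flows into a
     netlink group for Suricata's --nflog mode.
Assumption: ACCEPT rules are single-port, `-p tcp|udp ... --dport N -j ACCEPT`
(multiport and ipset matches are not handled).
"""
import re
from typing import List

# Constructed sample dump; not taken from the poster's server.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j DROP
COMMIT
"""

INPUT_RULE = re.compile(r"^-A INPUT (?P<match>.*?) -j (?P<target>\S+)$")
PORT = re.compile(r"-p (?P<proto>tcp|udp)\b.*--dport (?P<port>\d+)\b")
# Option tokens to swap when mirroring an inbound match onto the OUTPUT chain.
MIRROR = {"--dport": "--sport", "--sport": "--dport",
          "-s": "-d", "-d": "-s", "-i": "-o", "-o": "-i"}
MIRROR_RE = re.compile(r"(?<!\S)(--dport|--sport|-s|-d|-i|-o)(?=\s)")


def accept_matches(dump: str) -> List[str]:
    """Match expressions of INPUT rules that ACCEPT a specific service port."""
    out = []
    for line in dump.splitlines():
        m = INPUT_RULE.match(line.strip())
        if m and m.group("target") == "ACCEPT" and PORT.search(m.group("match")):
            out.append(m.group("match"))
    return out


def bpf_filter(matches: List[str]) -> str:
    """Option 1: a capture filter for -i eth0 mode. 'tcp port 80' matches both
    directions, so replies are kept. Source restrictions (-s) are dropped; the
    filter only needs to hide the ports iptables drops outright."""
    terms = []
    for match in matches:
        p = PORT.search(match)
        term = f"{p.group('proto')} port {p.group('port')}"
        if term not in terms:
            terms.append(term)
    return " or ".join(terms)


def nflog_rules(matches: List[str], group: int = 10) -> List[str]:
    """Option 2: NFLOG is non-terminating, so a rule carrying the same match as
    the ACCEPT rule copies exactly the accepted packets to the group. Rules are
    inserted with -I so they run before a 'conntrack --ctstate ESTABLISHED'
    shortcut, otherwise only the first packet of each flow would be copied.
    Each inbound rule gets an OUTPUT twin (dport->sport, -s->-d, -i->-o) so
    Suricata sees both halves of the stream."""
    target = f"-j NFLOG --nflog-group {group}"
    rules = []
    for match in matches:
        mirrored = MIRROR_RE.sub(lambda m: MIRROR[m.group(1)], match)
        rules.append(f"-I INPUT {match} {target}")
        rules.append(f"-I OUTPUT {mirrored} {target}")
    return rules


if __name__ == "__main__":
    matches = accept_matches(SAMPLE_DUMP)
    print("# option 1: suricata -c /etc/suricata/suricata.yaml -i eth0 -F filter.bpf")
    print("# with filter.bpf containing:")
    print(bpf_filter(matches))
    print("# option 2: apply these, then: suricata -c /etc/suricata/suricata.yaml --nflog")
    for rule in nflog_rules(matches):
        print("iptables " + rule)
```

Run it against the real dump with `iptables-save -t filter | python3 thisfile.py` after swapping SAMPLE_DUMP for sys.stdin.read(). For option 2 the group in the printed rules must equal the `group:` entry under nflog: in suricata.yaml (10 in the thread's config), and `tcpdump -i nflog:10 -nn`, as already used above, is the quick check that packets are reaching the group before Suricata is started with `--nflog`.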