[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Giuseppe Longo lists at glongo.it
Thu Apr 26 16:20:50 UTC 2018


Hello Kevin,

On 25/04/2018 20:40, Kevin Branch wrote:
> Thanks everyone, it appears NFLOG is what best fits my need.  Too bad it 
> appears that the Launchpad Ubuntu 16.04 package comes with that option 
> disabled.  Anyway I slogged through pulling the deb-src, tweaking 
> the configure.ac file to force NFLOG to be enabled, 
> and then building and installing the new deb.  I can confirm I have 
> NFLOG support now:
> 
>     # suricata -c /etc/suricata/suricata.yaml --build-info | grep NFLOG
>        NFLOG support:                           yes
> 
> 
> but I can't yet invoke Suricata such that it uses NFLOG.

To enable NFLOG support in Suricata you need to install the nflog packages:
apt-get install libnetfilter-log1 libnetfilter-log-dev
This should work in Ubuntu since it works for Debian.

After that, you can run the configure script enabling nflog:
./configure --enable-nflog ...

If you have built nflog from source code you have to specify the 
directory where nflog is installed:

--with-libnetfilter_log-includes=DIR  libnetfilter_log include directory
--with-libnetfilter_log-libraries=DIR libnetfilter_log library directory

> 
> I have the relevant section in suricata.yaml:
> 
>     nflog:
>          # netlink multicast group
>          # (the same as the iptables --nflog-group param)
>          # Group 0 is used by the kernel, so you can't use it
>        - group: 10
>          # netlink buffer size
>          buffer-size: 18432
>          # put default value here
>        - group: default
>          # set number of packet to queue inside kernel
>          qthreshold: 1
>          # set the delay before flushing packet in the queue inside kernel
>          qtimeout: 100
>          # netlink max buffer size
>          max-size: 20000
> 
> 
> I've tried variations of the following and am just not hitting pay dirt.
> 
>     # iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10
>     # suricata -c /etc/suricata/suricata.yaml -i nflog:10

Looks like your command is wrong. You should start suricata as below:
suricata -c /etc/suricata/suricata.yaml --nflog

You have already specified the nflog group, so you don't need to specify 
it in command line.

This should fix your issue, please let me know if it doesn't work for you.

Regards,
Giuseppe
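The ordering that answers the subject line, as an added example that is not part of this thread: local DROP rules are placed before the NFLOG rule, so packets the host already blocks are never copied to Suricata, and the NFLOG group matches the `group: 10` entry in the suricata.yaml quoted above. The port 23 DROP rule and the check_order helper are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build an iptables-restore ruleset in
# which the local DROP rules sit *before* the NFLOG rule, so traffic the host
# already blocks is never handed to Suricata. Group 10 matches suricata.yaml.
set -eu

NFLOG_GROUP=10   # must equal "group:" in suricata.yaml's nflog section

# Emit a minimal filter-table ruleset in iptables-restore format.
# Ordering is the whole point: accept established flows, DROP what is blocked
# locally, then NFLOG only what remains. NFLOG is a non-terminating target, so
# the ACCEPT after it still applies to the copied packets.
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 80 -j NFLOG --nflog-group $NFLOG_GROUP
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Sanity check on a ruleset passed as \$1: any INPUT DROP rule that appears
# after the NFLOG rule would still be mirrored to Suricata before being
# dropped. Prints "ok" or "bad-order"; returns non-zero on bad order.
check_order() {
  local nflog_line drop_line
  nflog_line=$(printf '%s\n' "$1" | grep -n -- '-j NFLOG' | head -n1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$1" | grep -n -- '-A INPUT .* -j DROP' | tail -n1 | cut -d: -f1)
  if [ -n "$nflog_line" ] && [ -n "$drop_line" ] && [ "$drop_line" -gt "$nflog_line" ]; then
    echo bad-order
    return 1
  fi
  echo ok
}

# Usage (needs root):
#   ruleset | iptables-restore && suricata -c /etc/suricata/suricata.yaml --nflog
```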
