[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables
Kevin Branch
kevin at branchnetconsulting.com
Thu Apr 26 17:11:36 UTC 2018
Thanks for writing, Giuseppe,
I have already installed the nflog packages you mentioned, via apt, but
when I run the new command line, it throws a new error:
# suricata -c /etc/suricata/suricata.yaml --nflog
26/4/2018 -- 13:03:06 - <Notice> - This is Suricata version 4.0.4 RELEASE
26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
initdata == NULL
26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
thread "W#01-10" failed to initialize: flags 0145
26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] -
Engine initialization failed, aborting...
Does --nflog require some kind of argument?
Pretty cryptic to me. Thanks for helping me take a look at this.
Kevin
On Thu, Apr 26, 2018 at 12:20 PM, Giuseppe Longo <lists at glongo.it> wrote:
> Hello Kevin,
>
> On 25/04/2018 20:40, Kevin Branch wrote:
>
>> Thanks everyone, it appears NFLOG is what best fits my need. Too bad it
>> appears that the Launchpad Ubuntu 16.04 package comes with that option
>> disabled. Anyway I slogged through pulling the deb-src, tweaking
>> the configure.ac file to force NFLOG to be enabled,
>> and then building and installing the new deb. I can confirm I have NFLOG
>> support now:
>>
>> # suricata -c /etc/suricata/suricata.yaml --build-info | grep NFLOG
>> NFLOG support: yes
>>
>>
>> but I can't yet invoke Suricata such that it uses NFLOG.
>>
>
> To enable NFLOG support in Suricata you need to install the nflog package:
> apt-get install libnetfilter-log1 libnetfilter-log-dev
> should work in Ubuntu since it works for Debian.
>
> After that, you can run configure script enabling nflog:
> ./configure --enable-nflog ...
>
> If you have built nflog from source code you have to specify the directory
> where nflog is installed:
>
> --with-libnetfilter_log-includes=DIR libnetfilter_log include directory
> --with-libnetfilter_log-libraries=DIR libnetfilter_log library directory
>
>
>> I have the relevant section in suricata.yaml:
>>
>> nflog:
>>     # netlink multicast group
>>     # (the same as the iptables --nflog-group param)
>>     # Group 0 is used by the kernel, so you can't use it
>>   - group: 10
>>     # netlink buffer size
>>     buffer-size: 18432
>>     # put default value here
>>   - group: default
>>     # set number of packet to queue inside kernel
>>     qthreshold: 1
>>     # set the delay before flushing packet in the queue inside kernel
>>     qtimeout: 100
>>     # netlink max buffer size
>>     max-size: 20000
>>
>>
>> I've tried variations of the following and am just not hitting pay dirt.
>>
>> # iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10
>> # suricata -c /etc/suricata/suricata.yaml -i nflog:10
>>
>
> Looks like your command is wrong. You should start suricata as below:
> suricata -c /etc/suricata/suricata.yaml --nflog
>
> You have already specified the nflog group, so you don't need to specify
> it in command line.
>
> This should fix your issue, please let me know if it doesn't work for you.
>
> Regards,
> Giuseppe
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
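The thread's underlying question is rule ordering: NFLOG is a non-terminating target that copies a packet to a netlink group and lets it continue down the chain, so Suricata (started with `--nflog`, reading the groups listed under `nflog:` in suricata.yaml) only sees packets that reach the NFLOG rule. Placing the DROP rules ahead of it keeps locally blocked traffic out of the IDS. The script below is an added example, not code from the thread or from the Suricata project; it assumes a Suricata build with NFLOG support, netlink group 10 as in the quoted suricata.yaml, and uses constructed TEST-NET source ranges as the sample block list. It only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): render the INPUT chain so that packets
# iptables drops never reach the NFLOG rule and therefore never reach Suricata.
# Assumptions: Suricata built with NFLOG support and started with
#   suricata -c /etc/suricata/suricata.yaml --nflog
# with "- group: 10" configured under nflog: in suricata.yaml.

NFLOG_GROUP="${NFLOG_GROUP:-10}"                 # must match the yaml group
BLOCKED_SOURCES="192.0.2.0/24 198.51.100.0/24"   # constructed sample block list

# Group 0 is reserved by the kernel; iptables --nflog-group takes 0-65535.
nflog_group_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if the installed suricata binary reports NFLOG support, 2 if there
# is no suricata binary on PATH (this mirrors the --build-info check in the thread).
nflog_build_supported() {
    command -v suricata >/dev/null 2>&1 || return 2
    suricata --build-info | grep -q 'NFLOG support: yes'
}

# Print the rule set, one iptables command per line, in the order it must be
# installed: DROP rules first, then the NFLOG copy, then the ACCEPT decision.
render_rules() {
    group="$1"
    nflog_group_ok "$group" || { echo "bad nflog group: $group" >&2; return 1; }
    # 1. Everything to be blocked locally is dropped before any copy is taken.
    for src in $BLOCKED_SOURCES; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$src"
    done
    # 2. Only traffic that survived the DROP rules is copied to the netlink group.
    #    NFLOG does not terminate chain traversal; the packet continues below.
    printf 'iptables -A INPUT -p tcp --dport 80 -j NFLOG --nflog-group %s\n' "$group"
    # 3. The ordinary accept decision for what is left.
    printf 'iptables -A INPUT -p tcp --dport 80 -j ACCEPT\n'
}

# Return 0 if every DROP rule is listed before the NFLOG rule in the rendered output.
drops_precede_nflog() {
    render_rules "$1" | awk '
        /-j DROP/  { if (seen_nflog) bad = 1 }
        /-j NFLOG/ { seen_nflog = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Apply for real only when explicitly asked; otherwise just show the commands.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        render_rules "$1" | sh -e
    else
        render_rules "$1"
    fi
}

apply_rules "$NFLOG_GROUP"
```

Run it as-is to review the generated rule order, then with `APPLY=1` (as root) to install the rules; `drops_precede_nflog 10` is a cheap guard to run before applying, so a later edit that appends a DROP rule below the NFLOG copy is caught rather than silently sending blocked packets to Suricata.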