[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Kevin Branch kevin at branchnetconsulting.com
Thu Apr 26 17:11:36 UTC 2018


Thanks for writing, Giuseppe,

I have already installed the nflog packages you mentioned, via apt, but
when I run the new command line, it throws a new error:

# suricata -c /etc/suricata/suricata.yaml --nflog
26/4/2018 -- 13:03:06 - <Notice> - This is Suricata version 4.0.4 RELEASE
26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] -
initdata == NULL
26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
thread "W#01-10" failed to initialize: flags 0145
26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] -
Engine initialization failed, aborting...

Does --nflog require some kind of argument?

Pretty cryptic to me.  Thanks for helping me take a look at this.

Kevin


On Thu, Apr 26, 2018 at 12:20 PM, Giuseppe Longo <lists at glongo.it> wrote:

> Hello Kevin,
>
> On 25/04/2018 20:40, Kevin Branch wrote:
>
>> Thanks everyone, it appears NFLOG is what best fits my need.  Too bad it
>> appears that the Launchpad Ubuntu 16.04 package comes with that option
>> disabled.  Anyway I slugged through pulling the deb-src, tweaking
>> theconfigure.ac <http://configure.ac/>file to force NFLOG to be enabled,
>> and then building and installing the new deb.  I can confirm I have NFLOG
>> support now:
>>
>>     # suricata -c /etc/suricata/suricata.yaml --build-info | grep NFLOG
>>        NFLOG support:                           yes
>>
>>
>> but I can't yet invoke Suricata such that it uses NFLOG.
>>
>
> To enable NFLOG support in Suricata you need to install the nflog package:
> apt-get install libnetfilter-log1 libnetfilter-log-dev
> should work in Ubuntu since it works for Debian.
>
> After that, you can run configure script enabling nflog:
> ./configure --enable-nflog ...
>
> If you have built nflog from source code, you have to specify the directory
> where nflog is installed:
>
> --with-libnetfilter_log-includes=DIR  libnetfilter_log include directory
> --with-libnetfilter_log-libraries=DIR libnetfilter_log library directory
>
>
>> I have the relevant section in suricata.yaml:
>>
>>     nflog:
>>          # netlink multicast group
>>          # (the same as the iptables --nflog-group param)
>>          # Group 0 is used by the kernel, so you can't use it
>>        - group: 10
>>          # netlink buffer size
>>          buffer-size: 18432
>>          # put default value here
>>        - group: default
>>          # set number of packet to queue inside kernel
>>          qthreshold: 1
>>          # set the delay before flushing packet in the queue inside kernel
>>          qtimeout: 100
>>          # netlink max buffer size
>>          max-size: 20000
>>
>>
>> I've tried variations of the following and am just not hitting pay dirt.
>>
>>     # iptables -A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10
>>     # suricata -c /etc/suricata/suricata.yaml -i nflog:10
>>
>
> Looks like your command is wrong. You should start suricata as below:
> suricata -c /etc/suricata/suricata.yaml --nflog
>
> You have already specified the nflog group, so you don't need to specify
> it in command line.
>
> This should fix your issue, please let me know if it doesn't work for you.
>
> Regards,
> Giuseppe
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
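A check for the ordering problem the thread title is about, added here as an example and not code from the thread or from the Suricata project: because NFLOG is a non-terminating target, a packet that matches an NFLOG rule is copied to the netlink group and then keeps traversing the chain, so any DROP rule placed after it still blocks the packet but Suricata has already received a copy. The script parses `iptables-save` style output (a constructed sample, not Kevin's real ruleset) and flags NFLOG rules whose group differs from the one in suricata.yaml, and DROP/REJECT rules that follow an NFLOG rule in the same chain.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save` output (not from the thread). INPUT mirrors
# port-80 traffic to NFLOG group 10 *before* its DROP rule, so packets the firewall
# later discards are still copied to Suricata. FORWARD has the intended order:
# drop first, mirror only what survives.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10
-A INPUT -s 203.0.113.0/24 -j DROP
-A FORWARD -s 203.0.113.0/24 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10
COMMIT
"""

# Group configured in the nflog section of suricata.yaml ("- group: 10" in the thread).
SURICATA_NFLOG_GROUP = 10

# "-A <chain> <match options> -j <target> <target options>"
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)(.*)$")

def parse_rules(text):
    """Yield (chain, matches, target, target_opts) in file order for every -A line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, matches, target, opts = m.groups()
            yield chain, matches.strip(), target, opts.strip()

def audit_nflog_rules(text, suricata_group):
    """Return a list of findings; an empty list means blocked traffic never
    reaches Suricata and the NFLOG group matches the YAML configuration."""
    findings = []
    nflog_seen = defaultdict(int)  # chain -> number of NFLOG rules seen so far
    for chain, matches, target, opts in parse_rules(text):
        if target == "NFLOG":
            g = re.search(r"--nflog-group (\d+)", opts)
            group = int(g.group(1)) if g else 0  # iptables defaults to group 0
            if group != suricata_group:
                findings.append(f"{chain}: NFLOG group {group} != suricata.yaml group {suricata_group}")
            nflog_seen[chain] += 1
        elif target in ("DROP", "REJECT") and nflog_seen[chain]:
            # Conservative: flags any later terminating rule in the chain, even if
            # its match set does not overlap the NFLOG rule's match set.
            findings.append(f"{chain}: {target} rule '{matches}' comes after an NFLOG rule; "
                            "packets it blocks are still copied to Suricata")
    return findings
```

Run it against `iptables-save` output piped into a file and fix any flagged chain by moving the DROP rules above the NFLOG rule.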