[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables
Giuseppe Longo
lists at glongo.it
Thu Apr 26 19:43:38 UTC 2018
On 26/04/2018 19:11, Kevin Branch wrote:
> Thanks for writing, Giuseppe,
>
> I have already installed the nflog packages you mentioned, via apt, but
> when I run the new command line, it throws a new error:
>
> # suricata -c /etc/suricata/suricata.yaml --nflog
> 26/4/2018 -- 13:03:06 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata == NULL
> 26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-10" failed to initialize: flags 0145
> 26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
>
> Does --nflog require some kind of argument?
>
> Pretty cryptic to me. Thanks for helping me take a look at this.
>
> Kevin
>
>
I believe there is something wrong in your setup;
if you run 'iptables -L -v', do you see any packets
matching your NFLOG group?
See my case below:
# iptables -L -v
Chain INPUT (policy ACCEPT 9960 packets, 3694K bytes)
 pkts bytes target prot opt in  out source   destination
 9960 3694K NFLOG  all  --  any any anywhere anywhere
If you can, try to flush the iptables INPUT chain with 'iptables -F'
and then add this rule: iptables -A INPUT -j NFLOG --nflog-group 10
Take a look also at 'dmesg' and make sure that there are no problems with nflog.
Regards,
Giuseppe
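The check suggested above (are any packets actually hitting the NFLOG rule before Suricata is started with --nflog?) can be scripted. This is an added example, not code from the thread or from the Suricata project; the function names nflog_pkts and check_nflog and the sample iptables output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that at least one NFLOG rule in the INPUT chain has
# matched traffic, using the counters from 'iptables -L INPUT -v -n -x'
# (-x prints exact counters instead of 3694K, -n avoids DNS lookups).

# nflog_pkts reads the iptables listing on stdin and prints the summed packet
# counter of every rule whose target column is NFLOG (0 if there is none).
nflog_pkts() {
    awk '$3 == "NFLOG" { total += $1 } END { printf "%d\n", total + 0 }'
}

# Constructed sample listings: one where the rule sees traffic, one where it
# is present but has never matched (what a broken setup typically looks like).
SAMPLE_OK='Chain INPUT (policy ACCEPT 9960 packets, 3694000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9960    3694000 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 10'

SAMPLE_EMPTY='Chain INPUT (policy ACCEPT 12 packets, 800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 10'

# check_nflog takes a listing as its argument and returns 0 when NFLOG rules
# have seen packets, 1 otherwise, so it can gate a 'suricata --nflog' start.
check_nflog() {
    pkts=$(printf '%s\n' "$1" | nflog_pkts)
    if [ "$pkts" -gt 0 ]; then
        echo "NFLOG rules matched $pkts packets"
        return 0
    fi
    echo "no packets hit any NFLOG rule; add e.g. 'iptables -A INPUT -j NFLOG --nflog-group 10' and check dmesg" >&2
    return 1
}

# Live use (needs root):  check_nflog "$(iptables -L INPUT -v -n -x)"
```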