[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Kevin Branch kevin at branchnetconsulting.com
Thu Apr 26 21:16:46 UTC 2018


Hi Giuseppe,

Sorry, NFLOG seems to be working fine.  I just confirmed iptables is
catching intended packets and that tcpdump is picking them up via -i
nflog:10.
I also confirmed that whether I use my nflog-enabled deb package, or
manually do a ./configure --enable-nflog; make; make install, I still
get that fatal "[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata == NULL"
line.
When I run "suricata --help", I see no reference to a --nflog option.  Nor
is there any reference to nflog at all in the man page.


root at o-orlseim01-ptp:~# suricata -c /etc/suricata/suricata.yaml --nflog 10
26/4/2018 -- 17:02:49 - <Notice> - This is Suricata version 4.0.4 RELEASE
26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata == NULL
26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-10" failed to initialize: flags 0145
26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

root at o-orlseim01-ptp:~# dmesg | tail
[179774.299698] Process accounting resumed
[266176.455815] Process accounting resumed
[352578.755972] Process accounting resumed
[376749.756539] SGI XFS with ACLs, security attributes, realtime, no debug enabled
[376749.789166] JFS: nTxBlock = 8192, nTxLock = 65536
[376749.817938] ntfs: driver 2.1.32 [Flags: R/O MODULE].
[376749.880298] QNX4 filesystem 0.2.3 registered.
[404679.648500] ip_tables: (C) 2000-2006 Netfilter Core Team
[421657.536552] perf interrupt took too long (5003 > 5000), lowering kernel.perf_event_max_sample_rate to 25000
[438980.143833] Process accounting resumed

root at o-orlseim01-ptp:~# iptables --list -v
Chain INPUT (policy ACCEPT 1253K packets, 193M bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 NFLOG      tcp  --  any    any     anywhere             anywhere             tcp dpt:http nflog-group 10

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1250K packets, 188M bytes)
 pkts bytes target     prot opt in     out     source               destination

root at o-orlseim01-ptp:~# tcpdump -i nflog:10 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nflog:10, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes
17:04:29.772337 IP 172.18.2.107.59519 > 10.18.0.144.80: Flags [S], seq 3035437428, win 14600, options [mss 1460,sackOK,TS val 542358755 ecr 0,nop,wscale 9], length 0
17:04:32.916327 IP 172.18.2.107.59611 > 10.18.0.144.80: Flags [S], seq 4012452713, win 14600, options [mss 1460,sackOK,TS val 542361902 ecr 0,nop,wscale 9], length 0
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel


On Thu, Apr 26, 2018 at 3:43 PM, Giuseppe Longo <lists at glongo.it> wrote:

>
>
> On 26/04/2018 19:11, Kevin Branch wrote:
>
>> Thanks for writing Giuseppe,
>>
>> I have already installed the nflog packages you mentioned, via apt, but
>> when I run the new command line, it throws a new error:
>>
>> # suricata -c /etc/suricata/suricata.yaml --nflog
>> 26/4/2018 -- 13:03:06 - <Notice> - This is Suricata version 4.0.4 RELEASE
>> 26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata == NULL
>> 26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "W#01-10" failed to initialize: flags 0145
>> 26/4/2018 -- 13:03:11 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
>>
>> Does --nflog require some kind of argument?
>>
>> Pretty cryptic to me.  Thanks for helping me take a look at this.
>>
>> Kevin
>>
>>
>>
> I believe there is something wrong in your setup,
> if you run 'iptables -L -v' do you see any packet
> matching your NFLOG group?
>
> See my case below:
> # iptables -L -v
> Chain INPUT (policy ACCEPT 9960 packets, 3694K bytes)
>  pkts bytes target     prot opt in     out     source destination
>  9960 3694K NFLOG      all  --  any    any     anywhere anywhere
>
> If you can, try to flush iptables input chain with 'iptables -F'
> and try to add this rule: iptables -A INPUT -j NFLOG --nflog-group 10
>
> Take a look also at 'dmesg', make sure that there are no problems with
> nflog.
>
> Regards,
> Giuseppe
>
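Giuseppe's check above ("do you see any packet matching your NFLOG group?") can be automated. The script below is an added example, not code from this thread or from the Suricata project: it parses `iptables -L -v` output, confirms the NFLOG rule for the group Suricata reads has non-zero counters, and also flags DROP/REJECT rules that sit after the NFLOG rule in the same chain (NFLOG is non-terminating, so packets dropped later in the chain are still copied to the group and Suricata inspects them, which is what the subject line wants to avoid). The listing is constructed from Kevin's output with a DROP rule added after the NFLOG rule; it assumes every rule row has a target column.

```python
import re

# One `iptables -L -v` rule row: pkts bytes target prot opt in out source destination [match options]
_CHAIN = re.compile(r"^Chain (\S+) \(")
_RULE = re.compile(r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+(?:\S+\s+){5}\S+\s*(.*)$")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates big counters (1253K, 193M)

def _count(tok):
    return int(tok[:-1]) * _SUFFIX[tok[-1]] if tok[-1] in _SUFFIX else int(tok)

def parse_chains(listing):
    """Return {chain: [(pkts, target, match_options), ...]} in rule order."""
    chains, current = {}, None
    for line in listing.splitlines():
        if m := _CHAIN.match(line):
            current = m.group(1)
            chains[current] = []
        elif current and (m := _RULE.match(line)):  # assumes every rule has a target
            chains[current].append((_count(m.group(1)), m.group(2), m.group(3)))
    return chains

def nflog_problems(listing, group):
    """Findings for the nflog group Suricata is told to read (--nflog 10 in the thread)."""
    out, seen = [], False
    for chain, rules in parse_chains(listing).items():
        for pos, (pkts, target, opts) in enumerate(rules, 1):
            m = re.search(r"nflog-group (\d+)", opts)
            if target != "NFLOG" or int(m.group(1) if m else 0) != group:  # no option means group 0
                continue
            seen = True
            if pkts == 0:
                out.append(f"{chain} rule {pos}: NFLOG rule has matched 0 packets")
            # NFLOG is non-terminating: the packet is copied to the group and then
            # continues to any later DROP/REJECT, so Suricata still inspects blocked traffic.
            later = sum(t in ("DROP", "REJECT") for _, t, _ in rules[pos:])
            if later:
                out.append(f"{chain} rule {pos}: {later} DROP/REJECT rule(s) follow it; "
                           "move the NFLOG rule below them so blocked traffic is not copied")
    return out if seen else [f"no NFLOG rule for nflog-group {group}"]

# Constructed listing in the thread's format: its NFLOG rule plus a DROP rule added after it.
SAMPLE = """\
Chain INPUT (policy ACCEPT 1253K packets, 193M bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 NFLOG      tcp  --  any    any     anywhere             anywhere             tcp dpt:http nflog-group 10
   37  2220 DROP       tcp  --  any    any     192.0.2.0/24         anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
```

On a live box, feed it `subprocess.check_output(["iptables", "-L", "-v"], text=True)` instead of `SAMPLE`; for the constructed listing it reports that the DROP rule follows the NFLOG rule in INPUT.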