[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Giuseppe Longo lists at glongo.it
Thu Apr 26 21:50:51 UTC 2018



On 26/04/2018 23:16, Kevin Branch wrote:
> Hi Giuseppe,
> 
> Sorry, NFLOG seems to be working fine.  I just confirmed iptables is 
> catching intended packets and that tcpdump is picking them up via -i 
> nflog:10.
> I also confirmed that whether I use my nflog-enabled deb package, or 
> manually do a ./configure --enable-nflog; make; make install,  that I 
> still get that fatal "[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata 
> == NULL" line.
> When I run "suricata --help", I see no reference to a --nflog option.  
> Nor is there any reference to nflog at all in the man page.
> 
> 
> root@o-orlseim01-ptp:~# suricata -c /etc/suricata/suricata.yaml --nflog 10
> 26/4/2018 -- 17:02:49 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] 
> - initdata == NULL
> 26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - 
> thread "W#01-10" failed to initialize: flags 0145
> 26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - 
> Engine initialization failed, aborting...
> 
> root@o-orlseim01-ptp:~# dmesg | tail
> [179774.299698] Process accounting resumed
> [266176.455815] Process accounting resumed
> [352578.755972] Process accounting resumed
> [376749.756539] SGI XFS with ACLs, security attributes, realtime, no 
> debug enabled
> [376749.789166] JFS: nTxBlock = 8192, nTxLock = 65536
> [376749.817938] ntfs: driver 2.1.32 [Flags: R/O MODULE].
> [376749.880298] QNX4 filesystem 0.2.3 registered.
> [404679.648500] ip_tables: (C) 2000-2006 Netfilter Core Team
> [421657.536552] perf interrupt took too long (5003 > 5000), lowering 
> kernel.perf_event_max_sample_rate to 25000
> [438980.143833] Process accounting resumed
> 
> root@o-orlseim01-ptp:~# iptables --list -v
> Chain INPUT (policy ACCEPT 1253K packets, 193M bytes)
>   pkts bytes target     prot opt in     out     source              
>   destination
>      2   120 NFLOG      tcp  --  any    any     anywhere            
>   anywhere             tcp dpt:http nflog-group 10
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>   pkts bytes target     prot opt in     out     source              
>   destination
> 
> Chain OUTPUT (policy ACCEPT 1250K packets, 188M bytes)
>   pkts bytes target     prot opt in     out     source              
>   destination
> 
> root@o-orlseim01-ptp:~# tcpdump -i nflog:10 -nn
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on nflog:10, link-type NFLOG (Linux netfilter log messages), 
> capture size 262144 bytes
> 17:04:29.772337 IP 172.18.2.107.59519 > 10.18.0.144.80: Flags [S], seq 
> 3035437428, win 14600, options [mss 1460,sackOK,TS val 542358755 ecr 
> 0,nop,wscale 9], length 0
> 17:04:32.916327 IP 172.18.2.107.59611 > 10.18.0.144.80: Flags [S], seq 
> 4012452713, win 14600, options [mss 1460,sackOK,TS val 542361902 ecr 
> 0,nop,wscale 9], length 0
> ^C
> 2 packets captured
> 2 packets received by filter
> 0 packets dropped by kernel
> 

Could you try to update to 4.1.0?

You can see below the output that I got:
# ./bin/suricata -c etc/suricata/suricata.yaml --nflog -vvv
[25774] 26/4/2018 -- 23:48:12 - (suricata.c:1076) <Notice> (LogVersion) 
-- This is Suricata version 4.1.0-dev (rev 2e8fd612a)
[25774] 26/4/2018 -- 23:48:12 - (util-cpu.c:171) <Info> 
(UtilCpuPrintSummary) -- CPUs/cores online: 4
[25774] 26/4/2018 -- 23:48:12 - (util-device.c:297) <Config> 
(LiveBuildDeviceListCustom) -- Adding group 10 from config file
...
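The two checks the thread walks through by hand (is iptables really handing packets to NFLOG group 10, and is the Suricata build new enough to accept --nflog) can be scripted as a pre-flight step. The script below is an added example written for this archive page; it is not code from the thread or from the Suricata project. It assumes rule listings in `iptables -S` form, a version banner in the same "This is Suricata version X" shape as the Notice line quoted above (which `suricata -V` prints), and takes 4.1.0 as the minimum version purely because that is the release Giuseppe suggests; the inline samples are constructed to mirror the thread.

```shell
#!/bin/sh
# Pre-flight checks for a Suricata NFLOG capture setup (added example).
# Replace the constructed samples with real output to use it on a host:
#   iptables -S            -> rule listing
#   suricata -V            -> version banner
NFLOG_GROUP=10
MIN_VERSION=4.1.0   # assumption: the version the thread recommends upgrading to

# Constructed sample: the thread's "tcp dpt:http NFLOG nflog-group 10" rule
# as "iptables -S" would print it.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 10'

# Constructed samples: the two version banners quoted in the thread.
SAMPLE_BANNER_OLD='26/4/2018 -- 17:02:49 - <Notice> - This is Suricata version 4.0.4 RELEASE'
SAMPLE_BANNER_NEW='[25774] 26/4/2018 -- 23:48:12 - (suricata.c:1076) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 2e8fd612a)'

# has_nflog_rule GROUP: reads an "iptables -S" listing on stdin and succeeds
# only if some rule jumps to NFLOG for exactly that group (10, not 100).
has_nflog_rule() {
    grep -qE -- "-j NFLOG.* --nflog-group $1( |\$)"
}

# suricata_version: extracts the version token ("4.0.4", "4.1.0-dev") from a
# banner line read on stdin; prints nothing if the line does not match.
suricata_version() {
    sed -n 's/.*This is Suricata version \([^ ]*\).*/\1/p' | head -n1
}

# ver_ge A B: succeeds when dotted version A >= B. Non-numeric suffixes such
# as "-dev" are dropped first, so 4.1.0-dev compares as 4.1.0.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    lowest=$(printf '%s\n%s\n' "$b" "$a" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$b" ]
}

# nflog_preflight GROUP RULES BANNER: prints one verdict per check and
# returns 0 only when both the iptables rule and the version check pass.
nflog_preflight() {
    group=$1; rules=$2; banner=$3
    ver=$(printf '%s\n' "$banner" | suricata_version)
    status=0
    if printf '%s\n' "$rules" | has_nflog_rule "$group"; then
        echo "ok: iptables delivers packets to NFLOG group $group"
    else
        echo "missing: no rule with -j NFLOG --nflog-group $group"
        status=1
    fi
    if [ -n "$ver" ] && ver_ge "$ver" "$MIN_VERSION"; then
        echo "ok: Suricata $ver is at least $MIN_VERSION"
    else
        echo "warning: Suricata '${ver:-unknown}' is older than $MIN_VERSION;" \
             "the thread reports 'initdata == NULL' with --nflog on 4.0.4"
        status=1
    fi
    return $status
}

# Demo on the constructed samples: the 4.0.4 host fails, the 4.1.0-dev host passes.
echo "== host running 4.0.4 =="
nflog_preflight "$NFLOG_GROUP" "$SAMPLE_RULES" "$SAMPLE_BANNER_OLD" || :
echo "== host running 4.1.0-dev =="
nflog_preflight "$NFLOG_GROUP" "$SAMPLE_RULES" "$SAMPLE_BANNER_NEW" || :
```

On a live host, feed the functions real data, e.g. `iptables -S | has_nflog_rule 10` and `suricata -V | suricata_version`; the rule check deliberately matches the group as a whole token so that a rule for group 100 is not mistaken for group 10.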