[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Kevin Branch kevin at branchnetconsulting.com
Thu Apr 26 22:59:54 UTC 2018


Giuseppe,

That made all the difference!  I thought this feature was available in the
latest stable Suricata, not only in the dev version.  Your syntax works now:


26/4/2018 -- 18:53:13 - <Notice> - This is Suricata version 4.1.0-beta1
RELEASE
26/4/2018 -- 18:53:16 - <Notice> - all 49 packet processing threads, 4
management threads initialized, engine started.
26/4/2018 -- 18:53:51 - <Notice> - Signal Received.  Stopping engine.
26/4/2018 -- 18:53:51 - <Notice> - (RX#01-10) Pkts 22, Bytes 1320
26/4/2018 -- 18:53:52 - <Notice> - Stats for '10':  pkts: 22, drop: 0
(0.00%), invalid chksum: 0


I may well use 4.1 then, though if I can get 4.0.4 which clearly claims to
support NFLOG in some capacity, to do what I need, I might still go that
way since management is easier with packages.

Victor,

Is NFLOG support in 4.0.4 not really working or does it just require a
different syntax when calling suricata to make it work?

Thanks to both of you!
Kevin

On Thu, Apr 26, 2018 at 5:50 PM, Giuseppe Longo <lists at glongo.it> wrote:

>
>
> On 26/04/2018 23:16, Kevin Branch wrote:
>
>> Hi Giuseppe,
>>
>> Sorry, NFLOG seems to be working fine.  I just confirmed iptables is
>> catching intended packets and that tcpdump is picking them up via -i
>> nflog:10.
>> I also confirmed that whether I use my nflog-enabled deb package, or
>> manually do a ./configure --enable-nflog; make; make install, I still
>> get that fatal "[ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - initdata == NULL"
>> line.
>> When I run "suricata --help", I see no reference to a --nflog option.
>> Nor is there any reference to nflog at all in the man page.
>>
>>
>> root at o-orlseim01-ptp:~# suricata -c /etc/suricata/suricata.yaml --nflog
>> 10
>> 26/4/2018 -- 17:02:49 - <Notice> - This is Suricata version 4.0.4 RELEASE
>> 26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)]
>> - initdata == NULL
>> 26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
>> thread "W#01-10" failed to initialize: flags 0145
>> 26/4/2018 -- 17:02:54 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] -
>> Engine initialization failed, aborting...
>>
>> root at o-orlseim01-ptp:~# dmesg | tail
>> [179774.299698] Process accounting resumed
>> [266176.455815] Process accounting resumed
>> [352578.755972] Process accounting resumed
>> [376749.756539] SGI XFS with ACLs, security attributes, realtime, no
>> debug enabled
>> [376749.789166] JFS: nTxBlock = 8192, nTxLock = 65536
>> [376749.817938] ntfs: driver 2.1.32 [Flags: R/O MODULE].
>> [376749.880298] QNX4 filesystem 0.2.3 registered.
>> [404679.648500] ip_tables: (C) 2000-2006 Netfilter Core Team
>> [421657.536552] perf interrupt took too long (5003 > 5000), lowering
>> kernel.perf_event_max_sample_rate to 25000
>> [438980.143833] Process accounting resumed
>>
>> root at o-orlseim01-ptp:~# iptables --list -v
>> Chain INPUT (policy ACCEPT 1253K packets, 193M bytes)
>>   pkts bytes target     prot opt in     out     source
>>   destination
>>      2   120 NFLOG      tcp  --  any    any     anywhere
>>   anywhere             tcp dpt:http nflog-group 10
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>   pkts bytes target     prot opt in     out     source
>>   destination
>>
>> Chain OUTPUT (policy ACCEPT 1250K packets, 188M bytes)
>>   pkts bytes target     prot opt in     out     source
>>   destination
>>
>> root at o-orlseim01-ptp:~# tcpdump -i nflog:10 -nn
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on nflog:10, link-type NFLOG (Linux netfilter log messages),
>> capture size 262144 bytes
>> 17:04:29.772337 IP 172.18.2.107.59519 > 10.18.0.144.80: Flags [S], seq
>> 3035437428, win 14600, options [mss 1460,sackOK,TS val 542358755 ecr
>> 0,nop,wscale 9], length 0
>> 17:04:32.916327 IP 172.18.2.107.59611 > 10.18.0.144.80: Flags [S], seq
>> 4012452713, win 14600, options [mss 1460,sackOK,TS val 542361902 ecr
>> 0,nop,wscale 9], length 0
>> ^C
>> 2 packets captured
>> 2 packets received by filter
>> 0 packets dropped by kernel
>>
>>
> Could you try to update to 4.1.0 ?
>
> You can see below the output that I got:
> # ./bin/suricata -c etc/suricata/suricata.yaml --nflog -vvv
> [25774] 26/4/2018 -- 23:48:12 - (suricata.c:1076) <Notice> (LogVersion) --
> This is Suricata version 4.1.0-dev (rev 2e8fd612a)
> [25774] 26/4/2018 -- 23:48:12 - (util-cpu.c:171) <Info>
> (UtilCpuPrintSummary) -- CPUs/cores online: 4
> [25774] 26/4/2018 -- 23:48:12 - (util-device.c:297) <Config>
> (LiveBuildDeviceListCustom) -- Adding group 10 from config file
> ...
>
>
>
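As an added example (not from this thread or the Suricata project), a small Python check that parses `iptables --list -v` output and Suricata's per-group shutdown notice to confirm that packets matched by the NFLOG rule are actually being read by Suricata from that group; both samples are constructed from the listings above, with a DROP rule placed ahead of the NFLOG rule so already-blocked traffic never reaches the group.

```python
import re

# Constructed sample modelled on the `iptables --list -v` output in the thread
# (wrapped lines rejoined, a DROP rule added ahead of the NFLOG rule; counters made up).
IPTABLES_LIST_V = """\
Chain INPUT (policy ACCEPT 1253K packets, 193M bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:telnet
    2   120 NFLOG      tcp  --  any    any     anywhere             anywhere             tcp dpt:http nflog-group 10
"""
# Constructed sample of Suricata's per-group shutdown stats notice (format as in the thread).
SURICATA_LOG = """\
26/4/2018 -- 18:53:52 - <Notice> - Stats for '10':  pkts: 22, drop: 0 (0.00%), invalid chksum: 0
"""

RULE_RE = re.compile(r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<rest>.*)$")
GROUP_RE = re.compile(r"nflog-group (\d+)")
STATS_RE = re.compile(r"Stats for '(?P<group>\d+)':\s+pkts: (?P<pkts>\d+), drop: (?P<drop>\d+)")

def _count(s):
    """Convert an iptables -v counter such as '1253K' to an int."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def nflog_rules(listing):
    """Map chain name -> [(nflog group, packet counter)] for every NFLOG rule in the listing."""
    rules, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") != "NFLOG":
            continue
        g = GROUP_RE.search(m.group("rest"))
        if g:
            rules.setdefault(chain, []).append((int(g.group(1)), _count(m.group("pkts"))))
    return rules

def suricata_group_stats(log):
    """Map nflog group -> (pkts, drop) from Suricata's "Stats for 'N'" notices."""
    return {int(m["group"]): (int(m["pkts"]), int(m["drop"]))
            for m in (STATS_RE.search(line) for line in log.splitlines()) if m}

def check_group(group, listing, log):
    """Sanity check for one group: a kernel rule must feed it and Suricata must have read from it."""
    matched = [p for r in nflog_rules(listing).values() for g, p in r if g == group]
    if not matched:
        return "no iptables NFLOG rule for group %d" % group
    stats = suricata_group_stats(log).get(group)
    if stats is None:
        return "suricata reported no stats for group %d" % group
    return "ok: iptables matched %d pkts, suricata read %d (dropped %d)" % (sum(matched), stats[0], stats[1])
```

Run the check against live output with `iptables --list -v` piped in and the notices from the Suricata log; a counter that rises on the NFLOG rule while Suricata reports no stats for that group points at the capture side, not the ruleset.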