[Oisf-users] Suricata nfqueue does not receive packets

Albert Whale Albert.Whale at IT-Security-inc.com
Thu Mar 8 20:32:35 UTC 2018


I am running Suricata 4.0.4, and attempting to run with the NFQ. I have 
AF-Packet working perfectly, but I wanted to run in IPS mode, and I 
understand that this is only available while using nfqueue.  Here's the 
Startup log information.

8/3/2018 -- 09:14:19 - <Notice> - This is Suricata version 4.0.4 RELEASE
8/3/2018 -- 09:14:19 - <Info> - CPUs/cores online: 4
8/3/2018 -- 09:14:19 - <Config> - luajit states preallocated: 128
8/3/2018 -- 09:14:19 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31625 and 'request-body-inspect-window' set to 4241 after randomization.
8/3/2018 -- 09:14:19 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 41627 and 'response-body-inspect-window' set to 16218 after randomization.
8/3/2018 -- 09:14:19 - <Config> - DNS request flood protection level: 500
8/3/2018 -- 09:14:19 - <Config> - DNS per flow memcap (state-memcap): 524288
8/3/2018 -- 09:14:19 - <Config> - DNS global memcap: 16777216
8/3/2018 -- 09:14:19 - <Config> - Protocol detection and parser disabled for modbus protocol.
8/3/2018 -- 09:14:19 - <Config> - Protocol detection and parser disabled for enip protocol.
8/3/2018 -- 09:14:19 - <Config> - Protocol detection and parser disabled for DNP3.
8/3/2018 -- 09:14:19 - <Info> - Enabling fail-open on queue
8/3/2018 -- 09:14:19 - <Info> - NFQ running in standard ACCEPT/DROP mode

iptables has been configured as such:

iptables -nL  | grep -v DROP
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0 NFQUEUE num 0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


I also have the following configuration setup for nfq:

nfq:
   mode: accept
   repeat-mark: 1
   repeat-mask: 1
   bypass-mark: 1
   bypass-mask: 1
   route-queue: 2
#  batchcount: 20
   fail-open: yes

This is running on Ubuntu:  #35~16.04.1-Ubuntu

As I mentioned, I successfully launched suricata inline (I have two 
bridged Ethernet interfaces) with af-packet, but I do not see it 
behaving as a true IPS, and while the nfq appears to launch, it is NOT 
processing any packets in the logs.

Any suggestions where to look next?


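Two places to look that the startup log above does not show, as an added shell helper that is not from the original post: the packet counter on the NFQUEUE rule (`iptables -vnL FORWARD`) and the kernel's queue table (`/proc/net/netfilter/nfnetlink_queue`). The sample_* inputs are constructed; the bridge hint assumes a Linux bridge, where forwarded frames only reach iptables FORWARD when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1.

```sh
# Added helper, not from the original post: read the two places an NFQ
# setup can silently fail and print one verdict. sample_* are constructed.
# Packet count of the first NFQUEUE rule in `iptables -vnL <chain>` output
# on stdin, or "none" if the chain has no NFQUEUE rule at all.
nfqueue_rule_packets() {
    awk '$3 == "NFQUEUE" { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# "bound" if queue $1 has a row in /proc/net/netfilter/nfnetlink_queue read
# from stdin (columns: queue_num peer_portid queue_total copy_mode copy_range
# queue_dropped user_dropped id_sequence 1), else "unbound".
nfqueue_binding() {
    awk -v q="$1" '$1 == q { print "bound"; found = 1; exit }
                   END { if (!found) print "unbound" }'
}
# Combine both observations into a verdict token followed by a hint.
nfq_diagnose() {
    pkts="$1"; binding="$2"
    if [ "$pkts" = "none" ]; then
        echo "no-rule: chain has no NFQUEUE target"
    elif [ "$binding" = "unbound" ]; then
        echo "no-listener: nothing is attached to the queue, so suricata never bound it"
    elif [ "$pkts" -eq 0 ]; then
        echo "rule-unmatched: traffic never hits FORWARD; on a bridge load br_netfilter and set net.bridge.bridge-nf-call-iptables=1"
    else
        echo "ok: $pkts packets have been queued"
    fi
}

# Live run on the real box (needs root); not exercised by the tests.
nfq_check_live() {
    nfq_diagnose "$(iptables -vnL FORWARD | nfqueue_rule_packets)" \
                 "$(nfqueue_binding 0 < /proc/net/netfilter/nfnetlink_queue)"
}

# Constructed sample: the poster's FORWARD chain, with verbose counters.
sample_forward_chain() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
EOF
}

# Constructed sample: queue 0 bound by one process (portid 4321), nothing queued yet.
sample_nfnetlink_queue() {
    printf '%s\n' '    0  4321     0 2 65531     0     0        0  1'
}
```

Run `nfq_check_live` on the sensor; a zero counter with a bound queue means the rule exists but the bridged traffic is not passing through the FORWARD chain at all.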