[Oisf-users] Suricata nfqueue does not receive packets

Chris Boley ilgtech75 at gmail.com
Thu Mar 8 22:06:14 UTC 2018


Sorry I replied directly the first time.
Are the frames crossing the bridge tagged with VLAN IDs?

On Thu, Mar 8, 2018 at 3:33 PM Albert Whale <Albert.Whale at it-security-inc.com> wrote:

> I am running Suricata 4.0.4, and attempting to run with the NFQ. I have
> AF-Packet working perfectly, but I wanted to run in IPS mode, and I
> understand that this is only available while using nfqueue.  Here's the
> Startup log information.
>
> 8/3/2018 -- 09:14:19 - <Notice> - This is Suricata version 4.0.4 RELEASE
> 8/3/2018 -- 09:14:19 - <Info> - CPUs/cores online: 4
> 8/3/2018 -- 09:14:19 - <Config> - luajit states preallocated: 128
> 8/3/2018 -- 09:14:19 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 31625 and 'request-body-inspect-window' set to 4241 after randomization.
> 8/3/2018 -- 09:14:19 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 41627 and 'response-body-inspect-window' set to 16218 after randomization.
> 8/3/2018 -- 09:14:19 - <Config> - DNS request flood protection level: 500
> 8/3/2018 -- 09:14:19 - <Config> - DNS per flow memcap (state-memcap): 524288
> 8/3/2018 -- 09:14:19 - <Config> - DNS global memcap: 16777216
> 8/3/2018 -- 09:14:19 - <Config> - Protocol detection and parser disabled for modbus protocol.
> 8/3/2018 -- 09:14:19 - <Config> - Protocol detection and parser disabled for enip protocol.
> 8/3/2018 -- 09:14:19 - <Config> - Protocol detection and parser disabled for DNP3.
> 8/3/2018 -- 09:14:19 - <Info> - Enabling fail-open on queue
> 8/3/2018 -- 09:14:19 - <Info> - NFQ running in standard ACCEPT/DROP mode
>
> The IPTables has been configured as such:
>
> iptables -nL  | grep -v DROP
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0 NFQUEUE num 0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> I also have the following configuration setup for nfq:
>
> nfq:
>    mode: accept
>    repeat-mark: 1
>    repeat-mask: 1
>    bypass-mark: 1
>    bypass-mask: 1
>    route-queue: 2
> #  batchcount: 20
>    fail-open: yes
>
> This is running on Ubuntu:  #35~16.04.1-Ubuntu
>
> As I mentioned, I successfully launched suricata inline (I have two
> bridged Ethernet interfaces) with af-packet, but I do not see it
> behaving as a True IPS, and while the nfq appears to launch, it is NOT
> processing any packets in the logs.
>
> Any suggestions where to look next?
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
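The quoted setup (NFQUEUE rule on the FORWARD chain of a host with two bridged interfaces, Suricata's nfq loop seeing nothing) and Chris's VLAN question both hinge on whether bridged frames are handed to iptables at all. The shell check below is an added example, not code from this thread or from the Suricata project; it assumes the br_netfilter sysctls under /proc/sys/net/bridge (bridge-nf-call-iptables, bridge-nf-filter-vlan-tagged), and the SYSCTL_ROOT variable and function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic for a Linux bridge feeding NFQUEUE on FORWARD.
# Bridged IPv4 only reaches the iptables FORWARD chain when the
# br_netfilter module is loaded and bridge-nf-call-iptables is 1;
# 802.1Q-tagged frames additionally need bridge-nf-filter-vlan-tagged=1.
# SYSCTL_ROOT (example's own variable) allows running against a
# constructed directory tree instead of the live /proc.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/bridge}"

# read_bridge_sysctl NAME -> prints the value, or "missing" when the
# file is absent (the whole directory is absent if br_netfilter is unloaded).
read_bridge_sysctl() {
    f="$SYSCTL_ROOT/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# check_bridge_nf VLAN_TAGGED(yes|no) -> one finding per line; returns 0
# only when nothing prevents bridged traffic from reaching iptables.
check_bridge_nf() {
    rc=0
    v=$(read_bridge_sysctl bridge-nf-call-iptables)
    if [ "$v" = "missing" ]; then
        echo "br_netfilter not loaded: bridged IPv4 never reaches the FORWARD chain"
        return 1
    fi
    if [ "$v" != "1" ]; then
        echo "bridge-nf-call-iptables=$v: bridged IPv4 bypasses iptables"
        rc=1
    fi
    if [ "$1" = "yes" ]; then
        v=$(read_bridge_sysctl bridge-nf-filter-vlan-tagged)
        if [ "$v" != "1" ]; then
            echo "bridge-nf-filter-vlan-tagged=$v: 802.1Q frames skip iptables"
            rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "bridge netfilter sysctls let FORWARD/NFQUEUE see bridged traffic"
    return "$rc"
}

# nfqueue_rule_hits OUTPUT -> packet counter of the first NFQUEUE rule in
# `iptables -nvxL FORWARD` output (0 when no such rule is listed).
# A counter that stays at 0 while traffic crosses the bridge means the
# frames never reach the rule, regardless of the nfq: settings in suricata.yaml.
nfqueue_rule_hits() {
    printf '%s\n' "$1" | awk '/NFQUEUE/ { print $1; found = 1; exit } END { if (!found) print 0 }'
}
```

Run `check_bridge_nf yes` on the bridge host when the trunk carries tagged frames, and compare `nfqueue_rule_hits "$(iptables -nvxL FORWARD)"` before and after generating traffic across the bridge.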