[Oisf-users] Running Suricata in nfqueue mode - no events logged
Leonard Jacobs
ljacobs at netsecuris.com
Fri Mar 9 20:01:16 UTC 2018
af-packet does its own bridging so you don't have to bridge at the interface level.
Leonard
From: Albert Whale <Albert.Whale at IT-Security-inc.com>
To: <oisf-users at lists.openinfosecfoundation.org>
Sent: 3/9/2018 1:58 PM
Subject: [Oisf-users] Running Suricata in nfqueue mode - no events logged
Ok, I have iptables confirmed and configured. I have Suricata set up
for nfq and using queue 0.
In a matter of more than 10 minutes I have had 5 messages which were
logged to the fast.log file. In comparison, I have hundreds of entries
in 10 minutes logged while running Suricata in af-packet mode.
What makes Suricata ignore the packets in the NFQUEUE when running in
nfq mode?
My current nfq settings are:
nfq:
  mode: accept
  repeat-mark: 1
  repeat-mask: 1
  bypass-mark: 1
  bypass-mask: 1
  route-queue: 2
  # batchcount: 20
  fail-open: yes
I want to run in IPS mode not IDS. Is there something that needs to be
changed when switching from af-packet mode to nfq that I haven't already
done? Do I need to switch my mode from accept to repeat?
I have a Bridged interface and I also have provisioned the IPTables on
the INPUT and OUTPUT sections to forward the packets to queue 0.
I have spent a day working with Chris from the list, and we have
reviewed and sanctioned the network and queue processing. I need
assistance with configuring Suricata to enable this. (Or, do I need to
compile a version on this system running Ubuntu 16.04?)
Thank you all.
--
Albert E. Whale, CEH CHS CISA CISSP
Email: Albert.Whale at IT-Security-inc.com
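A diagnostic helper for the situation Albert describes (an added example, written by the editor; it is not code from the thread or from the Suricata project). Before touching the nfq settings it is worth confirming that packets actually reach queue 0 and that a listener is bound to it. The kernel exposes this in /proc/net/netfilter/nfnetlink_queue, one line per queue with the columns queue number, bound peer portid (0 when no process is attached), current backlog, copy mode, copy range, packets dropped by the kernel, packets dropped because userspace could not keep up, and the id sequence. Two things to check with it: whether queue 0 has a non-zero portid while Suricata is running, and whether queue 2 (the route-queue in the posted config) has a listener at all, since packets routed to a queue nobody has bound are dropped. A related point to verify, since the iptables rules were placed in INPUT and OUTPUT: on a Linux bridge with br_netfilter loaded, bridged frames traverse PREROUTING, FORWARD and POSTROUTING, while INPUT and OUTPUT only see traffic addressed to or originating from the host itself, which would explain a handful of events in nfq mode against hundreds in af-packet. The sample file contents below are constructed for illustration; the script reads the live file when it is readable and falls back to the sample otherwise.

```shell
#!/bin/sh
# Summarise /proc/net/netfilter/nfnetlink_queue to see whether a userspace
# listener (e.g. Suricata in nfq mode) is bound to each queue and whether
# the kernel is dropping packets queued to it.  Added example, not from the
# thread or from Suricata.
#
# Columns of that file:
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1

NFQ_STATS_FILE="${NFQ_STATS_FILE:-/proc/net/netfilter/nfnetlink_queue}"

# Constructed sample: a process is bound to queue 0 (portid 12345) and has
# fallen behind (412 user_dropped); nothing is bound to queue 2, so the
# kernel has dropped 1500 packets routed there.
SAMPLE_NFQ_STATS='    0  12345     0 2 65535     0   412     9876  1
    2      0     0 2 65535  1500     0        0  1'

# nfq_queue_field FILE QUEUE FIELDNO -> prints that column for QUEUE, or nothing
nfq_queue_field() {
    awk -v q="$2" -v f="$3" '$1 == q { print $f }' "$1"
}

# nfq_has_listener FILE QUEUE -> exit 0 if some process has bound QUEUE
nfq_has_listener() {
    pid=$(nfq_queue_field "$1" "$2" 2)
    if [ -n "$pid" ] && [ "$pid" -ne 0 ]; then
        return 0
    fi
    return 1
}

# nfq_drops FILE QUEUE -> prints "<kernel_dropped> <user_dropped>" for QUEUE
nfq_drops() {
    awk -v q="$2" '$1 == q { print $6, $7 }' "$1"
}

# nfq_report FILE -> one human-readable line per queue, with hints
nfq_report() {
    awk '{
        printf "queue %s: listener_portid=%s backlog=%s kernel_dropped=%s user_dropped=%s\n",
               $1, $2, $3, $6, $7
        if ($2 == 0)
            printf "  -> no userspace process bound; packets sent here are dropped\n"
        if ($7 > 0)
            printf "  -> user_dropped>0: listener not keeping up (slow verdicts or full socket buffer)\n"
    }' "$1"
}

# Report on the live file when readable, otherwise on the constructed sample.
if [ "${1:-}" = "--sample" ] || [ ! -r "$NFQ_STATS_FILE" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NFQ_STATS" > "$tmp"
    nfq_report "$tmp"
    rm -f "$tmp"
else
    nfq_report "$NFQ_STATS_FILE"
fi
```

Run it as root on the sensor while Suricata is up; a portid of 0 on queue 0 means Suricata never bound the queue, and a growing kernel_dropped on the route-queue means packets are being handed to a queue with no consumer.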
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/