[Oisf-users] Running Suricata in nfqueue mode - no events logged

Leonard Jacobs ljacobs at netsecuris.com
Fri Mar 9 20:01:16 UTC 2018


af-packet does its own bridging so you don't have to bridge at the interface level.

Leonard



From: Albert Whale <Albert.Whale at IT-Security-inc.com>
To: <oisf-users at lists.openinfosecfoundation.org>
Sent: 3/9/2018 1:58 PM
Subject: [Oisf-users] Running Suricata in nfqueue mode - no events logged

Ok, I have iptables confirmed and configured.  I have Suricata set up 
for nfq and using queue 0.

In a matter of more than 10 minutes I have had 5 messages which were 
logged to the fast.log file.  In comparison, I have hundreds of entries 
in 10 minutes logged while running Suricata in af-packet mode.

What makes Suricata ignore the packets in the NFQUEUE when running in 
nfq mode?

My current nfq settings are:

nfq:
   mode: accept
   repeat-mark: 1
   repeat-mask: 1
   bypass-mark: 1
   bypass-mask: 1
   route-queue: 2
#  batchcount: 20
   fail-open: yes

I want to run in IPS mode not IDS.  Is there something that needs to be 
changed when switching from af-packet mode to nfq that I haven't already 
done?  Do I need to switch my mode from accept to repeat?

I have a Bridged interface and I also have provisioned the IPTables on 
the INPUT and OUTPUT sections to forward the packets to queue 0.

I have spent a day working with Chris from the list, and we have 
reviewed and sanctioned the network and queue processing.  I need 
assistance with configuring Suricata to enable this.  (Or, do I need to 
compile a version on this system running Ubuntu 16.04?)

Thank you all.

-- 

Albert E. Whale, CEH CHS CISA CISSP
Email: Albert.Whale at IT-Security-inc.com

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
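The thread turns on whether packets actually reach queue 0, and the quickest check is the packet counters on the NFQUEUE rules themselves: `iptables -vnL` shows, per chain, how many packets each rule has matched. One detail matters for a bridged setup: when br_netfilter is active, frames crossing the bridge traverse the FORWARD chain, while INPUT and OUTPUT only see traffic addressed to or originating from the host itself, so an NFQUEUE rule in INPUT/OUTPUT alone can leave bridged traffic unqueued. The script below is an added example, not code from this thread or from the Suricata project; it parses `iptables -vnL` output (here a constructed sample with made-up counters and interface names) and reports which chains queue to a given queue number and which do not.

```python
"""Check which iptables chains actually send packets to a given NFQUEUE number.

Added example; the counters, interface names and chain layout in SAMPLE_IPTABLES
are constructed for illustration and do not come from the mailing-list thread.
Run on a real host with:  iptables -vnL | python3 this_script.py  (reads stdin if piped)
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `iptables -vnL` output: queue 0 is referenced from INPUT and
# OUTPUT only, while the bridged traffic (br0 -> br0) flows through FORWARD unqueued.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   320 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8421 6430K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   128 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""

# iptables abbreviates large counters with K/M/G suffixes in -vnL output.
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token: str) -> int:
    """Turn a counter such as '8421' or '6430K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    in_if: str
    out_if: str
    queue: Optional[int]  # NFQUEUE number when target is NFQUEUE, else None


def parse_iptables(text: str) -> List[Rule]:
    """Parse `iptables -vnL` output into Rule records (one per rule line)."""
    rules: List[Rule] = []
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain FORWARD (policy ...)" -> FORWARD
            continue
        fields = line.split()
        # Skip blank lines and the column-header line; rule lines have >= 9 columns.
        if len(fields) < 9 or fields[0] == "pkts" or chain is None:
            continue
        queue = None
        if fields[2] == "NFQUEUE":
            m = re.search(r"NFQUEUE num (\d+)", line)   # "NFQUEUE num 0 [bypass]"
            queue = int(m.group(1)) if m else None
        rules.append(Rule(chain, parse_count(fields[0]), fields[2],
                          fields[5], fields[6], queue))
    return rules


def queue_coverage(rules: List[Rule], queue_num: int = 0,
                   chains: Tuple[str, ...] = ("INPUT", "FORWARD", "OUTPUT")
                   ) -> Tuple[Dict[str, int], List[str]]:
    """Return (packets matched per chain by rules for queue_num, chains with no such rule)."""
    queued: Dict[str, int] = {}
    for r in rules:
        if r.target == "NFQUEUE" and r.queue == queue_num:
            queued[r.chain] = queued.get(r.chain, 0) + r.pkts
    missing = [c for c in chains if c not in queued]
    return queued, missing


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES
    rules = parse_iptables(text)
    queued, missing = queue_coverage(rules, queue_num=0)
    for chain, pkts in queued.items():
        print(f"{chain}: {pkts} packets sent to NFQUEUE 0")
    for chain in missing:
        print(f"{chain}: no NFQUEUE 0 rule (traffic in this chain is not inspected)")
```

On the constructed sample the report shows only a handful of packets reaching queue 0 from INPUT and OUTPUT while FORWARD, where the bridged traffic is counted, has no queue rule at all; on a real host, comparing these counters with the rate of fast.log entries shows whether the gap is in the iptables layout or in Suricata's handling of the queue.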
