[Oisf-users] Re: Running Suricata in nfqueue mode - no events logged

Albert E Whale Albert.Whale at IT-Security-inc.com
Fri Mar 9 20:49:51 UTC 2018


What are you saying?  I have bridging, and tried to enable nfq. What am I missing?

Sent from my iPhone

> On Mar 9, 2018, at 3:01 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> 
> af-packet does its own bridging so you don't have to bridge at the interface level.
> 
> Leonard
> 
> 
> From: Albert Whale <Albert.Whale at IT-Security-inc.com> 
> To: <oisf-users at lists.openinfosecfoundation.org> 
> Sent: 3/9/2018 1:58 PM 
> Subject: [Oisf-users] Running Suricata in nfqueue mode - no events logged 
> 
> Ok, I have iptables confirmed and Configured.  I have Suricata set up 
> for nfq and using queue 0.
> 
> In a matter of more than 10 minutes I have had 5 messages which were 
> logged to the fast.log file.  In comparison, I have hundreds of entries 
> in 10 minutes logged while running Suricata in af-packet mode.
> 
> What makes Suricata ignore the packets in the NFQUEUE when running in 
> nfq mode?
> 
> My current nfq settings are:
> 
> nfq:
>   mode: accept
>   repeat-mark: 1
>   repeat-mask: 1
>   bypass-mark: 1
>   bypass-mask: 1
>   route-queue: 2
> #  batchcount: 20
>   fail-open: yes
> 
> I want to run in IPS mode not IDS.  Is there something that needs to be 
> changed when switching from af-packet mode to nfq that I haven't already 
> done?  Do I need to switch my mode from accept to repeat?
> 
> I have a bridged interface and I also have provisioned the iptables rules on 
> the INPUT and OUTPUT chains to forward the packets to queue 0.
> 
> I have spent a day working with Chris from the list, and we have 
> reviewed and sanctioned the network and queue processing. I need 
> assistance with configuring Suricata to enable this.  (Or do I need to 
> compile a version on this system running Ubuntu 16.04?)
> 
> Thank you all.
> 
> -- 
> 
> Albert E. Whale, CEH CHS CISA CISSP
> Email: Albert.Whale at IT-Security-inc.com
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
> 
> 
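The setup the original post describes, an inline bridge with NFQUEUE rules, as an added example that is not part of the thread and not Suricata's or the OISF's own code. It assumes a bridge named br0 and queue number 0 (neither is named in the post), and the /proc/net/netfilter/nfnetlink_queue sample it checks is constructed. The point it illustrates: frames crossing a Linux bridge traverse only the iptables FORWARD chain, and only when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1; NFQUEUE rules in INPUT and OUTPUT queue just the host's own traffic, so Suricata in nfq mode is handed very little. Note also that with `mode: accept` Suricata issues an ACCEPT verdict, and the `repeat-mark`/`repeat-mask` and `route-queue` keys only take effect in `repeat` and `route` mode respectively.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Suricata project.
# Assumptions: the bridge is br0, Suricata binds NFQUEUE 0, and the
# nfnetlink_queue sample below is constructed, not captured.
#
# On an inline bridge, frames crossing the bridge traverse only the iptables
# FORWARD chain, and only when br_netfilter is loaded and
# net.bridge.bridge-nf-call-iptables=1. Rules in INPUT and OUTPUT queue just
# the host's own traffic, so Suricata in nfq mode inspects almost nothing.

# Emit the commands that send bridged traffic to Suricata's queue. They are
# printed rather than executed so the script can be reviewed and run without
# root; --queue-bypass makes the kernel ACCEPT packets while no process is
# bound to the queue (kernel-side fail-open, distinct from Suricata's
# "fail-open: yes").
nfq_bridge_rules() {
    bridge="${1:-br0}"
    queue="${2:-0}"
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -I FORWARD -i $bridge -o $bridge -j NFQUEUE --queue-num $queue --queue-bypass
suricata -c /etc/suricata/suricata.yaml -q $queue
EOF
}

# Summarise one queue from /proc/net/netfilter/nfnetlink_queue. The columns are:
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped
#   user_dropped id_sequence 1
# A queue is listed only while a program is bound to it, so a missing line
# means Suricata is not attached to that queue (returns 1); queue_dropped
# counts packets the kernel dropped because no verdict came in time
# (returns 2); 0 means bound and healthy.
nfq_queue_status() {
    queue="$1"
    proc_text="$2"
    line=$(printf '%s\n' "$proc_text" | awk -v q="$queue" '$1 == q')
    if [ -z "$line" ]; then
        echo "queue $queue: not bound (nothing is reading this queue)"
        return 1
    fi
    set -- $line
    if [ "$6" != "0" ] || [ "$7" != "0" ]; then
        echo "queue $queue: bound, $3 waiting, $6 kernel drops, $7 userspace drops"
        return 2
    fi
    echo "queue $queue: bound, $3 waiting, $8 packet ids issued, no drops"
    return 0
}

# Constructed sample: queue 0 bound and healthy, queue 2 bound but dropping.
SAMPLE_NFQ='    0  -4423     0 2 65531     0     0   1542  1
    2  -4423    73 2 65531   210     0   9901  1'

# Run directly to see the rule set and the status of the sample queues.
nfq_bridge_rules br0 0
nfq_queue_status 0 "$SAMPLE_NFQ" || true
nfq_queue_status 2 "$SAMPLE_NFQ" || true
nfq_queue_status 7 "$SAMPLE_NFQ" || true
```

On a live box, replace the constructed sample with `"$(cat /proc/net/netfilter/nfnetlink_queue)"`: a queue that is absent means Suricata never bound it, a growing queue_dropped column means it is not keeping up (more queues with `--queue-balance`, or a larger `max-pending-packets`), and a bound, healthy queue with near-zero id_sequence while the bridge is busy points back at the iptables chain the rule lives in.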