[Oisf-users] Suricata NFQ in PREROUTING chain

Pavel Stepanov rif.nsk at gmail.com
Tue May 28 02:06:39 UTC 2019

It is a default router setup, except this (for debugging):

  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes     # enable this for extended logging information
  - tls-log:
      enabled: yes  # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      extended: yes     # Log extended information like fingerprint
      session-resumption: yes

and this

  mode: repeat
  repeat-mark: 1
  repeat-mask: 1

When I do
iptables -t mangle -F ; iptables -t mangle -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
/var/log/suricata/tls.log and /var/log/suricata/http.log shows all http and tls traffic normally.
But when I do
iptables -t mangle -F ; iptables -t mangle -A PREROUTING -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
/var/log/suricata/tls.log and /var/log/suricata/http.log stops show anything anymore.

Howewer, detecting and blocking simple ip and icmp protocols works as usual.

Suricata is suricata-4.1.4-1.fc29.x86_64 from "Copr repo for suricata-stable owned by jasonish". 
Command line arguments is /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0
Kernel is 5.0.17-200.fc29.x86_64
OS is Fedora 29
Regards, Pavel

-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Andreas Herz
Sent: Tuesday, May 28, 2019 3:42 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata NFQ in PREROUTING chain


On 27/05/19 at 14:23, Pavel Stepanov wrote:
> Hi all!
> I am testing IPS mode and discovered an issue:
> Suricata can not detect TLS and HTTP in PREROUTING chain in mangle 
> table. In FORWARD chain all works as expected.
> But I want to use PREROUTING because I need suricata's nfq marks 
> _before_ routing decision in kernel.

Can you share us more details about your setup and how you did configure this?

Andreas Herz
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/

More information about the Oisf-users mailing list