How to resolve [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed at IPS Suricata

I have Suricata 5.0.3 and I need to enable IPS mode. At first, I tried the NFQ example.

iptables command: iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0

suricata.yaml:

default-rule-path: /etc/suricata

rule-files:
  - test.rules

nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
#  bypass-mark: 1
#  bypass-mask: 1
#  route-queue: 2
  batchcount: 20
#  fail-open: yes

Other fields are default.

test.rules: pass tcp any any -> any any (content: "TEST"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)

Command to start suricata: suricata -q 0 -c /etc/suricata/suricata.yaml

As a result I got:

17/9/2020 -- 12:55:34 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
17/9/2020 -- 12:55:34 - <Info> - CPUs/cores online: 12
17/9/2020 -- 12:55:34 - <Info> - NFQ running in REPEAT mode with mark 1/1
17/9/2020 -- 12:55:34 - <Info> - fast output device (regular) initialized: fast.log
17/9/2020 -- 12:55:34 - <Info> - eve-log output device (regular) initialized: eve.json
17/9/2020 -- 12:55:34 - <Info> - stats output device (regular) initialized: stats.log
17/9/2020 -- 12:55:34 - <Info> - Running in live mode, activating unix socket
17/9/2020 -- 12:55:34 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
17/9/2020 -- 12:55:34 - <Info> - Threshold config parsed: 0 rule(s) found
17/9/2020 -- 12:55:34 - <Info> - 1 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
17/9/2020 -- 12:55:34 - <Info> - binding this thread 0 to queue '0'
17/9/2020 -- 12:55:34 - <Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
17/9/2020 -- 12:55:34 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize

I think that I have a problem with the iptables queue, but I'm not sure.

root@test:/etc/suricata# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
asked on Stack Overflow Sep 17, 2020 by RAGDKED
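
Two checks the post leaves open, as an added example that is not part of the original question: whether a process is already bound to queue 0 (the kernel lists bound queues in /proc/net/netfilter/nfnetlink_queue), and whether the NFQUEUE rule is present in the mangle table, which a bare `iptables -L` does not show because it lists only the filter table. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example; function names and sample data are constructed.

# queue_owner QUEUE_NUM  (reads /proc/net/netfilter/nfnetlink_queue on stdin)
# Prints the netlink port id (normally the listener's PID) bound to the queue.
# Exit status 1 means no process is bound to it.
queue_owner() {
    awk -v q="$1" '$1 == q { print $2; found = 1 } END { exit !found }'
}

# nfqueue_rules QUEUE_NUM  (reads `iptables-save` output on stdin)
# Prints "table: rule" for every rule that targets the given queue.
nfqueue_rules() {
    awk -v q="$1" '
        /^\*/ { table = substr($0, 2) }   # a "*mangle" line opens a table
        /-j NFQUEUE/ {
            for (i = 1; i < NF; i++)
                if ($i == "--queue-num" && $(i + 1) == q)
                    print table ": " $0
        }'
}

# Constructed sample: queue 0 is already held by netlink port id 1432.
SAMPLE_PROC='    0   1432     0  2 65531     0     0        0  1'

# Constructed sample of iptables-save output with the rule from the question.
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT'

# Demonstration on the constructed samples.
if owner=$(printf '%s\n' "$SAMPLE_PROC" | queue_owner 0); then
    echo "queue 0 is already bound by netlink port id $owner"
else
    echo "queue 0 is free"
fi
printf '%s\n' "$SAMPLE_SAVE" | nfqueue_rules 0

# Live use, as root:
#   queue_owner 0 < /proc/net/netfilter/nfnetlink_queue
#   iptables-save | nfqueue_rules 0
```

A port id printed by `queue_owner` before Suricata starts means another listener (for example a leftover Suricata instance) holds the queue; an empty result from `nfqueue_rules` means no rule is feeding it.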
