I have Suricata 5.0.3 and I need to enable IPS mode. First, I tried the NFQ example.
iptables command: iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
suricata.yaml:
default-rule-path: /etc/suricata
rule-files:
  - test.rules
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  # bypass-mark: 1
  # bypass-mask: 1
  # route-queue: 2
  batchcount: 20
  # fail-open: yes
Other fields are default.
test.rules: pass tcp any any -> any any (content: "TEST"; msg: "TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)
Command to start suricata:
suricata -q 0 -c /etc/suricata/suricata.yaml
As a result I get:
17/9/2020 -- 12:55:34 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
17/9/2020 -- 12:55:34 - <Info> - CPUs/cores online: 12
17/9/2020 -- 12:55:34 - <Info> - NFQ running in REPEAT mode with mark 1/1
17/9/2020 -- 12:55:34 - <Info> - fast output device (regular) initialized: fast.log
17/9/2020 -- 12:55:34 - <Info> - eve-log output device (regular) initialized: eve.json
17/9/2020 -- 12:55:34 - <Info> - stats output device (regular) initialized: stats.log
17/9/2020 -- 12:55:34 - <Info> - Running in live mode, activating unix socket
17/9/2020 -- 12:55:34 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
17/9/2020 -- 12:55:34 - <Info> - Threshold config parsed: 0 rule(s) found
17/9/2020 -- 12:55:34 - <Info> - 1 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
17/9/2020 -- 12:55:34 - <Info> - binding this thread 0 to queue '0'
17/9/2020 -- 12:55:34 - <Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
17/9/2020 -- 12:55:34 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
I think that I have a problem with the iptables queue, but I'm not sure.
root@test:/etc/suricata# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
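The question's `iptables -L` only lists the filter table, so it cannot show the NFQUEUE rule, which was inserted into the mangle table (`iptables -t mangle -L PREROUTING -n -v` would). Independently of that, `nfq_create_queue` in Suricata fails when the `nfnetlink_queue` kernel module is not available, when another process has already bound the same queue number, or when Suricata lacks CAP_NET_ADMIN. The script below is an added pre-flight check written for this page; it is not from the question or from the Suricata project. It assumes the kernel's `/proc/net/netfilter/nfnetlink_queue` layout (queue number, netlink port id of the bound process, then counters) and that `iptables-save` is available; the sample `/proc` line and the sample `iptables-save` output embedded in it are constructed so the helpers can be exercised without root.

```shell
#!/bin/sh
# Pre-flight check for Suricata NFQ mode (added example, not from the question).
# Assumptions: /proc/net/netfilter/nfnetlink_queue has the columns
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
# and `iptables-save` is installed for dumping the mangle table.

# Constructed sample data (not taken from the question's host).
SAMPLE_NFQ_PROC='  0  4242  0 2 65531 0 0 1 1'
SAMPLE_IPTABLES_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT'

# Print the netlink port id of the process that has bound queue $1, reading
# /proc/net/netfilter/nfnetlink_queue from stdin. Empty output means the queue is free.
queue_bound_by() {
    awk -v q="$1" '$1 == q { print $2 }'
}

# Print the queue numbers (or --queue-balance ranges) used by NFQUEUE targets
# in the iptables table named $1, reading iptables-save output from stdin.
nfqueue_targets_in_table() {
    awk -v t="*$1" '
        $0 == t               { intab = 1; next }
        /^COMMIT/             { intab = 0 }
        intab && /-j NFQUEUE/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--queue-num" || $i == "--queue-balance") print $(i + 1)
        }'
}

# Live check for queue $1 (default 0); needs root to read the mangle table.
nfq_preflight() {
    q="${1:-0}"
    if [ ! -e /proc/net/netfilter/nfnetlink_queue ]; then
        echo "nfnetlink_queue is not available (try: modprobe nfnetlink_queue)"
        return 1
    fi
    owner=$(queue_bound_by "$q" < /proc/net/netfilter/nfnetlink_queue)
    if [ -n "$owner" ]; then
        echo "queue $q is already bound by netlink port id $owner (another Suricata or NFQ client?)"
        return 1
    fi
    if ! iptables-save -t mangle | nfqueue_targets_in_table mangle | grep -qx "$q"; then
        echo "no NFQUEUE rule for queue $q in the mangle table (plain 'iptables -L' only shows filter)"
        return 1
    fi
    echo "queue $q is free and an NFQUEUE rule exists; if it still fails, check CAP_NET_ADMIN"
}

# Demonstrate the parsers on the constructed samples.
echo "$SAMPLE_NFQ_PROC" | queue_bound_by 0
echo "$SAMPLE_IPTABLES_SAVE" | nfqueue_targets_in_table mangle

# Run the live check only when explicitly requested: NFQ_LIVE=1 NFQ_QUEUE=0 sh nfq_check.sh
if [ "${NFQ_LIVE:-0}" = 1 ]; then
    nfq_preflight "${NFQ_QUEUE:-0}"
fi
```

Run it as root with `NFQ_LIVE=1` on the Suricata host; the first message it prints names the condition to fix before retrying `suricata -q 0`.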