suricata firewall integrate with iptables


niraj vara

Apr 24, 2013, 2:02:11 AM
to vglug

I have installed the Suricata firewall with PF_RING on CentOS 5.6. Now I want to integrate the same with iptables.

But I am not able to get the proper document for the same.

The Suricata log shows that the rules are loaded, but how do I verify the rules, or how do I integrate it with iptables?

When I check in iptables,

iptables -nL   it is showing the iptables rules that I added but not showing anything related to Suricata.

Please guide for the same.


--
Niraj M. Vara
Linux Administrator
Mavenvista Pvt. Ltd.
Mobile : 8000977677

"DON'T TELL ME THE SKY IS THE LIMIT, THERE ARE FOOTPRINTS ON THE MOON"

nehal dattani

Apr 24, 2013, 5:33:47 AM
to vg...@googlegroups.com

--
The production of too many useful things results in too many useless people.

With best regards,
Nehal Dattani

niraj vara

Apr 24, 2013, 6:33:27 AM
to vglug
Hi,

I had checked the same, but it is for NFQueue, and I have installed Suricata with PF_RING. I think both are different.


[root@localhost ~]# /opt/PF_RING/bin/suricata --build-info
This is Suricata version 1.4.1 RELEASE
Features: LIBPCAP_VERSION_MAJOR=0 PF_RING HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
64-bits, Little-endian architecture
GCC version 4.1.2 20080704 (Red Hat 4.1.2-54), C version 199901
compiled with libhtp 0.2.12, linked against 0.2.12
Suricata Configuration:
AF_PACKET support: no
PF_RING support: yes
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no

libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no

Suricatasc install: yes

Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no

Generic build parameters:
Installation prefix (--prefix): /opt/PF_RING
Configuration directory (--sysconfdir): /opt/PF_RING/etc/suricata/
Log directory (--localstatedir) : /opt/PF_RING/var/log/suricata/

Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no


Then I run the below command to start Suricata:

/opt/PF_RING/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

24/4/2013 -- 19:48:46 - <Info> - This is Suricata version 1.4.1 RELEASE
24/4/2013 -- 19:48:46 - <Info> - CPUs/cores online: 1
24/4/2013 -- 19:48:46 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 65535 defrag trackers of size 152
24/4/2013 -- 19:48:46 - <Info> - defrag memory usage: 13631336 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
24/4/2013 -- 19:48:46 - <Info> - preallocated 1024 packets. Total memory 4362240
24/4/2013 -- 19:48:46 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 1000 hosts of size 128
24/4/2013 -- 19:48:46 - <Info> - host memory usage: 357376 bytes, maximum: 16777216
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 10000 flows of size 280
24/4/2013 -- 19:48:46 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - IP reputation disabled
24/4/2013 -- 19:48:46 - <Info> - using magic-file /usr/share/file/magic
24/4/2013 -- 19:48:46 - <Info> - Delayed detect disabled
24/4/2013 -- 19:48:46 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed
24/4/2013 -- 19:49:12 - <Info> - 13042 signatures processed. 733 are IP-only rules, 4054 are inspecting packet payload, 9962 inspect application layer, 83 are decoder event only
24/4/2013 -- 19:49:12 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
24/4/2013 -- 19:49:13 - <Info> - building signature grouping structure, stage 2: building source address list... complete
24/4/2013 -- 19:49:16 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
24/4/2013 -- 19:49:17 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/opt/PF_RING/etc/suricata//threshold.config": No such file or directory
24/4/2013 -- 19:49:17 - <Info> - Core dump size set to unlimited.
24/4/2013 -- 19:49:17 - <Info> - fast output device (regular) initialized: fast.log
24/4/2013 -- 19:49:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/4/2013 -- 19:49:17 - <Info> - http-log output device (regular) initialized: http.log
24/4/2013 -- 19:49:17 - <Info> - Using 1 live device(s).
24/4/2013 -- 19:49:17 - <Info> - using interface eth0
24/4/2013 -- 19:49:17 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:49:17 - <Info> - RunModeIdsPcapAutoFp initialised
4/4/2013 -- 19:49:17 - <Info> - stream "max-sessions": 262144
24/4/2013 -- 19:49:17 - <Info> - stream "prealloc-sessions": 32768
24/4/2013 -- 19:49:17 - <Info> - stream "memcap": 33554432
24/4/2013 -- 19:49:17 - <Info> - stream "midstream" session pickups: disabled
24/4/2013 -- 19:49:17 - <Info> - stream "async-oneside": disabled
24/4/2013 -- 19:49:17 - <Info> - stream "checksum-validation": enabled
24/4/2013 -- 19:49:17 - <Info> - stream."inline": disabled
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "memcap": 67108864
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "depth": 1048576
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toserver-chunk-size": 2560
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toclient-chunk-size": 2560
24/4/2013 -- 19:49:18 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.



The above command shows that the rules are loaded, but I was not able to integrate it with the firewall.

nehal dattani

Apr 24, 2013, 8:59:53 PM
to vg...@googlegroups.com
Hi,

> I had checked the same, but it is for NFQueue, and I have installed Suricata with PF_RING. I think both are different.


Of course both are different. But the real question is: what made you install Suricata with PF_RING support and not with NF_QUEUE support?

Please see these lines from the same URL I had given previously.

"In this guide will be explained how to work with Suricata in inline mode and how to set iptables for that purpose.

First start with compiling Suricata with NFQ support. For instructions see Ubuntu Installation.
For more information about NFQ and iptables, see suricata.yaml."



It says: "First start with compiling Suricata with NFQ support."

Please try the instructions given in the document and let me know if you still have a problem.

--
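The check and the commands this reply points at, as an added example that is not part of the thread or of the Suricata project's own documentation: a POSIX shell script that reads `suricata --build-info` output (the build quoted earlier in the thread reports "NFQueue support: no"), refuses to go further unless NFQueue support is present, and otherwise prints the iptables NFQUEUE rules and the `suricata -q` invocation for inline mode. The function names, the gateway/host split and the queue number are my choices; the sample build-info text is constructed from the lines quoted above in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: (1) confirm that a Suricata build has
# NFQueue support before attempting inline mode, and (2) emit the iptables and
# suricata commands that hand packets to an NFQUEUE. Function names are mine.

# nfq_supported TEXT
# TEXT is the output of `suricata --build-info`; succeed only if it reports
# "NFQueue support: yes". The build quoted in the thread reports "no", which
# is why `iptables -nL` there never shows anything related to Suricata.
nfq_supported() {
    printf '%s\n' "$1" | grep -q '^NFQueue support: yes'
}

# inline_iptables_rules MODE [QUEUE]
# MODE is "gateway" (Suricata sits between two interfaces, so traffic passes
# the FORWARD chain) or "host" (Suricata protects the box itself, so INPUT
# and OUTPUT are queued). The commands are printed rather than executed so
# they can be reviewed first; pipe to sh as root to apply them.
inline_iptables_rules() {
    mode=$1
    queue=${2:-0}
    case "$mode" in
        gateway)
            printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s\n' "$queue"
            ;;
        host)
            printf 'iptables -I INPUT -j NFQUEUE --queue-num %s\n' "$queue"
            printf 'iptables -I OUTPUT -j NFQUEUE --queue-num %s\n' "$queue"
            ;;
        *)
            echo "unknown mode: $mode (use gateway or host)" >&2
            return 1
            ;;
    esac
}

# suricata_inline_cmd CONFIG [QUEUE]
# The suricata invocation for inline mode: -q binds to the NFQUEUE number and
# replaces the `-i eth0` used for passive PF_RING/pcap sniffing.
suricata_inline_cmd() {
    printf 'suricata -c %s -q %s\n' "$1" "${2:-0}"
}

# Constructed sample: the relevant lines of the build-info output quoted in
# the thread (PF_RING build, no NFQueue).
SAMPLE_BUILD_INFO='Suricata Configuration:
AF_PACKET support: no
PF_RING support: yes
NFQueue support: no'

if nfq_supported "$SAMPLE_BUILD_INFO"; then
    echo "NFQueue support present; commands to run as root:"
    inline_iptables_rules gateway 0
    suricata_inline_cmd /etc/suricata/suricata.yaml 0
else
    echo "NFQueue support missing: rebuild with ./configure --enable-nfqueue" >&2
fi
```

Run as-is, the script reports the diagnosis for the thread's build. A passive PF_RING capture only copies packets off the interface, so iptables has no reason to show anything about Suricata; with the NFQUEUE target in place, `iptables -nL` lists that target and Suricata's verdict decides whether each queued packet is accepted or dropped. On iptables 1.4.11 and later, adding `--queue-bypass` to the NFQUEUE rule lets traffic continue if no process is bound to the queue, which avoids a self-inflicted outage when Suricata is stopped; the iptables shipped with CentOS 5 predates that option, so there a missing Suricata means the queued packets are dropped.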