Project

General

Profile

Actions
Copy link

Support #2135

closed

Suricata IPS Inline on a bridge not working

Added by Fuad Kamal over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Affected Versions:
Label:

Description

Hi,
I have installed Suricata 3 on Ubuntu 16.04
I followed the instructions in :
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
also, same instructions in :
https://taosecurity.blogspot.com.eg/2014/01/suricata-20beta2-lsb_release -aas-ips-on-ubuntu-1204.html

Bridge is working fine.
I tested both scenarios, Host, and forward_ing as per first link.

- Host Scenario, both alert and drop work fine on the Bridge machine.
I use :
sudo iptables -A INPUT -j NFQUEUE
sudo iptables -A OUTPUT -j NFQUEUE
sudo suricata -c /etc/suricata/suricata.yaml.1 -q 0
and ymal file has nfq as accept

forward_ing scenario, alert works from remote PC, but drop does not. That means that bridge and NFQUEUE are both working fine.
I use :
sudo iptables -I FORWARD -j NFQUEUE
sudo suricata -c /etc/suricata/suricata.yaml.1 -q 0
and ymal file has nfq as accept

If I run suricata as below, I get [wdrop] in forward_ing mode :
sudo iptables -A OUTPUT -j NFQUEUE -o bridge0

I can not find why packets are not dropped in forward_ing scenario using NFQ, while alert is working fine.
Attached is the yaml configuration file I use.

Regards,
Fuad

Files

suricata.yaml.1 (60.9 KB) suricata.yaml.1 Fuad Kamal, 06/07/2017 03:18 PM
Actions
Copy link

Also available in: Atom PDF