  1. #1
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28

    suricata firewall with iptables


    Hi

    I have installed the Suricata firewall with pf_ring.
    Now I want to integrate the same with iptables.

    But I am not able to find the proper document for the same.

    The Suricata log shows that the rules are loaded, but how do I verify those rules, or how do I integrate them with iptables?

    When I check iptables with

    iptables -nL it shows the iptables rules that I added, but nothing related to Suricata.

    Please guide me on the same.

  2. #2
    Linux Newbie
    Join Date
    Jan 2013
    Posts
    116
    Hi Niraj,

    After the Suricata rules have loaded successfully, you need to manually configure iptables to integrate it with Suricata. Have you done this configuration / added rules in iptables to send traffic to the Suricata firewall?

    Thanks

  3. #3
    Just Joined!
    Join Date
    Jan 2008
    Posts
    28
    Hi

    After installation I ran the following command

    /opt/PF_RING/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

    24/4/2013 -- 19:48:46 - <Info> - This is Suricata version 1.4.1 RELEASE
    24/4/2013 -- 19:48:46 - <Info> - CPUs/cores online: 1
    24/4/2013 -- 19:48:46 - <Info> - Found an MTU of 1500 for 'eth0'
    24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
    24/4/2013 -- 19:48:46 - <Info> - preallocated 65535 defrag trackers of size 152
    24/4/2013 -- 19:48:46 - <Info> - defrag memory usage: 13631336 bytes, maximum: 33554432
    24/4/2013 -- 19:48:46 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
    24/4/2013 -- 19:48:46 - <Info> - preallocated 1024 packets. Total memory 4362240
    24/4/2013 -- 19:48:46 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
    24/4/2013 -- 19:48:46 - <Info> - preallocated 1000 hosts of size 128
    24/4/2013 -- 19:48:46 - <Info> - host memory usage: 357376 bytes, maximum: 16777216
    24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
    24/4/2013 -- 19:48:46 - <Info> - preallocated 10000 flows of size 280
    24/4/2013 -- 19:48:46 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432
    24/4/2013 -- 19:48:46 - <Info> - IP reputation disabled
    24/4/2013 -- 19:48:46 - <Info> - using magic-file /usr/share/file/magic
    24/4/2013 -- 19:48:46 - <Info> - Delayed detect disabled
    24/4/2013 -- 19:48:46 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
    24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed
    24/4/2013 -- 19:49:12 - <Info> - 13042 signatures processed. 733 are IP-only rules, 4054 are inspecting packet payload, 9962 inspect application layer, 83 are decoder event only
    24/4/2013 -- 19:49:12 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
    24/4/2013 -- 19:49:13 - <Info> - building signature grouping structure, stage 2: building source address list... complete
    24/4/2013 -- 19:49:16 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
    24/4/2013 -- 19:49:17 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/opt/PF_RING/etc/suricata//threshold.config": No such file or directory
    24/4/2013 -- 19:49:17 - <Info> - Core dump size set to unlimited.
    24/4/2013 -- 19:49:17 - <Info> - fast output device (regular) initialized: fast.log
    24/4/2013 -- 19:49:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
    24/4/2013 -- 19:49:17 - <Info> - http-log output device (regular) initialized: http.log
    24/4/2013 -- 19:49:17 - <Info> - Using 1 live device(s).
    24/4/2013 -- 19:49:17 - <Info> - using interface eth0
    24/4/2013 -- 19:49:17 - <Info> - Found an MTU of 1500 for 'eth0'
    24/4/2013 -- 19:49:17 - <Info> - RunModeIdsPcapAutoFp initialised
    24/4/2013 -- 19:49:17 - <Info> - stream "max-sessions": 262144
    24/4/2013 -- 19:49:17 - <Info> - stream "prealloc-sessions": 32768
    24/4/2013 -- 19:49:17 - <Info> - stream "memcap": 33554432
    24/4/2013 -- 19:49:17 - <Info> - stream "midstream" session pickups: disabled
    24/4/2013 -- 19:49:17 - <Info> - stream "async-oneside": disabled
    24/4/2013 -- 19:49:17 - <Info> - stream "checksum-validation": enabled
    24/4/2013 -- 19:49:17 - <Info> - stream."inline": disabled
    24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "memcap": 67108864
    24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "depth": 1048576
    24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toserver-chunk-size": 2560
    24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toclient-chunk-size": 2560
    24/4/2013 -- 19:49:18 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.

    Now please suggest how to integrate these rules with iptables.

    And how can I check whether the above rules are loaded or not???

  5. #4
    Linux Newbie
    Join Date
    Jan 2013
    Posts
    116
    It seems that you have not installed Suricata with NFQ. To pass traffic to Suricata you need NFQ, so please recompile it with nfqueue and follow the URL below to integrate with iptables. https://redmine.openinfosecfoundatio...line_for_Linux

    Thanks
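    The two open questions in this thread (is the binary built with NFQ, are the rules actually loaded, and is there an iptables rule handing traffic to Suricata) can be checked from text you already have. The script below is an added example written for this thread, not code from the thread or from the Suricata project. It assumes that `suricata --build-info` prints either an "NFQueue support: yes" line or an NFQ token on its "Features:" line, and that `iptables -S` prints rules as "-A CHAIN ... -j NFQUEUE --queue-num N"; the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper checks for moving Suricata
# from the sniffing mode the log above shows (-i eth0, RunModeIdsPcapAutoFp)
# to inline mode, where iptables hands packets to Suricata through NFQUEUE
# and Suricata is started with "-q <queue>". Assumptions: the text of
# "suricata --build-info" carries a "NFQueue support: yes" line or an NFQ
# token on its "Features:" line, and "iptables -S" prints rules as
# "-A CHAIN ... -j NFQUEUE --queue-num N". Functions take text as input,
# so nothing here needs root to run.

# nfq_supported BUILD_INFO -> exit 0 if the binary was built with NFQ.
nfq_supported() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*NFQueue support:[[:space:]]*yes|^Features:.* NFQ( |$)'
}

# rules_loaded LOG -> prints "<loaded> <failed>" from the engine's summary line.
rules_loaded() {
    printf '%s\n' "$1" |
        sed -n 's/.* \([0-9][0-9]*\) rules successfully loaded, \([0-9][0-9]*\) rules failed.*/\1 \2/p' |
        tail -n 1
}

# nfqueue_rule_present IPTABLES_S QUEUE -> exit 0 if some rule already
# targets NFQUEUE queue QUEUE (this is what "iptables -nL" lacked above).
nfqueue_rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "-j NFQUEUE --queue-num $2( |\$)"
}

# nfqueue_rules IFACE QUEUE -> prints the iptables commands that send
# traffic forwarded over IFACE to queue QUEUE; run them as root.
nfqueue_rules() {
    printf 'iptables -I FORWARD -i %s -j NFQUEUE --queue-num %s\n' "$1" "$2"
    printf 'iptables -I FORWARD -o %s -j NFQUEUE --queue-num %s\n' "$1" "$2"
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_BUILD_INFO_NFQ='Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1'
SAMPLE_BUILD_INFO_NONFQ='Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1'
SAMPLE_LOG='24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed'
SAMPLE_IPTABLES_S='-P FORWARD ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -j NFQUEUE --queue-num 0'
```

    On a real box, feed the functions `"$(suricata --build-info)"`, the engine log and `"$(iptables -S)"` instead of the samples; if nfq_supported fails, the rebuild with NFQ support that the reply above asks for comes first.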
