LinuxQuestions.org

Linux - Security: suricata integrate with iptables (https://www.linuxquestions.org/questions/linux-security-4/suricata-integrate-with-iptables-4175459379/)

niraj.vara 04-24-2013 12:39 AM

suricata integrate with iptables
 
I have installed the suricata firewall with pf_ring.
Now I want to integrate the same with iptables.

But I am not able to get the proper document for the same.

The suricata log shows the rules are loaded, but how do I verify those rules, or how do I integrate with iptables?

When I check in iptables with

iptables -nL, it's showing the iptables rules that I added but not showing anything related to suricata.

Please guide for the same.

unSpawn 04-24-2013 01:34 AM

Start by confirming you've read any relevant documentation (https://github.com/inliniac/suricata..._for_Linux.txt (http://home.regit.org/2011/04/some-n...cata-1-1beta2/, https://home.regit.org/2011/01/build...liant-ruleset/), https://redmine.openinfosecfoundatio...line_for_Linux), explain how you set up Suricata, post relevant commands and show where (you think) it fails?

niraj.vara 04-24-2013 04:08 AM

Hi

I have installed the suricata with PF_RING
[root@localhost ~]# /opt/PF_RING/bin/suricata --build-info
This is Suricata version 1.4.1 RELEASE
Features: LIBPCAP_VERSION_MAJOR=0 PF_RING HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
64-bits, Little-endian architecture
GCC version 4.1.2 20080704 (Red Hat 4.1.2-54), C version 199901
compiled with libhtp 0.2.12, linked against 0.2.12
Suricata Configuration:
AF_PACKET support: no
PF_RING support: yes
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no

libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no

Suricatasc install: yes

Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no

Generic build parameters:
Installation prefix (--prefix): /opt/PF_RING
Configuration directory (--sysconfdir): /opt/PF_RING/etc/suricata/
Log directory (--localstatedir) : /opt/PF_RING/var/log/suricata/

Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no


Then I run the command below to start suricata:

/opt/PF_RING/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

24/4/2013 -- 19:48:46 - <Info> - This is Suricata version 1.4.1 RELEASE
24/4/2013 -- 19:48:46 - <Info> - CPUs/cores online: 1
24/4/2013 -- 19:48:46 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 65535 defrag trackers of size 152
24/4/2013 -- 19:48:46 - <Info> - defrag memory usage: 13631336 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
24/4/2013 -- 19:48:46 - <Info> - preallocated 1024 packets. Total memory 4362240
24/4/2013 -- 19:48:46 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 1000 hosts of size 128
24/4/2013 -- 19:48:46 - <Info> - host memory usage: 357376 bytes, maximum: 16777216
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 10000 flows of size 280
24/4/2013 -- 19:48:46 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - IP reputation disabled
24/4/2013 -- 19:48:46 - <Info> - using magic-file /usr/share/file/magic
24/4/2013 -- 19:48:46 - <Info> - Delayed detect disabled
24/4/2013 -- 19:48:46 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed
24/4/2013 -- 19:49:12 - <Info> - 13042 signatures processed. 733 are IP-only rules, 4054 are inspecting packet payload, 9962 inspect application layer, 83 are decoder event only
24/4/2013 -- 19:49:12 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
24/4/2013 -- 19:49:13 - <Info> - building signature grouping structure, stage 2: building source address list... complete
24/4/2013 -- 19:49:16 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
24/4/2013 -- 19:49:17 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/opt/PF_RING/etc/suricata//threshold.config": No such file or directory
24/4/2013 -- 19:49:17 - <Info> - Core dump size set to unlimited.
24/4/2013 -- 19:49:17 - <Info> - fast output device (regular) initialized: fast.log
24/4/2013 -- 19:49:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/4/2013 -- 19:49:17 - <Info> - http-log output device (regular) initialized: http.log
24/4/2013 -- 19:49:17 - <Info> - Using 1 live device(s).
24/4/2013 -- 19:49:17 - <Info> - using interface eth0
24/4/2013 -- 19:49:17 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:49:17 - <Info> - RunModeIdsPcapAutoFp initialised
24/4/2013 -- 19:49:17 - <Info> - stream "max-sessions": 262144
24/4/2013 -- 19:49:17 - <Info> - stream "prealloc-sessions": 32768
24/4/2013 -- 19:49:17 - <Info> - stream "memcap": 33554432
24/4/2013 -- 19:49:17 - <Info> - stream "midstream" session pickups: disabled
24/4/2013 -- 19:49:17 - <Info> - stream "async-oneside": disabled
24/4/2013 -- 19:49:17 - <Info> - stream "checksum-validation": enabled
24/4/2013 -- 19:49:17 - <Info> - stream."inline": disabled
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "memcap": 67108864
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "depth": 1048576
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toserver-chunk-size": 2560
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toclient-chunk-size": 2560
24/4/2013 -- 19:49:18 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.

Now please suggest how to integrate these rules with iptables.

And how can I check whether the above rules are loaded or not?

unSpawn 04-24-2013 04:32 PM

Quote:

Originally Posted by niraj.vara (Post 4937843)
Now Please suggest how to integrate this rules with iptables.

You will please read suricata-.*/doc/Setting_up_IPSinline_for_Linux.txt
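The IPS-inline document unSpawn refers to puts Suricata behind iptables through the NFQUEUE target, which only works when the binary was built with NFQueue support; the --build-info quoted earlier in the thread reports "NFQueue support: no", and the startup log already answers the "are the rules loaded" question with its "rules successfully loaded" line. The following script is an added example, not from the thread or the Suricata project, that checks both from the command output; the sample inputs are constructed from the lines quoted above, and the NFQUEUE/-q usage in the comments assumes a rebuild with --enable-nfqueue.

```shell
#!/bin/sh
# Added example (not from the thread): decide from "suricata --build-info"
# whether this build can receive packets from iptables via NFQUEUE, and read
# the loaded-rule count from the startup log. Inputs are constructed samples
# taken from the output quoted in the thread.

# Returns 0 when the build-info text reports NFQueue support, 1 otherwise.
nfq_supported() {
    printf '%s\n' "$1" | grep -q '^NFQueue support: *yes$'
}

# Prints the number of rules the startup log says loaded successfully
# (prints 0 when the log has no such line, e.g. it never reached that stage).
rules_loaded() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/.* \([0-9][0-9]*\) rules successfully loaded.*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Constructed sample: the relevant lines of the poster's --build-info output.
SAMPLE_BUILD_INFO='This is Suricata version 1.4.1 RELEASE
AF_PACKET support: no
PF_RING support: yes
NFQueue support: no'

# Constructed sample: the rule-loading line from the poster's startup log.
SAMPLE_LOG='24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed'

if nfq_supported "$SAMPLE_BUILD_INFO"; then
    echo "NFQueue support present: iptables can hand packets to Suricata"
    # Inline mode then pairs an NFQUEUE rule with Suricata listening on that queue:
    #   iptables -I FORWARD -j NFQUEUE --queue-num 0
    #   suricata -c /etc/suricata/suricata.yaml -q 0
else
    echo "NFQueue support missing: rebuild Suricata with --enable-nfqueue first"
fi
echo "rules loaded per startup log: $(rules_loaded "$SAMPLE_LOG")"

# On a live host, replace the samples with the real output:
#   nfq_supported "$(suricata --build-info)"
```

A PF_RING build such as the one in the thread can only sniff (IDS mode); whatever iptables -nL shows is unrelated to Suricata until an NFQUEUE rule exists and Suricata is started with -q.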

