LinuxQuestions.org
04-24-2013, 01:39 AM   #1
niraj.vara (LQ Newbie)

Suricata integrate with iptables


I have installed the Suricata firewall with PF_RING.
Now I want to integrate it with iptables.

But I am not able to find proper documentation for this.

The Suricata log shows that the rules are loaded, but how do I verify those rules, or how do I integrate them with iptables?

When I check in iptables,

iptables -nL shows the iptables rules that I added, but nothing related to Suricata.

Please guide me on this.
 
04-24-2013, 02:34 AM   #2
unSpawn (Moderator)
Start by confirming you've read any relevant documentation (https://github.com/inliniac/suricata..._for_Linux.txt (http://home.regit.org/2011/04/some-n...cata-1-1beta2/, https://home.regit.org/2011/01/build...liant-ruleset/), https://redmine.openinfosecfoundatio...line_for_Linux), explain how you set up Suricata, post the relevant commands, and show where (you think) it fails?
 
04-24-2013, 05:08 AM   #3
niraj.vara (LQ Newbie, Original Poster)

Hi

I have installed Suricata with PF_RING:
[root@localhost ~]# /opt/PF_RING/bin/suricata --build-info
This is Suricata version 1.4.1 RELEASE
Features: LIBPCAP_VERSION_MAJOR=0 PF_RING HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
64-bits, Little-endian architecture
GCC version 4.1.2 20080704 (Red Hat 4.1.2-54), C version 199901
compiled with libhtp 0.2.12, linked against 0.2.12
Suricata Configuration:
AF_PACKET support: no
PF_RING support: yes
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no

libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no

Suricatasc install: yes

Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no

Generic build parameters:
Installation prefix (--prefix): /opt/PF_RING
Configuration directory (--sysconfdir): /opt/PF_RING/etc/suricata/
Log directory (--localstatedir) : /opt/PF_RING/var/log/suricata/

Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no

Then I run the command below to start Suricata:

/opt/PF_RING/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

24/4/2013 -- 19:48:46 - <Info> - This is Suricata version 1.4.1 RELEASE
24/4/2013 -- 19:48:46 - <Info> - CPUs/cores online: 1
24/4/2013 -- 19:48:46 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 65535 defrag trackers of size 152
24/4/2013 -- 19:48:46 - <Info> - defrag memory usage: 13631336 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
24/4/2013 -- 19:48:46 - <Info> - preallocated 1024 packets. Total memory 4362240
24/4/2013 -- 19:48:46 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 1000 hosts of size 128
24/4/2013 -- 19:48:46 - <Info> - host memory usage: 357376 bytes, maximum: 16777216
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 10000 flows of size 280
24/4/2013 -- 19:48:46 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - IP reputation disabled
24/4/2013 -- 19:48:46 - <Info> - using magic-file /usr/share/file/magic
24/4/2013 -- 19:48:46 - <Info> - Delayed detect disabled
24/4/2013 -- 19:48:46 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed
24/4/2013 -- 19:49:12 - <Info> - 13042 signatures processed. 733 are IP-only rules, 4054 are inspecting packet payload, 9962 inspect application layer, 83 are decoder event only
24/4/2013 -- 19:49:12 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
24/4/2013 -- 19:49:13 - <Info> - building signature grouping structure, stage 2: building source address list... complete
24/4/2013 -- 19:49:16 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
24/4/2013 -- 19:49:17 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/opt/PF_RING/etc/suricata//threshold.config": No such file or directory
24/4/2013 -- 19:49:17 - <Info> - Core dump size set to unlimited.
24/4/2013 -- 19:49:17 - <Info> - fast output device (regular) initialized: fast.log
24/4/2013 -- 19:49:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/4/2013 -- 19:49:17 - <Info> - http-log output device (regular) initialized: http.log
24/4/2013 -- 19:49:17 - <Info> - Using 1 live device(s).
24/4/2013 -- 19:49:17 - <Info> - using interface eth0
24/4/2013 -- 19:49:17 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:49:17 - <Info> - RunModeIdsPcapAutoFp initialised
24/4/2013 -- 19:49:17 - <Info> - stream "max-sessions": 262144
24/4/2013 -- 19:49:17 - <Info> - stream "prealloc-sessions": 32768
24/4/2013 -- 19:49:17 - <Info> - stream "memcap": 33554432
24/4/2013 -- 19:49:17 - <Info> - stream "midstream" session pickups: disabled
24/4/2013 -- 19:49:17 - <Info> - stream "async-oneside": disabled
24/4/2013 -- 19:49:17 - <Info> - stream "checksum-validation": enabled
24/4/2013 -- 19:49:17 - <Info> - stream."inline": disabled
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "memcap": 67108864
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "depth": 1048576
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toserver-chunk-size": 2560
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toclient-chunk-size": 2560
24/4/2013 -- 19:49:18 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.

Now please suggest how to integrate these rules with iptables.

And how can I check whether the above rules are loaded or not?
 
04-24-2013, 05:32 PM   #4
unSpawn (Moderator)

Quote (niraj.vara):
Now please suggest how to integrate these rules with iptables.
You will please read suricata-.*/doc/Setting_up_IPSinline_for_Linux.txt
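Added example, not code from either poster or from the Suricata project, illustrating what post #3's output and post #4's pointer to Setting_up_IPSinline_for_Linux.txt amount to in practice. The build-info in post #3 says "NFQueue support: no" and the startup log ends in RunModeIdsPcapAutoFp with stream."inline": disabled, i.e. a passive sniffer: Suricata never writes iptables rules itself, so iptables -nL showing nothing Suricata-related is expected, and a binary without NFQueue support cannot receive packets from iptables no matter which rules are added. Inline use needs a build configured with --enable-nfqueue, NFQUEUE rules added by the admin, Suricata started with -q <queue>, stream inline enabled in suricata.yaml, and "drop" rather than "alert" rules for anything that should actually be blocked. The rule count question is already answered by the log line "13034 rules successfully loaded, 0 rules failed". The script below checks the build, extracts that count from the log, converts alert rules to drop rules, and prints (does not execute) the iptables commands. The binary and config paths are taken from the thread; queue 0 and the three chains are assumptions, not something the posts specify.

```shell
#!/bin/sh
# Added example for the LQ thread above; not from the posts or the Suricata project.
# Assumed paths below match the thread; QUEUE and the chains are assumptions.

SURICATA=${SURICATA:-/opt/PF_RING/bin/suricata}
SURICATA_CFG=${SURICATA_CFG:-/etc/suricata/suricata.yaml}
QUEUE=${QUEUE:-0}

# 1. Can this build take packets from iptables at all?
#    Argument: the text printed by `suricata --build-info`.
nfqueue_supported() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*NFQueue support:[[:space:]]*yes'
}

# 2. How many rules did the engine load? Argument: Suricata startup log text.
#    Prints the number from the "N rules successfully loaded" summary line,
#    returns 1 (printing nothing) when that line is absent.
rules_loaded_count() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/.*[^0-9]\([0-9][0-9]*\) rules successfully loaded.*/\1/p' \
        | head -n 1)
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# 3. An "alert" rule only logs, even when Suricata sits on an NFQUEUE.
#    Rewrite the action to "drop" so the verdict blocks. Rules on stdin,
#    rewritten rules on stdout; commented-out rules are left untouched.
to_drop_rules() {
    sed 's/^alert /drop /'
}

# 4. The iptables side. Printed rather than executed so they can be reviewed
#    first. -I puts them at the top of each chain, ahead of any ACCEPT rule
#    that would otherwise let traffic skip the IPS.
nfqueue_rules() {
    q=$1
    cat <<EOF
iptables -I INPUT   -j NFQUEUE --queue-num $q
iptables -I OUTPUT  -j NFQUEUE --queue-num $q
iptables -I FORWARD -j NFQUEUE --queue-num $q
EOF
}

# Run as "sh this.sh check" against the real binary; with no argument the
# file only defines the functions above.
if [ "${1:-}" = check ]; then
    info=$("$SURICATA" --build-info 2>/dev/null) \
        || { echo "cannot run $SURICATA" >&2; exit 1; }
    if ! nfqueue_supported "$info"; then
        echo "$SURICATA was built without NFQueue support;" \
             "rebuild with ./configure --enable-nfqueue" >&2
        exit 1
    fi
    nfqueue_rules "$QUEUE"
    echo "# then start inline:  $SURICATA -c $SURICATA_CFG -q $QUEUE"
    echo "# verify with:  iptables -nvL   (NFQUEUE packet counters must rise)"
    echo "#               cat /proc/net/netfilter/nfnetlink_queue   (queue $QUEUE bound)"
fi
```

Two caveats before putting this in front of real traffic. First, with plain NFQUEUE rules the kernel drops queued packets when nothing is listening on the queue, so a crashed or stopped Suricata takes the network down with it; that is fail-closed, which is usually what you want from an IPS, but if you prefer fail-open add --queue-bypass to the NFQUEUE rules (iptables 1.4.11 / kernel 2.6.39 or newer). Second, keep stream inline enabled in suricata.yaml when running with -q: the log in post #3 shows it disabled, and in that mode stream-level detections are made on reassembled data after the packets have already been verdicted.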
 
  

