04-24-2013, 01:39 AM | #1
LQ Newbie
Registered: May 2009
Posts: 27
suricata integrate with iptables
I have installed the Suricata firewall with PF_RING.
Now I want to integrate it with iptables,
but I am not able to get the proper documentation for this.
The Suricata log shows that the rules are loaded, but how do I verify those rules, or how do I integrate them with iptables?
When I check iptables with
iptables -nL, it shows the iptables rules that I added but nothing related to Suricata.
Please guide me on this.
04-24-2013, 02:34 AM | #2
Moderator
Registered: May 2001
Posts: 29,415
04-24-2013, 05:08 AM | #3
LQ Newbie (Original Poster)
Registered: May 2009
Posts: 27
Hi,
I have installed Suricata with PF_RING:
[root@localhost ~]# /opt/PF_RING/bin/suricata --build-info
This is Suricata version 1.4.1 RELEASE
Features: LIBPCAP_VERSION_MAJOR=0 PF_RING HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
64-bits, Little-endian architecture
GCC version 4.1.2 20080704 (Red Hat 4.1.2-54), C version 199901
compiled with libhtp 0.2.12, linked against 0.2.12
Suricata Configuration:
AF_PACKET support: no
PF_RING support: yes
NFQueue support: no
IPFW support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: no
libnss support: no
libnspr support: no
libjansson support: no
Prelude support: no
PCRE jit: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: yes
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Generic build parameters:
Installation prefix (--prefix): /opt/PF_RING
Configuration directory (--sysconfdir): /opt/PF_RING/etc/suricata/
Log directory (--localstatedir) : /opt/PF_RING/var/log/suricata/
Host: x86_64-unknown-linux-gnu
GCC binary: gcc
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Then I ran the command below to start Suricata:
/opt/PF_RING/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
24/4/2013 -- 19:48:46 - <Info> - This is Suricata version 1.4.1 RELEASE
24/4/2013 -- 19:48:46 - <Info> - CPUs/cores online: 1
24/4/2013 -- 19:48:46 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 65535 defrag trackers of size 152
24/4/2013 -- 19:48:46 - <Info> - defrag memory usage: 13631336 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
24/4/2013 -- 19:48:46 - <Info> - preallocated 1024 packets. Total memory 4362240
24/4/2013 -- 19:48:46 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 1000 hosts of size 128
24/4/2013 -- 19:48:46 - <Info> - host memory usage: 357376 bytes, maximum: 16777216
24/4/2013 -- 19:48:46 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
24/4/2013 -- 19:48:46 - <Info> - preallocated 10000 flows of size 280
24/4/2013 -- 19:48:46 - <Info> - flow memory usage: 6470016 bytes, maximum: 33554432
24/4/2013 -- 19:48:46 - <Info> - IP reputation disabled
24/4/2013 -- 19:48:46 - <Info> - using magic-file /usr/share/file/magic
24/4/2013 -- 19:48:46 - <Info> - Delayed detect disabled
24/4/2013 -- 19:48:46 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed
24/4/2013 -- 19:49:12 - <Info> - 13042 signatures processed. 733 are IP-only rules, 4054 are inspecting packet payload, 9962 inspect application layer, 83 are decoder event only
24/4/2013 -- 19:49:12 - <Info> - building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
24/4/2013 -- 19:49:13 - <Info> - building signature grouping structure, stage 2: building source address list... complete
24/4/2013 -- 19:49:16 - <Info> - building signature grouping structure, stage 3: building destination address lists... complete
24/4/2013 -- 19:49:17 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/opt/PF_RING/etc/suricata//threshold.config": No such file or directory
24/4/2013 -- 19:49:17 - <Info> - Core dump size set to unlimited.
24/4/2013 -- 19:49:17 - <Info> - fast output device (regular) initialized: fast.log
24/4/2013 -- 19:49:17 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
24/4/2013 -- 19:49:17 - <Info> - http-log output device (regular) initialized: http.log
24/4/2013 -- 19:49:17 - <Info> - Using 1 live device(s).
24/4/2013 -- 19:49:17 - <Info> - using interface eth0
24/4/2013 -- 19:49:17 - <Info> - Found an MTU of 1500 for 'eth0'
24/4/2013 -- 19:49:17 - <Info> - RunModeIdsPcapAutoFp initialised
24/4/2013 -- 19:49:17 - <Info> - stream "max-sessions": 262144
24/4/2013 -- 19:49:17 - <Info> - stream "prealloc-sessions": 32768
24/4/2013 -- 19:49:17 - <Info> - stream "memcap": 33554432
24/4/2013 -- 19:49:17 - <Info> - stream "midstream" session pickups: disabled
24/4/2013 -- 19:49:17 - <Info> - stream "async-oneside": disabled
24/4/2013 -- 19:49:17 - <Info> - stream "checksum-validation": enabled
24/4/2013 -- 19:49:17 - <Info> - stream."inline": disabled
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "memcap": 67108864
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "depth": 1048576
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toserver-chunk-size": 2560
24/4/2013 -- 19:49:17 - <Info> - stream.reassembly "toclient-chunk-size": 2560
24/4/2013 -- 19:49:18 - <Info> - all 2 packet processing threads, 3 management threads initialized, engine started.
Now please suggest how to integrate these rules with iptables,
and how can I check whether the above rules are loaded or not?
04-24-2013, 05:32 PM | #4
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by niraj.vara
Now please suggest how to integrate these rules with iptables.
You will please read suricata-.*/doc/Setting_up_IPSinline_for_Linux.txt
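Both of the poster's questions can be answered from the output they already pasted: the rule count is in the startup log, and "NFQueue support: no" in --build-info means this binary was built without the netfilter queue interface that an iptables NFQUEUE rule would hand packets to, so iptables cannot show anything Suricata-related as built (the log's RunModeIdsPcapAutoFp also confirms a passive capture run). The shell helpers below are an added example, not from this thread or the Suricata project; the build-info and log excerpts are constructed copies of what was quoted above, and the status token names are my own.

```shell
# Constructed excerpts, cut down from the --build-info and startup output
# quoted in this thread; sample input, not a live capture.
BUILD_INFO='Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         yes
  NFQueue support:                         no'
STARTUP_LOG='24/4/2013 -- 19:48:46 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-icmp.rules
24/4/2013 -- 19:48:50 - <Info> - 48 rule files processed. 13034 rules successfully loaded, 0 rules failed
24/4/2013 -- 19:49:17 - <Info> - RunModeIdsPcapAutoFp initialised'

# stdin: "suricata --build-info" output. Prints yes/no for NFQueue support.
# Without it the engine cannot receive packets from an iptables NFQUEUE
# target, so no iptables rule can ever refer to Suricata.
nfqueue_supported() {
    awk -F: '/NFQueue support/ { gsub(/[ \t]/, "", $2); print $2; f = 1 }
             END { if (!f) print "no" }'
}

# stdin: startup log. Prints the "N rules successfully loaded" count.
rules_loaded() {
    sed -n 's/.* \([0-9][0-9]*\) rules successfully loaded.*/\1/p' | head -n 1
}

# stdin: startup log. Prints the "N rules failed" count.
rules_failed() {
    sed -n 's/.* \([0-9][0-9]*\) rules failed.*/\1/p' | head -n 1
}

# stdin: startup log. Prints the run mode, e.g. IdsPcapAutoFp. An Ids* mode
# is passive capture; an Ips* mode means packets arrive for a verdict.
run_mode() {
    sed -n 's/.*RunMode\([A-Za-z]*\) initialised.*/\1/p' | head -n 1
}

# $1 = build-info text, $2 = startup log text. Prints one status token:
#   inline                - NFQueue built in and engine started in an IPS mode
#   passive-nfqueue-built - NFQueue built in, but engine is in a capture mode
#   passive-no-nfqueue    - binary cannot be attached to iptables as built
ips_status() {
    nfq=$(printf '%s\n' "$1" | nfqueue_supported)
    mode=$(printf '%s\n' "$2" | run_mode)
    case "$nfq:$mode" in
        yes:Ips*) echo inline ;;
        yes:*)    echo passive-nfqueue-built ;;
        *)        echo passive-no-nfqueue ;;
    esac
}

ips_status "$BUILD_INFO" "$STARTUP_LOG"   # prints passive-no-nfqueue
```

Run it against a real deployment by piping `suricata --build-info` and the engine's startup output into the same functions; a loaded rule count plus a passive run mode is exactly the state the poster describes.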