Suricata

Sorry:
Is not INPUT, I use FORWARD:
"iptables -A INPUT -j NFQUEUE --queue-num 0" -> "iptables -A FORWARD -j NFQUEUE --queue-num 0"

Thx.

Are you sure you're getting the SC_ERR_LIBNET_WRIT error even with only "drop" rules? That would be strange as the reject code should not be activated in that case.

Hello,

you're right, the error is only when the reject is enable, no drop. Sorry. The full errror with reject option is this:

[ 1675.365811] IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=192.168.2.1 DST=192.168.2.104 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24988
[7558] 2/1/2000 -- 18:24:52 - (respond-reject-libnet11.c:172) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_WRITE_FAILED(145)] - libnet_write failed: libnet)

Now, drop works in bridge mode if i change the iptables rule:
iptables -A FORWARD -j NFQUEUE --queue-num 0

For that rule:
iptables -A FORWARD -j NFQUEUE --queue-num 0 -m physdev --physdev-in eth2 --physdev-out eth1

It works now but only in one direction.

Now i am working for read in two directions but i can't do it.

PD: Next week i want to import private certificate web for read SSL sesions(it's posible?)

Hi Joaquin.

As far as I know suricata cannot read ssl session (even with the certificate). If you find a way to inject decrypted traffic temporarily to an interface/nfqueue, then you can inspect it as normal. But suricata doesn't decrypt ssl sessions itself. Anyway, if you find a way to do it, please, share it here ;)

Regarding to directions, if you specify --physdev-in eth2 --physdev-out eth1 it will only work from eth2 to eth1. I'm not familiar to nfqueue, but what about specifying
iptables -A FORWARD -j NFQUEUE --queue-num 0 -i br0
Does it work?