Support #388
closedSuricata Support in VMs and NFQUEUE Mode
Description
Hi all,
I have successfully setup Suricata on my Centos dedicated server and it appears to be working. However, using the same setup on a Centos VPS , I get IPtables errors when I attempt to run the following command:
iptables -I FORWARD -j NFQUEUE
iptables: Unknown error 4294967295
From my research, NFQUEUE requires 2.6.14 kernel with nfnetlink_queue and nfnetlink modules enabled on IPtables.
The VM provider has indeed confirmed that the VM kernel meets the requirements and that these modules are loaded but for some reasons, I still get the above error when I run the command.
Also I have observed that when running Suricata on the Centos dedicated server with NFQUEUE mode, I get alerts on the fast.log. But on checking the drop.log file, I see no logs there. Please see the output of : iptables -vnL
[root@centos5 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 53M packets, 31G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 30M packets, 19G bytes)
pkts bytes target prot opt in out source destination
1629K 1273M NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
67M 43G NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
Chain OUTPUT (policy ACCEPT 57M packets, 53G bytes)
pkts bytes target prot opt in out source destination
1000 59956 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
Chain STALLONE-NATPMD (0 references)
pkts bytes target prot opt in out source destination
[root@centos5 ~]#
A sample of the fast.log is shown below:
Priority: 1] {UDP} 10.80.0.14:4310 -> XXX.XXX.XXX.XXX:52984
12/24/2011-12:01:20.584424 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [
Priority: 1] {UDP} 10.80.0.14:4310 -> XXX.XXX.XXX.XXX:63000
12/24/2011-12:01:20.638323 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [
Priority: 1] {UDP} 10.80.0.14:4310 -> XXX.XXX.XXX.XXX:56470
12/24/2011-12:01:20.792278 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [
Priority: 1] {UDP} 10.80.0.14:4310 -> :13519
12/24/2011-12:01:21.003757 [**] [1:2011706:4] ET P2P Bittorrent P2P Client User-Agent (uTorrent) [**] [Classification: Potential Corporate
Privacy Violation] [Priority: 1] {TCP} 10.80.0.10:52510 -> XXX.XXX.XXX.XXX:80
12/24/2011-12:01:21.806950 [**] [1:2011706:4] ET P2P Bittorrent P2P Client User-Agent (uTorrent) [**] [Classification: Potential Corporate
Privacy Violation] [Priority: 1] {TCP} 10.80.0.10:52942 -> 184.22.108.14:80
12/24/2011-12:01:21.806906 [**] [1:2011706:4] ET P2P Bittorrent P2P Client User-Agent (uTorrent) [**] [Classification: Potential Corporate
Privacy Violation] [Priority: 1] {TCP} 10.80.0.10:52943 -> XXX.XXX.XXX.XXX:80
12/24/2011-12:01:21.808770 [**] [1:2010144:5] ET P2P Vuze BT UDP Connection (5) [**] [Classification: Potential Corporate Privacy Violatio
n] [Priority: 1] {UDP} 10.80.0.10:20625 -> XXX.XXX.XXX.XXX:80
12/24/2011-12:01:22.003710 [**] [1:2011706:4] ET P2P Bittorrent P2P Client User-Agent (uTorrent) [**] [Classification: Potential Corporate
Privacy Violation] [Priority: 1] {TCP} 10.80.0.10:52512 -> XXX.XXX.XXX.XXX:80
12/24/2011-12:01:22.542121 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [
Priority: 1] {UDP} 10.80.0.14:4310 -> XXX.XXX.XXX.XXX:17029
12/24/2011-12:01:22.598426 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [
Priority: 1] {UDP} 10.80.0.14:4310 -> XXX.XXX.XXX.XXX:19794
12/24/2011-12:01:22.598411 [**] [1:2010140:5] ET P2P Vuze BT UDP Connection [**] [Classification: Potential Corporate Privacy Violation] [
I need the Suricata setup to detect and block the bad traffic but I don't know how to see if this is working correctly.
Please help.
Thanks