From 8879b125d26e8db1a5633de5a9c692eb2d1c4f83 Mon Sep 17 00:00:00 2001 From: Ashlee Young Date: Wed, 9 Sep 2015 22:21:41 -0700 Subject: suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f --- .../doc/Setting_up_IPSinline_for_Linux.txt | 83 ++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt (limited to 'framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt') diff --git a/framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt b/framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt new file mode 100644 index 00000000..68eaceac --- /dev/null +++ b/framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt @@ -0,0 +1,83 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux + + +Setting up IPS/inline for Linux + +In this guide will be explained how to work with Suricata in inline mode and +how to set iptables for that purpose. +First start with compiling Suricata with NFQ support. For instructions see +Ubuntu_Installation. +For more information about NFQ and iptables, see suricata.yaml. +To check if you have NFQ enabled in your Suricata, enter the following command: + + suricata --build-info + +and examine if you have NFQ between the features. +To run suricata with the NFQ mode, you have to make use of the -q option. This +option tells Suricata which of the queue numbers it should use. + + sudo suricata -c /etc/suricata/suricata.yaml -q 0 + + +Iptables configuration + +First of all it is important to know which traffic you would like to send to +Suricata. Traffic that passes your computer or traffic that is generated by +your computer. + +If Suricata is running on a gateway and is meant to protect the computers +behind that gateway you are dealing with the first scenario: forward_ing . +If Suricata has to protect the computer it is running on, you are dealing with +the second scenario: host (see drawing 2). +These two ways of using Suricata can also be combined. +The easiest rule in case of the gateway-scenario to send traffic to Suricata +is: + + sudo iptables -I FORWARD -j NFQUEUE + +In this case, all forwarded traffic goes to Suricata. +In case of the host situation, these are the two most simple iptable rules; + + sudo iptables -I INPUT -j NFQUEUE + sudo iptables -I OUTPUT -j NFQUEUE + +It is possible to set a queue number. If you do not, the queue number will be 0 +by default. +Imagine you want Suricata to check for example just TCP-traffic, or all +incoming traffic on port 80, or all traffic on destination-port 80, you can do +so like this: + + sudo iptables -I INPUT -p tcp -j NFQUEUE + sudo iptables -I OUTPUT -p tcp -j NFQUEUE + +In this case, Suricata checks just TCP traffic. + + sudo iptables -I INPUT -p tcp --sport 80 -j NFQUEUE + sudo iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE + +In this example, Suricata checks all input and output on port 80. + +To see if you have set your iptables rules correct make sure Suricata is +running and enter: + + sudo iptables -vnL + +In the example you can see if packets are being logged. +This description of the use of iptables is the way to use it with IPv4. To use +it with IPv6 all previous mentioned commands have to start with 'ip6tables'. It +is also possible to let Suricata check both kinds of traffic. +There is also a way to use iptables with multiple networks (and interface +cards). Example: + + sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE + sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE + +The options -i (input) -o (output) can be combined with all previous mentioned +options +If you would stop Suricata and use internet, the traffic will not come through. +To make internet work correctly, you have to erase all iptable rules. +To erase all iptable rules, enter: + + sudo iptables -F + -- cgit 1.2.3-korg