Problem description
I have Suricata 5.0.3 and need to enable IPS mode. First I tried the NFQ example.
iptables command: iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
suricata.yaml:
default-rule-path: /etc/suricata
rule-files:
  - test.rules
nfq:
  mode: repeat
  repeat-mark: 1
  repeat-mask: 1
  # bypass-mark: 1
  # bypass-mask: 1
  # route-queue: 2
  batchcount: 20
  # fail-open: yes
All other fields are left at their defaults.
test.rules: pass tcp any any -> any any (content:"TEST"; msg:"TEST was marked!"; nfq_set_mark:0x2/0xffffffff; sid:2455;)
Command used to start suricata:
suricata -q 0 -c /etc/suricata/suricata.yaml
The output I get is:
17/9/2020 -- 12:55:34 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
17/9/2020 -- 12:55:34 - <Info> - cpus/cores online: 12
17/9/2020 -- 12:55:34 - <Info> - NFQ running in REPEAT mode with mark 1/1
17/9/2020 -- 12:55:34 - <Info> - fast output device (regular) initialized: fast.log
17/9/2020 -- 12:55:34 - <Info> - eve-log output device (regular) initialized: eve.json
17/9/2020 -- 12:55:34 - <Info> - stats output device (regular) initialized: stats.log
17/9/2020 -- 12:55:34 - <Info> - Running in live mode, activating unix socket
17/9/2020 -- 12:55:34 - <Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
17/9/2020 -- 12:55:34 - <Info> - Threshold config parsed: 0 rule(s) found
17/9/2020 -- 12:55:34 - <Info> - 1 signatures processed. 0 are IP-only rules, 1 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
17/9/2020 -- 12:55:34 - <Info> - binding this thread 0 to queue '0'
17/9/2020 -- 12:55:34 - <Error> - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
17/9/2020 -- 12:55:34 - <Error> - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
I think the problem is with the iptables queue, but I'm not sure.
root@test:/etc/suricata# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
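The following pre-flight script is an added example for readers of this question; it is not code from the question, from Suricata, or from this site. nfq_create_queue() reports failure when libnetfilter_queue cannot bind the requested queue number over nfnetlink, and the usual causes are: the queue number is already bound by another netlink socket (for instance a second suricata instance still running), the nfnetlink_queue kernel module is not loaded or not available, or the process lacks CAP_NET_ADMIN. The kernel exposes the currently bound queues in /proc/net/netfilter/nfnetlink_queue, one line per queue (queue_num, peer_portid, queue_total, copy_mode, copy_range, queue_dropped, queue_user_dropped, id_sequence, 1). Note also that the iptables -L listing in the question shows only the filter table; the NFQUEUE rule was inserted into mangle/PREROUTING, so iptables -t mangle -L PREROUTING is what would show it. The NFQ_PROC variable, the nfq_* function names and the sample table lines are this example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original question or of Suricata.
# Parses the kernel's nfnetlink_queue table and runs the checks that explain
# a failed nfq_create_queue(): queue already bound, module missing, not root.
# Kernel file columns (/proc/net/netfilter/nfnetlink_queue):
#   queue_num peer_portid queue_total copy_mode copy_range \
#   queue_dropped queue_user_dropped id_sequence 1

NFQ_PROC=${NFQ_PROC:-/proc/net/netfilter/nfnetlink_queue}   # assumed default path

# Print "queue peer_portid queued kernel_dropped" for every bound queue in file $1.
nfq_bound_queues() {
    awk 'NF >= 8 { printf "%s %s %s %s\n", $1, $2, $3, $6 }' "$1"
}

# Print the netlink port id bound to queue $2 in file $1; return 1 if unbound.
# For a process's first netlink socket the port id is normally its PID.
nfq_queue_owner() {
    awk -v q="$2" 'NF >= 8 && $1 == q { print $2; found = 1 }
                   END { exit !found }' "$1"
}

# Pre-flight checks for "suricata -q $1" on the live host. Prints one line per
# problem and returns non-zero if binding the queue is expected to fail.
nfq_precheck() {
    q=$1
    rc=0
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: binding an NFQUEUE needs CAP_NET_ADMIN"
        rc=1
    fi
    if [ ! -r "$NFQ_PROC" ]; then
        echo "$NFQ_PROC not present: nfnetlink_queue not loaded (try: modprobe nfnetlink_queue)"
        rc=1
    elif owner=$(nfq_queue_owner "$NFQ_PROC" "$q"); then
        echo "queue $q is already bound by netlink port id $owner; stop that process first"
        rc=1
    fi
    # Informational only: binding the queue works without a rule, but the
    # NFQUEUE rule from the question lives in the mangle table, which a plain
    # "iptables -L" (filter table) never shows.
    if command -v iptables >/dev/null 2>&1 &&
       ! iptables -t mangle -S PREROUTING 2>/dev/null | grep -qw -- "--queue-num $q"; then
        echo "note: no NFQUEUE --queue-num $q rule in mangle/PREROUTING, so no packets will reach the queue"
    fi
    return $rc
}

# Stand-alone run against this host (NFQ_PRECHECK=1 sh nfq_check.sh) for the
# queue number used in the question (-q 0).
if [ "${NFQ_PRECHECK:-0}" = 1 ]; then
    nfq_precheck 0
fi
```

Run it as root with NFQ_PRECHECK=1 before starting suricata; if the second check reports a port id, that number is the netlink socket (usually a PID) holding queue 0, and suricata's "binding this thread 0 to queue '0'" will keep failing until it goes away.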
Solution
No working solution for this problem has been found yet.