不多说,直接上干货!

  

  见官网

https://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html

11. Setting up IPS/inline for Linux

In this guide will be explained how to work with Suricata in layer3 inline mode and how to set iptables for that purpose.

First start with compiling Suricata with NFQ support. For instructions see Ubuntu Installation. For more information about NFQ and iptables, see NFQ.

To check if you have NFQ enabled in your Suricata, enter the following command:

suricata --build-info

and examine if you have NFQ between the features.

To run suricata with the NFQ mode, you have to make use of the -q option. This option tells Suricata which of the queue numbers it should use.

sudo suricata -c /etc/suricata/suricata.yaml -q 0

11.1. Iptables configuration

First of all it is important to know which traffic you would like to send to Suricata. Traffic that passes your computer or traffic that is generated by your computer.

 

If Suricata is running on a gateway and is meant to protect the computers behind that gateway you are dealing with the first scenario: forward_ing . If Suricata has to protect the computer it is running on, you are dealing with the second scenario: host (see drawing 2). These two ways of using Suricata can also be combined.

The easiest rule in case of the gateway-scenario to send traffic to Suricata is:

sudo iptables -I FORWARD -j NFQUEUE

In this case, all forwarded traffic goes to Suricata.

In case of the host situation, these are the two most simple iptable rules;

sudo iptables -I INPUT -j NFQUEUE

sudo iptables -I OUTPUT -j NFQUEUE

It is possible to set a queue number. If you do not, the queue number will be 0 by default.

Imagine you want Suricata to check for example just TCP-traffic, or all incoming traffic on port 80, or all traffic on destination-port 80, you can do so like this:

sudo iptables -I INPUT -p tcp  -j NFQUEUE

sudo iptables -I OUTPUT -p tcp -j NFQUEUE

In this case, Suricata checks just TCP traffic.

sudo iptables -I INPUT -p tcp --sport 80  -j NFQUEUE

sudo iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE

In this example, Suricata checks all input and output on port 80.

 

To see if you have set your iptables rules correct make sure Suricata is running and enter:

sudo iptables -vnL

In the example you can see if packets are being logged.

This description of the use of iptables is the way to use it with IPv4. To use it with IPv6 all previous mentioned commands have to start with ‘ip6tables’. It is also possible to let Suricata check both kinds of traffic.

There is also a way to use iptables with multiple networks (and interface cards). Example:

sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE

sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE

The options -i (input) -o (output) can be combined with all previous mentioned options

If you would stop Suricata and use internet, the traffic will not come through. To make internet work correctly, you have to erase all iptable rules.

To erase all iptable rules, enter:

sudo iptables -F

Setting up IPS/inline for Linux in Suricata的更多相关文章

  1. The Guideline of Setting Up Samba Server on linux(Ubuntu)

    The Guideline of Setting Up Samba Server on linux(Ubuntu) From terminate command window, install the ...

  2. Suricata, to 10Gbps and beyond(X86架构)

    Introduction Since the beginning of July 2012, OISF team is able to access to a server where one int ...

  3. Kali linux 2016.2(Rolling)中的payloads模块详解

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的Exploits模块详解 payloads模块,也就是shellcode,就是在漏洞利用成功后所要做的事情.在M ...

  4. Linux 驱动开发

    linux驱动开发总结(一) 基础性总结 1, linux驱动一般分为3大类: * 字符设备 * 块设备 * 网络设备 2, 开发环境构建: * 交叉工具链构建 * NFS和tftp服务器安装 3, ...

  5. 使用.NetCore在Linux上写TCP listen 重启后无法绑定地址

    拥抱.net core的过程中, 将公司的一套java项目改成了.net core 2.0版的. 里面的tcp服务被我用msdn的SocketAsyncEventArgs方式重写了, 然而在测试的过程 ...

  6. linux记录-docker配置mysql

    docker部署mysql 1.拉取镜像 docker pull mysql 2.docker  rm   containerID  删除镜像iD 3.创建镜像 docker run --name=m ...

  7. linux从head.s到start_kernelstart_kernel之---内核重定位后分析

    参考: https://biscuitos.github.io/blog/ARM-BOOT/ zImage 重定位之后实践 zImage 重定位之后,ARM 将 pc 指针指向了重定位 zImage ...

  8. Linux设备驱动中的阻塞和非阻塞I/O <转载>

    Green 博客园 首页 新随笔 联系 订阅 管理 Linux设备驱动中的阻塞和非阻塞I/O   [基本概念] 1.阻塞 阻塞操作是指在执行设备操作时,托不能获得资源,则挂起进程直到满足操作所需的条件 ...

  9. pytbull 手册

    - Official documentation for pytbull v2.1 - Table of content Description Architecture Remote mode Lo ...

随机推荐

  1. java -jar 与nohup的区别

    ——作为java程序员,经常会遇到这样一个问题,打个jar包,测试或者上线生产,于是乎面临的选择来了,java –jar or nohup? 下面我来扒一扒: 一.    java -jar a.ja ...

  2. IDEA中Git的应用场景

    工作中多人使用版本控制软件协作开发,常见的应用场景归纳如下: 假设小组中有两个人,组长小张,组员小袁 场景一:小张创建项目并提交到远程Git仓库 场景二:小袁从远程git仓库上获取项目源码 场景三:小 ...

  3. JSON与localStorage的爱恨情仇

    在使用localStorage时,我们会给一个key存取一个value,这个value可以是一个普通的字符串,也可以是一个对象,如果是一个字符串,我们就需要通过JSON.stringify来转化为JS ...

  4. C++使用模板、函数指针、接口和lambda表达式这四种方法做回调函数的区别比较

    在C++中,两个类之间存在一种关系,某个类需要另外一个类去完成某一个功能,完成了之后需要告知该类结果,这种最普通最常见的需求,往往使用回调函数来解决. 如题,我总结下来有这么四种方式可以完成这项功能, ...

  5. mysql 发生系统错误1067

    一般是由配置文件错误语法不正确引起的,如my.ini本人在mysql mysql-5.6.29-winx64 配置过程中遇到“发生系统错误1067”主要由于下面两个目录写的格式不正确引起的正确写法如下 ...

  6. HDFS运维和优化

    常见问题 下面列举HDFS运行过程中可能出现的常见问题及解决方法,这些问题一般都会在日志中出现的相应的记录.Incompatible clusterIDs in … :namenode cluster ...

  7. css3的渐变效果

    1.css3 渐变的属性 例子: #grad { background: -webkit-linear-gradient(red, blue); /* Safari 5.1 - 6.0 */ back ...

  8. 织梦dedecms中修改标题与简略标题长度的方法

    本文介绍了dedecms中修改标题与简略标题长度的方法,进入dedecms后台,系统——系统基本参数——其他选项——文档标题最大长度——在这修改为200或更大. 一.修改标题 进入dedecms后台, ...

  9. maven配置本地仓库和国内镜像仓库,解决国内访问国外中央仓库速度过慢问题

    Maven项目对象模型(POM),可以通过一小段描述信息来管理项目的构建,报告和文档的软件项目管理工具. 1.配置本地仓库   打开conf文件夹下面的setting.xml文件 红色方框为配置本地仓 ...

  10. 每次rand出来都是41?说好的随机数呢?!

    rand()函数是C++标准函数库提供的随机数生成器,生成0-RAND_MAX之间的一个"伪随机"整数,理论上可以产生的最大数值为2^16-1,即32767. rand()函数不接 ...