Suricata IPS for running server

Posted on by Andy

Make sure that suricata is started with “-q 0” parameter so it uses NFQUEUE!

In /etc/suricata/suricata.yaml change to:

nfq:
    mode: repeat
    repeat-mark: 1
    repeat-mask: 1

In /etc/ufw/before.rules and /etc/ufw/before6.rules insert section:

### SURICATA ###
-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE
-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
### END SURICATA ###

In case you are on RHEL or alike:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -j NFQUEUE

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j NFQUEUE

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -j NFQUEUE

Leave a Reply

Your email address will not be published. Required fields are marked *

Blue Captcha Image Refresh

*