Suricata IPS on a running server

Make sure that Suricata is started with the “-q 0” parameter so that it uses NFQUEUE.

In /etc/suricata/suricata.yaml, change the nfq section to:

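# NFQUEUE settings for inline (IPS) operation; Suricata must be started with -q 0.
nfq:
  # repeat mode: after inspection Suricata sets the mark below on the packet and
  # re-injects it into the netfilter chain, so the firewall rules that queue
  # packets must exclude already-marked ones ("-m mark ! --mark 1/1"), otherwise
  # the same packet would be queued again.
  mode: repeat
  # mark/mask pair written on inspected packets; must match the value the
  # firewall rules test for (1/1).
  repeat-mark: 1
  repeat-mask: 1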

In /etc/ufw/before.rules and /etc/ufw/before6.rules, insert the following section:

### SURICATA ###
# Hand packets to Suricata (NFQUEUE, default queue 0) for inline inspection.
# Suricata runs in nfq "repeat" mode and marks every packet it has inspected
# with 1/1 before re-injecting it, so the "! --mark 1/1" rules below only
# queue packets that have not been inspected yet.
# SSH (port 22) is queued with --queue-bypass: if nothing is listening on the
# queue (Suricata stopped or restarting) these packets are accepted instead of
# dropped, so remote administration survives an IPS outage. All other packets
# hit rules without --queue-bypass and are dropped while Suricata is not
# running (fail closed).
# NOTE(review): the two SSH rules carry no "-m mark ! --mark 1/1" match, unlike
# the firewalld passthrough variant of the same rules; with mode: repeat the
# re-injected packet re-enters the chain and may be queued a second time --
# confirm against the Suricata NFQ repeat-mode documentation.
-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE
-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1/1 -j NFQUEUE
### END SURICATA ###

If you are on RHEL or a similar distribution, edit /etc/firewalld/direct.xml instead:

IPTABLES (passthrough):

<?xml version="1.0" encoding="utf-8"?>
<!-- firewalld direct rules (iptables passthrough) that hand packets to Suricata
     on NFQUEUE (default queue 0). Suricata runs in nfq repeat mode and sets
     mark 1/1 on inspected packets, so the "mark ! 1/1" match queues each
     packet only once.
     The SSH (port 22) rules add the queue-bypass option: when nothing listens
     on the queue (Suricata stopped), those packets are accepted instead of
     dropped, keeping remote administration reachable. All other rules have no
     bypass, so their traffic is dropped while Suricata is not running
     (fail closed).
     NOTE(review): unlike the ufw section, there is no queue-bypass rule for
     OUTPUT with source port 22, so SSH replies are still dropped when Suricata
     is down; confirm whether the INPUT bypass is meant to work on its own. -->
<direct>
<!-- SSH: inspected, but accepted when the queue has no listener. -->
<passthrough ipv="ipv4">-I INPUT 1 -p tcp --dport 22 -m mark ! --mark 1/1 -j NFQUEUE --queue-bypass</passthrough>
<passthrough ipv="ipv6">-I INPUT 1 -p tcp --dport 22 -m mark ! --mark 1/1 -j NFQUEUE --queue-bypass</passthrough>
<!-- Everything else not yet marked by Suricata: queued, no bypass. -->
<passthrough ipv="ipv4">-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE</passthrough>
<passthrough ipv="ipv6">-I INPUT 2 -m mark ! --mark 1/1 -j NFQUEUE</passthrough>
<passthrough ipv="ipv4">-I OUTPUT 1 -m mark ! --mark 1/1 -j NFQUEUE</passthrough>
<passthrough ipv="ipv6">-I OUTPUT 1 -m mark ! --mark 1/1 -j NFQUEUE</passthrough>
<passthrough ipv="ipv4">-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE</passthrough>
<passthrough ipv="ipv6">-I FORWARD 1 -m mark ! --mark 1/1 -j NFQUEUE</passthrough>
</direct>

NFTABLES (rule):

<?xml version="1.0" encoding="utf-8"?>
<!-- firewalld direct rules (rule form, one element per chain and priority)
     handing packets to Suricata on NFQUEUE (default queue 0). Lower priority
     values are evaluated first within a chain. Suricata runs in nfq repeat
     mode and sets mark 1/1 on inspected packets, so the "mark ! 1/1" match
     queues each packet only once.
     The priority 0 INPUT rules for SSH (port 22) use the queue-bypass option:
     when nothing listens on the queue (Suricata stopped) those packets are
     accepted instead of dropped. All other rules have no bypass, so their
     traffic is dropped while Suricata is not running (fail closed).
     NOTE(review): the SSH rules here have no mark match, unlike the passthrough
     variant above; with repeat mode the re-injected packet may be queued a
     second time, and there is no bypass rule for OUTPUT with source port 22,
     so SSH replies are still dropped when Suricata is down. Confirm both
     against the Suricata NFQ repeat-mode documentation. -->
<direct>
<!-- IPv4: SSH first (bypass), then everything not yet marked. -->
<rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -j NFQUEUE --queue-bypass</rule>
<rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-m mark '!' --mark 1/1 -j NFQUEUE</rule>
<rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-m mark '!' --mark 1/1 -j NFQUEUE</rule>
<!-- IPv6: same layout as IPv4. -->
<rule ipv="ipv6" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -j NFQUEUE --queue-bypass</rule>
<rule ipv="ipv6" table="filter" chain="INPUT" priority="1">-m mark '!' --mark 1/1 -j NFQUEUE</rule>
<rule ipv="ipv6" table="filter" chain="OUTPUT" priority="1">-m mark '!' --mark 1/1 -j NFQUEUE</rule>
<!-- Forwarded traffic: queued unless already marked, no bypass. -->
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-m mark '!' --mark 1/1 -j NFQUEUE</rule>
<rule ipv="ipv6" table="filter" chain="FORWARD" priority="0">-m mark '!' --mark 1/1 -j NFQUEUE</rule>
</direct>