https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Suricata_IPS_nftables
Suricata IPS nftables - Versionsgeschichte
2026-06-29T07:54:48Z
Versionsgeschichte dieser Seite in Xinux Wiki
MediaWiki 1.35.1
https://wiki.ixheim.de/index.php?title=Suricata_IPS_nftables&diff=62138&oldid=prev
Thomas.will: /* iptables Version */
2025-04-23T05:21:31Z
<p><span dir="auto"><span class="autocomment">iptables Version</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 23. April 2025, 05:21 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l145" >Zeile 145:</td>
<td colspan="2" class="diff-lineno">Zeile 145:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* Damit Suricata die nicht gedroppten Pakete automatisch akzeptiert, sondern dies der Firewall überlässt, kann es diese Pakete markieren und zurück zu iptables schicken</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* Damit Suricata die nicht gedroppten Pakete automatisch akzeptiert, sondern dies der Firewall überlässt, kann es diese Pakete markieren und zurück zu iptables schicken</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* Markierungen folgen der Syntax $''MARK''/$'''MASK'''</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* Markierungen folgen der Syntax $''MARK''/$'''MASK'''</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">== iptables Version ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* '''vim /usr/local/sbin/firewall'''</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> iptables -P FORWARD DROP</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> iptables -A FORWARD -m mark ! --mark ''1''/'''1''' -j NFQUEUE</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> iptables -A FORWARD -j LOG --log-prefix "iptables return from Suricata: "</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> ...</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== nftables Version ==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== nftables Version ==</div></td></tr>
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Suricata_IPS_nftables&diff=62137&oldid=prev
Thomas.will: /* Problematik */
2025-04-23T05:20:44Z
<p><span dir="auto"><span class="autocomment">Problematik</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 23. April 2025, 05:20 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l140" >Zeile 140:</td>
<td colspan="2" class="diff-lineno">Zeile 140:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>*'''suricata -D -q 0</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>*'''suricata -D -q 0</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">== Problematik ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* Dadurch, dass Suricata alle Pakete vom LAN zur DMZ behandelt, werden alle Pakete, die nicht ausdrücklich verworfen werden akzeptiert</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* Wir müssen Suricata also so einstellen, dass es diese Pakete wieder iptables übergibt</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>= NFQUEUE Repeat =</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>= NFQUEUE Repeat =</div></td></tr>
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Suricata_IPS_nftables&diff=62136&oldid=prev
Thomas.will: /* Firewallanpassung */
2025-04-23T05:20:06Z
<p><span dir="auto"><span class="autocomment">Firewallanpassung</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 23. April 2025, 05:20 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l135" >Zeile 135:</td>
<td colspan="2" class="diff-lineno">Zeile 135:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> drop http any any -> any any (msg: "Possible Command Injection attack (Contains semicolon POST DATA)"; flow:established,to_server; content:"%3B"; nocase; http_client_body; sid:5;)</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> drop http any any -> any any (msg: "Possible Command Injection attack (Contains semicolon POST DATA)"; flow:established,to_server; content:"%3B"; nocase; http_client_body; sid:5;)</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">= Firewallanpassung =</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">;Ohne Return von der IPS, Hierzu müsste die IPS der Firewall nachgeschaltet sein.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* '''vim /usr/local/sbin/firewall'''</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> iptables -P FORWARD DROP</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> iptables -A FORWARD -j NFQUEUE</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"> ...</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Start suricata==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Start suricata==</div></td></tr>
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Suricata_IPS_nftables&diff=59553&oldid=prev
Thomas.will: Die Seite wurde neu angelegt: „ =Grundlagen und Installation= *Suricata Grundlagen *Suricata Installation =Versuchsaufbau= {{#drawio:ips-netz}} =IPS= *Wir können mit iptables Pake…“
2025-03-10T20:15:39Z
<p>Die Seite wurde neu angelegt: „ =Grundlagen und Installation= *<a href="/index.php/Suricata_Grundlagen" title="Suricata Grundlagen">Suricata Grundlagen</a> *<a href="/index.php/Suricata_Installation" title="Suricata Installation">Suricata Installation</a> =Versuchsaufbau= {{#drawio:ips-netz}} =IPS= *Wir können mit iptables Pake…“</p>
<p><b>Neue Seite</b></p><div><br />
=Grundlagen und Installation=<br />
*[[Suricata Grundlagen]]<br />
*[[Suricata Installation]]<br />
<br />
=Versuchsaufbau=<br />
{{#drawio:ips-netz}}<br />
<br />
=IPS=<br />
*Wir können mit iptables Pakete abfangen und einer QUEUE übergeben<br />
*Diese QUEUE wird von suricata gelesen und ihrem REGELWERK übergeben.<br />
*Wenn das Paket mit einer Regel übereinstimmt, wird eine Aktion ausgelöst.<br />
*Alert führt zu einer Meldung<br />
*Bei Drop wird das Paket verworfen. <br />
{{#drawio:ips}}<br />
<br />
= Konfiguration Suricata =<br />
<br />
* '''vim /etc/suricata/suricata.yaml'''<br />
<pre><br />
%YAML 1.1<br />
---<br />
# Variablen für die Adressgruppen festlegen<br />
vars:<br />
address-groups:<br />
LAN: "[192.168.10.0/24]"<br />
DMZ: "[172.18.10.0/24]"<br />
INT: "[$LAN,$DMZ]"<br />
EXTERNAL_NET: "!$INT"<br />
<br />
# Standard-Log-Verzeichnis<br />
default-log-dir: /var/log/suricata/<br />
<br />
# Statistiken aktivieren<br />
stats:<br />
enabled: yes<br />
interval: 8<br />
<br />
# Ausgaben konfigurieren<br />
outputs:<br />
- fast:<br />
enabled: yes<br />
filename: fast.log<br />
append: yes<br />
- alert-debug:<br />
enabled: yes<br />
filename: alert-debug.log<br />
append: yes<br />
- stats:<br />
enabled: yes<br />
filename: stats.log<br />
append: yes<br />
totals: yes<br />
threads: no<br />
<br />
# Logging-Einstellungen<br />
logging:<br />
default-log-level: notice<br />
outputs:<br />
- console:<br />
enabled: yes<br />
- file:<br />
enabled: yes<br />
level: info<br />
filename: suricata.log<br />
<br />
# Netzwerkschnittstellen konfigurieren<br />
af-packet:<br />
- interface: enp0s3<br />
threads: auto<br />
cluster-id: 97<br />
cluster-type: cluster_flow<br />
defrag: yes<br />
- interface: enp0s8<br />
threads: auto<br />
cluster-id: 98<br />
cluster-type: cluster_flow<br />
defrag: yes<br />
- interface: enp0s9<br />
threads: auto<br />
cluster-id: 99<br />
cluster-type: cluster_flow<br />
defrag: yes<br />
<br />
# PID-Datei<br />
pid-file: /var/run/suricata.pid<br />
<br />
# Coredump-Einstellungen<br />
coredump:<br />
max-dump: unlimited<br />
<br />
# Host-Modus<br />
host-mode: auto<br />
<br />
# Unix-Befehlseingabe konfigurieren<br />
unix-command:<br />
enabled: yes<br />
filename: /var/run/suricata-command.socket<br />
<br />
# Engine-Analyse-Einstellungen<br />
engine-analysis:<br />
rules-fast-pattern: yes<br />
rules: yes<br />
<br />
# Defragmentierungseinstellungen<br />
defrag:<br />
memcap: 32mb<br />
hash-size: 65536<br />
trackers: 65535<br />
max-frags: 65535<br />
prealloc: yes<br />
timeout: 60<br />
<br />
# Standardregelverzeichnis<br />
default-rule-path: /etc/suricata/rules<br />
<br />
# Regel-Dateien<br />
rule-files:<br />
- local.rules<br />
<br />
# Klassifikationsdatei<br />
classification-file: /etc/suricata/classification.config<br />
<br />
# Referenzkonfigurationsdatei<br />
reference-config-file: /etc/suricata/reference.config<br />
</pre><br />
<br />
= Local Rules =<br />
<br />
*cat /etc/suricata/rules/local.rules<br />
<br />
drop http any any -> any any (msg: "SQL Injection Attempt!"; flow:established,to_server; http.request_body; content: "OR 1=1"; sid:2;)<br />
drop dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; sid:3;)<br />
drop http any any -> any any (msg: "Possible SQL Injection attack (Contains singlequote POST DATA)"; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:4;)<br />
drop http any any -> any any (msg: "Possible Command Injection attack (Contains semicolon POST DATA)"; flow:established,to_server; content:"%3B"; nocase; http_client_body; sid:5;)<br />
<br />
= Firewallanpassung =<br />
;Ohne Return von der IPS, Hierzu müsste die IPS der Firewall nachgeschaltet sein.<br />
* '''vim /usr/local/sbin/firewall'''<br />
<br />
iptables -P FORWARD DROP<br />
iptables -A FORWARD -j NFQUEUE<br />
...<br />
<br />
==Start suricata==<br />
<br />
*'''suricata -D -q 0<br />
<br />
== Problematik ==<br />
<br />
* Dadurch, dass Suricata alle Pakete vom LAN zur DMZ behandelt, werden alle Pakete, die nicht ausdrücklich verworfen werden akzeptiert<br />
* Wir müssen Suricata also so einstellen, dass es diese Pakete wieder iptables übergibt<br />
<br />
= NFQUEUE Repeat =<br />
<br />
* Damit Suricata die nicht gedroppten Pakete automatisch akzeptiert, sondern dies der Firewall überlässt, kann es diese Pakete markieren und zurück zu iptables schicken<br />
* Markierungen folgen der Syntax $''MARK''/$'''MASK'''<br />
<br />
== iptables Version ==<br />
* '''vim /usr/local/sbin/firewall'''<br />
<br />
iptables -P FORWARD DROP<br />
iptables -A FORWARD -m mark ! --mark ''1''/'''1''' -j NFQUEUE<br />
iptables -A FORWARD -j LOG --log-prefix "iptables return from Suricata: "<br />
...<br />
<br />
== nftables Version ==<br />
* '''vim ''/etc/nftables.conf'' '''<br />
<br />
table inet filter {<br />
...<br />
chain forward {<br />
mark and 1 != 1 queue<br />
...<br />
}<br />
}<br />
<br />
<br />
* '''vim /etc/suricata/suricata.yml'''<br />
<br />
== Suricata Anpassung ==<br />
...<br />
nfq:<br />
mode: repeat<br />
repeat-mark: ''1''<br />
repeat-mask: '''1'''<br />
...<br />
==Start suricata==<br />
<br />
*'''suricata -D -q 0'''<br />
* Den Unterschied zwischen ''repeat'' und ''accept'' kann man mit Ping und SSH testen (falls SSH in der FORWARD Kette blockiert ist)<br />
* Die Verstöße können folgendermaßen gesehen werden<br />
*'''tail -fn0 ''/var/log/suricata/fast.log'' '''<br />
<br />
= Ersatz des IDS durch IPS =<br />
* Die Standard ''.service''-Datei der Debian Installation stellt Suricata in den IDS-Modus<br />
* Für den Start des IPS-Modus über systemd muss eine eigene ''.service''-Datei geschrieben werden<br />
* '''cp ''/lib/systemd/system/suricata.service'' ''suricata-ips.service'' '''<br />
* '''vim ''suricata-ips.service'' '''<br />
<br />
[Unit]<br />
Description=Suricata IDS/IDP daemon<br />
After=network.target network-online.target<br />
Requires=network-online.target<br />
Documentation=man:suricata(8) man:suricatasc(8)<br />
Documentation=https://suricata-ids.org/docs/<br />
<br />
[Service]<br />
Type=forking<br />
#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4<br />
PIDFile=/run/suricata.pid<br />
ExecStart=/usr/bin/suricata -D -q 0 -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid<br />
ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID<br />
ExecStop=/usr/bin/suricatasc -c shutdown<br />
Restart=on-failure<br />
ProtectSystem=full<br />
ProtectHome=true<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
* '''cp ''suricata-ips.service'' ''/etc/systemd/system'' '''<br />
* Wechsel der zu verwendeten ''.service''-Datei<br />
* '''systemctl disable --now suricata.service'''<br />
* '''systemctl enable --now suricata-ips.service'''<br />
<br />
= Links =<br />
<br />
* https://docs.suricata.io/en/suricata-6.0.0/configuration/suricata-yaml.html#nfq<br />
* https://medium.com/@mshulkhan/detection-attack-using-suricata-2-d93d423a435</div>
Thomas.will