IPS mode using NFQ

IPS mode using NFQ¶

NFQUEUE is an iptables and ip6tables target entity that delegate the decision on packets to a user space software like IPS.

To enable IPS mode using ``NFQ``:

  1. Install Netfilter packages:

    sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
    
  2. Configure Suricata with --enable-nfqueue option.

  3. Build and install.

  4. Configure iptables.

    • To scan bridged packets, add the rule:

      sudo iptables -I FORWARD -j NFQUEUE
      
    • To use repeat Suricata NFQ mode, add the rule below specifying a source chain you need:

      iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE``
      

      This rule forwards packets to NFQUEUE only if they do not have a specified mark that can be set by Suricata after packet processing.

    Warning

    If you stop Suricata, the packets that come into NFQUEUE will not be processed and, as a result, will not be passed further.

    Note

    On Linux with the kernel version greater or equal 3.6, set the fail-open option to yes in suricata.yaml to make the kernel accept the packet if Suricata is not able to keep pace.

  5. Configure Suricata NFQ modes in the suricata.yaml configuration file:

    • Accept

      In default NFQ mode, Suricata generates a terminal verdict: pass or drop. A packet will not be inspected by the rest of the iptables rules.

    • Repeat

      Suricata generates a non-terminal verdict and mark the packets that will be reinjected again at the first rule of iptables. Add the following rule to iptables:

      iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
      
    • Route

      To send a packet to another queue after an ACCEPT decision, set mode to route and set route-queue value. Use a route mode to scan packets with multiple network scanners on the same VM.

    The example of the NFQ configuration in suricata.yaml:

    nfq:
    mode: accept # nfq mode: accept, repeat, route
    repeat-mark: 1 # used for repeat mode to mark a packet
    repeat-mask: 1 # used for repeat mode to mark a packet
    route-queue: 2 # for 'route' mode
    batchcount: 20 # max length of a batching verdict cache
    fail-open: yes # a packet is accepted when queue is full
    
  6. Start Suricata to filter packets in NFQUEUE:

    suricata -c /etc/suricata/suricata.yaml -q 0 -D
    

    Note

    By default all incoming packets go the queue with the number 0. However, you can define the queue number explicitly:

    iptables -A FORWARD -j NFQUEUE --queue-num 0
    
  7. Test IPS mode with NFQ:

    1. Modify the test rule in the /etc/suricata/rules/test.rules file to drop or reject packets:

      drop http any any -> any any (msg:"Alarm detected"; content:"Alarm";
      nocase; classtype:policy-violation; sid:1; rev:1;)
      

      or

      reject http any any -> any any (msg:"Alarm detected"; content:"Alarm";
      nocase; classtype:policy-violation; sid:1; rev:1;)
      
    2. Start Suricata to scan the queues with forwarded packets:

      suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -D
      
    3. Download the test file with the Alarm word inside on the IPS VM. For example:

      wget http://<WEB_SERVER_IP>/test
      
    4. Verify that wget successfully downloads the file.

    5. Add the following rules to iptables on IPS VM to forward incoming and outgoing

      packets:
      iptables -A INPUT -j NFQUEUE
      iptables -A OUTPUT -j NFQUEUE --queue-num 1
      
    6. Download the test file again:

      wget http://<WEB_SERVER_IP>/test
      
    7. Verify that Suricata blocks the downloading file. Example of output:

      wget http://10.20.0.2:8080/test
      --2016-05-11 13:58:36-- http://10.20.0.2:8080/test
      Connecting to 10.20.0.2:8080... connected.
      HTTP request sent, awaiting response…
      
    8. Verify that /var/log/suricata/fast.log contains the alert message showing the Suricata dropped the packet. For example:

      05/11/2016-13:58:36.889314 [Drop] [**] [1:1:1] Alarm detected [**]
      [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
      10.20.0.2:8080 -> 10.20.0.8:49628