NFQUEUE is an iptables and ip6tables target that delegates the decision on packets to a user-space program such as an IPS.
To enable IPS mode using NFQ:

1. Install the Netfilter packages:

   sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

2. Configure Suricata with the --enable-nfqueue option.
3. Build and install.
4. Configure iptables.
To scan bridged packets, add the rule:

   sudo iptables -I FORWARD -j NFQUEUE

To use the Suricata NFQ repeat mode, add the rule below, specifying the source chain you need:

   iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE

This rule sends packets to NFQUEUE only if they do not carry the specified mark, which Suricata sets after it has processed the packet.
Warning

If you stop Suricata, packets that arrive in NFQUEUE will not be processed and, as a result, will not be passed on.
Note

On Linux with kernel version 3.6 or later, set the fail-open option to yes in suricata.yaml so that the kernel accepts the packet if Suricata cannot keep pace.
Configure the Suricata NFQ modes in the suricata.yaml configuration file:

accept: In the default NFQ mode, Suricata generates a terminal verdict, pass or drop. The packet is not inspected by the rest of the iptables rules.

repeat: Suricata generates a non-terminal verdict and marks the packet, which is then re-injected at the first rule of iptables. Add the following rule to iptables:

   iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE

route: To send a packet to another queue after an ACCEPT decision, set mode to route and set the route-queue value. Use route mode to scan packets with multiple network scanners on the same VM.
An example of the NFQ configuration in suricata.yaml:

   nfq:
     mode: accept # nfq mode: accept, repeat, route
     repeat-mark: 1 # used for repeat mode to mark a packet
     repeat-mask: 1 # used for repeat mode to mark a packet
     route-queue: 2 # for 'route' mode
     batchcount: 20 # max length of a batching verdict cache
     fail-open: yes # a packet is accepted when queue is full
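A helper for the mode settings, the configuration snippet and the fail-open note above, written as an added shell example that is not part of the Suricata documentation or project: it reads the nfq: keys from a copy of the configuration snippet, checks that the repeat mark fits inside its mask, checks the kernel version the fail-open note requires, and prints the iptables rule that matches the configured mode. The function names (nfq_get, mark_within_mask, kernel_at_least, nfq_rule) and the sample text are this example's own; for route mode it assumes packets enter queue 0 as with the default rule and that the second scanner reading route-queue is started separately.

```shell
#!/bin/sh
# Added example, not part of the Suricata documentation: read the nfq: section
# of suricata.yaml, sanity-check it, and print the iptables rule that matches
# the configured mode. Function and variable names are this example's own.

# Constructed copy of the nfq: section from the page, switched to repeat mode.
SAMPLE_YAML='nfq:
  mode: repeat # nfq mode: accept, repeat, route
  repeat-mark: 1 # used for repeat mode to mark a packet
  repeat-mask: 1 # used for repeat mode to mark a packet
  route-queue: 2 # for route mode
  batchcount: 20 # max length of a batching verdict cache
  fail-open: yes # a packet is accepted when queue is full'

# nfq_get KEY YAML: print the value of KEY with any trailing "# comment" removed.
nfq_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 == (key ":") { sub(/#.*/, ""); print $2; exit }'
}

# mark_within_mask MARK MASK: succeed only if every bit set in MARK is also set
# in MASK. "-m mark ! --mark MARK/MASK" tests (mark & MASK) == MARK, so a mark
# bit outside the mask can never match and re-injected packets would be queued
# again on every pass.
mark_within_mask() {
    [ $(( $1 & ~$2 )) -eq 0 ]
}

# kernel_at_least VERSION MAJOR MINOR: compare a "uname -r" style string such as
# "5.15.0-91-generic" against MAJOR.MINOR (the fail-open note needs 3.6).
kernel_at_least() {
    major=${1%%.*}
    if [ "$major" = "$1" ]; then minor=0; else minor=${1#*.}; fi
    minor=${minor%%.*}; minor=${minor%%-*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# nfq_rule CHAIN YAML: print the iptables rule for the configured mode.
# Assumption for route mode: packets still enter queue 0, and the tool that
# should see them after Suricata's ACCEPT listens on route-queue (not shown).
nfq_rule() {
    chain=$1; yaml=$2
    mode=$(nfq_get mode "$yaml")
    case $mode in
        accept)
            printf 'iptables -I %s -j NFQUEUE\n' "$chain" ;;
        repeat)
            mark=$(nfq_get repeat-mark "$yaml")
            mask=$(nfq_get repeat-mask "$yaml")
            if ! mark_within_mask "$mark" "$mask"; then
                echo "repeat-mark $mark has bits outside repeat-mask $mask" >&2
                return 1
            fi
            printf 'iptables -I %s -m mark ! --mark %s/%s -j NFQUEUE\n' "$chain" "$mark" "$mask" ;;
        route)
            printf 'iptables -I %s -j NFQUEUE --queue-num 0\n' "$chain"
            echo "second scanner must read queue $(nfq_get route-queue "$yaml")" >&2 ;;
        *)
            echo "unknown nfq mode: $mode" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration: the sample rule, a rejected mark/mask pair, and
# the kernel check for fail-open on this host.
nfq_rule FORWARD "$SAMPLE_YAML"
BAD_YAML=$(printf '%s\n' "$SAMPLE_YAML" | sed 's/repeat-mark: 1/repeat-mark: 2/')
nfq_rule FORWARD "$BAD_YAML" || echo "rejected misconfigured repeat mark"
if kernel_at_least "$(uname -r)" 3 6; then echo "kernel supports fail-open"; fi
```

The mark/mask check is the one worth keeping around: with repeat-mark 2 and repeat-mask 1 the rule above would re-queue every re-injected packet, and nothing in iptables or Suricata warns about it.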
Start Suricata to filter packets in NFQUEUE:

   suricata -c /etc/suricata/suricata.yaml -q 0 -D

Note

By default all incoming packets go to the queue with number 0. However, you can define the queue number explicitly:

   iptables -A FORWARD -j NFQUEUE --queue-num 0
Test IPS mode with NFQ:

1. Modify the test rule in the /etc/suricata/rules/test.rules file to drop or reject packets:

   drop http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)

   or

   reject http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)

2. Start Suricata to scan the queues with forwarded packets:

   suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -D

3. Download the test file containing the word Alarm on the IPS VM. For example:

   wget http://<WEB_SERVER_IP>/test

   Verify that wget downloads the file successfully.

4. Add the following rules to iptables on the IPS VM to forward incoming and outgoing packets:

   iptables -A INPUT -j NFQUEUE
   iptables -A OUTPUT -j NFQUEUE --queue-num 1

5. Download the test file again:

   wget http://<WEB_SERVER_IP>/test

6. Verify that Suricata blocks the download. Example output:

   wget http://10.20.0.2:8080/test
   --2016-05-11 13:58:36-- http://10.20.0.2:8080/test
   Connecting to 10.20.0.2:8080... connected.
   HTTP request sent, awaiting response…

7. Verify that /var/log/suricata/fast.log contains the alert message showing that Suricata dropped the packet. For example:

   05/11/2016-13:58:36.889314 [Drop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.20.0.2:8080 -> 10.20.0.8:49628
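Two checks for the test procedure above, written as an added shell example that is not code from the Suricata project or this page: the first compares the NFQUEUE rules in an iptables -S listing with the queue numbers Suricata was started on (the -q arguments), so a queue that nobody reads, the situation the Warning describes, is reported before traffic is sent; the second reads fast.log and summarises which signatures dropped traffic and which flows were dropped. The function names (unread_queues, fastlog_summary, fastlog_drops), the iptables listing and the log lines are constructed for the example; the first log line copies the one shown above, the rest are invented.

```shell
#!/bin/sh
# Added example, not code from the Suricata project or this page: two checks
# for the test procedure above. unread_queues compares the NFQUEUE rules with
# the queues Suricata was started on (-q); fastlog_summary and fastlog_drops
# read fast.log. Function names and sample data are this example's own.

# Constructed "iptables -S" listing. A rule without --queue-num uses queue 0.
IPTABLES_SAMPLE='-P INPUT ACCEPT
-A INPUT -j NFQUEUE
-A OUTPUT -j NFQUEUE --queue-num 1
-A FORWARD -j NFQUEUE --queue-num 2'

# Constructed fast.log lines; the first copies the page's example, the others
# are invented (sid 2 is a made-up alert-only rule).
FASTLOG_SAMPLE='05/11/2016-13:58:36.889314 [Drop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.20.0.2:8080 -> 10.20.0.8:49628
05/11/2016-13:58:37.102211 [Drop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.20.0.2:8080 -> 10.20.0.8:49630
05/11/2016-13:59:01.000001  [**] [1:2:1] Example alert-only rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.20.0.8:49631 -> 10.20.0.2:8080'

# unread_queues RULES QUEUE...: print "CHAIN QUEUE" for every NFQUEUE rule whose
# queue is not among the QUEUE arguments. Packets sent to such a queue wait in
# the kernel with nobody to issue a verdict (see the Warning above).
unread_queues() {
    rules=$1; shift
    listening=" $* "
    printf '%s\n' "$rules" | awk -v listening="$listening" '
        /-j NFQUEUE/ {
            q = 0
            for (i = 1; i <= NF; i++) if ($i == "--queue-num") q = $(i + 1)
            if (index(listening, " " q " ") == 0) print $2, q
        }'
}

# fastlog_summary: read fast.log on stdin, print "ACTION SID COUNT" per pair.
# The action field follows the timestamp; a plain alert has "[**]" there.
fastlog_summary() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            action = ($2 == "[Drop]") ? "Drop" : "Alert"
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")   # gid:sid:rev
            count[action " " id[2]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# fastlog_drops: read fast.log on stdin, print "SID SRC -> DST" for dropped packets.
fastlog_drops() {
    awk '$2 == "[Drop]" && match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
        split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
        print id[2], $(NF - 2), $(NF - 1), $NF
    }'
}

# Stand-alone demonstration with the constructed data.
echo "queues with no Suricata listener when started with -q 0 -q 1:"
unread_queues "$IPTABLES_SAMPLE" 0 1
echo "fast.log summary:"
printf '%s\n' "$FASTLOG_SAMPLE" | fastlog_summary
echo "dropped flows:"
printf '%s\n' "$FASTLOG_SAMPLE" | fastlog_drops
```

On a real host, feed `iptables -S` and the -q list from the running suricata command line into unread_queues, and `tail /var/log/suricata/fast.log` into the two log functions; with the rules from step 4 and `-q 0 -q 1` from step 2 the queue check prints nothing, and the summary shows the sid 1 drops from step 7.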