Capture packets from nflog in suricata

After some months I've finished to work on a new feature introduced in Suricata.

Now it's possible to capture packets from nflog, a userspace library providing interface to packets that have been logged by the packet filter.

This post is going to explain how to enable nflog support and use it.

Requirements

Some packages needs to be on your system, you must install netfilter_log and nfnetlink libraries, on debian you can do:

apt-get install libnetfilter_log libnfnetlink

Otherwise it's possible to get the source code from the main site Netfilter.org and build them.

Building it

Suricata can be built with nflog support, to do that, you have to pass "--enable-nflog" option to configure script:

sh autogen.sh
./configure --enable-nflog
make && make install

Take a look at suricata.yaml configuration file, by default suricata can capture packets from nflog group 2.

 nflog:
     # netlink multicast group
     # (the same as the iptables --nflog-group param)
     # Group 0 is used by the kernel, so you can't use it
   - group: 2
     # netlink buffer size
     buffer-size: 18432
     # put default value here
   - group: default
     # set number of packet to queue inside kernel
     qthreshold: 1
     # set the delay before flushing packet in the queue                                     inside kernel
     qtimeout: 100
     # netlink max buffer size
     max-size: 20000

You can add more groups, obviously.

Don't forget to add the iptables rule before

iptables -A INPUT -j NFLOG --nflog-group 2

Let's start suricata now:

suricata -c /etc/suricata/suricata.yaml --nflog -v

If everything is ok, you should read:

   [2077] 3/7/2014 -- 09:07:35 - (runmode-nflog.c:192) <Info> (RunModeIdsNflogAutoFp) -- RunModeIdsNflogAutoFp initialised

When terminating it, packets stats will be printed:

[2114] 3/7/2014 -- 09:12:47 - (source-nflog.c:483) <Notice> (ReceiveNFLOGThreadExitStats) -- (RecvNFLOG21) Pkts 31, Bytes 1936

Conclusion

Actually it's not possible to start suricata both in ids and ips mode, so if you capture packets from nflog you can't capture them from nfq.
Will be possible to use suricata in ids/ips mixed mode soon,
I promise. :)

comments powered by Disqus