Capture packets from nflog in suricata
After some months of work I've finished a new feature for Suricata.
It is now possible to capture packets from nflog, the userspace library (libnetfilter_log) that gives access to packets logged by the netfilter packet filter via NFLOG rules.
This post explains how to enable nflog support and how to use it.
Some packages need to be present on your system: you must install the netfilter_log and nfnetlink libraries together with their headers. On Debian you can do:
apt-get install libnetfilter-log-dev libnfnetlink-dev
Otherwise you can get the source code from the main Netfilter.org site and build the libraries yourself.
Suricata can be built with nflog support; to do that, pass the "--enable-nflog" option to the configure script:
sh autogen.sh
./configure --enable-nflog
make && make install
Take a look at the suricata.yaml configuration file: by default suricata captures packets from nflog group 2.
nflog:
    # netlink multicast group
    # (the same as the iptables --nflog-group param)
    # Group 0 is used by the kernel, so you can't use it
  - group: 2
    # netlink buffer size
    buffer-size: 18432
    # put default value here
  - group: default
    # set number of packet to queue inside kernel
    qthreshold: 1
    # set the delay before flushing packet in the queue inside kernel
    qtimeout: 100
    # netlink max buffer size
    max-size: 20000
You can add more groups, obviously.
Before starting suricata, don't forget to add the iptables rule that logs packets to that group:
iptables -A INPUT -j NFLOG --nflog-group 2
Let's start suricata now:
suricata -c /etc/suricata/suricata.yaml --nflog -v
If everything is ok, you should see:
 3/7/2014 -- 09:07:35 - (runmode-nflog.c:192) <Info> (RunModeIdsNflogAutoFp) -- RunModeIdsNflogAutoFp initialised
When suricata terminates, packet stats are printed:
 3/7/2014 -- 09:12:47 - (source-nflog.c:483) <Notice> (ReceiveNFLOGThreadExitStats) -- (RecvNFLOG21) Pkts 31, Bytes 1936
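The two things that most often go wrong with this setup are an iptables NFLOG rule pointing at a different group than the one in suricata.yaml (suricata then listens on an empty group and silently sees nothing) and a rule that is present but never matched. The following POSIX shell script is an added example, not code from the post or from the Suricata project: it checks an iptables-save dump for an NFLOG rule logging to a given group and extracts the packet and byte counts from the exit-stats line shown above. The iptables-save excerpt and the stats line are constructed samples; replace them with the real output of iptables-save and your suricata log.

```shell
#!/bin/sh
# Added example (not part of the original post): offline sanity checks for an
# nflog capture setup. Inputs are text you already have, so no root is needed.

# Constructed iptables-save excerpt: INPUT logs to group 2, FORWARD to group 5.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -j NFLOG --nflog-group 2
-A FORWARD -j NFLOG --nflog-group 5
COMMIT'

# Constructed Suricata exit-stats line, same shape as the one in the post.
SAMPLE_STATS='3/7/2014 -- 09:12:47 - (source-nflog.c:483) <Notice> (ReceiveNFLOGThreadExitStats) -- (RecvNFLOG21) Pkts 31, Bytes 1936'

# nflog_rule_present GROUP RULES
# Exit 0 if RULES contains an NFLOG rule logging to exactly GROUP.
# The trailing "( |$)" keeps group 2 from matching group 20.
nflog_rule_present() {
    group=$1
    rules=$2
    printf '%s\n' "$rules" | grep -Eq -- "-j NFLOG .*--nflog-group $group( |$)"
}

# nflog_pkts STATSLINE: print the "Pkts N" count from an exit-stats line.
nflog_pkts() {
    printf '%s\n' "$1" | sed -n 's/.*Pkts \([0-9]*\), Bytes \([0-9]*\).*/\1/p'
}

# nflog_bytes STATSLINE: print the "Bytes N" count from an exit-stats line.
nflog_bytes() {
    printf '%s\n' "$1" | sed -n 's/.*Pkts \([0-9]*\), Bytes \([0-9]*\).*/\2/p'
}

# check_capture GROUP RULES STATSLINE
# Return 1 when no rule feeds GROUP (suricata is blind), 2 when the rule is
# there but the run captured nothing (traffic never hit the chain), 0 otherwise.
check_capture() {
    if ! nflog_rule_present "$1" "$2"; then
        echo "no NFLOG rule for group $1: suricata will see nothing"
        return 1
    fi
    pkts=$(nflog_pkts "$3")
    if [ "${pkts:-0}" -eq 0 ]; then
        echo "NFLOG rule for group $1 is present but no packets were captured"
        return 2
    fi
    echo "group $1: $pkts packets, $(nflog_bytes "$3") bytes captured"
    return 0
}

# Constructed usage: group 2 from the default suricata.yaml.
check_capture 2 "$SAMPLE_RULES" "$SAMPLE_STATS"
```

Run it against real data with `iptables-save` piped into a variable and the last ReceiveNFLOGThreadExitStats line from the suricata log; a non-zero return from check_capture tells you which side of the setup to look at first.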
Currently it's not possible to run suricata in IDS and IPS mode at the same time, so if you capture packets from nflog you can't also capture them from nfq.
It will be possible to use suricata in mixed IDS/IPS mode soon,
I promise. :)