Good time of the day, community!
Could someone please share Suricata working config example for NFLOG approach?
I have the following inputs:
Version: 6.0.10
Linux Debian 12
Installed from package.
- There is no problem with iptables/NFLOG side (I can grab the packets from nflog groups via ulogd2 daemon).
- The “–build-info” option shows nflog support is present.
- Looking through all the docs and googling for related issues I have impression that nflog approach is hardly used at all. So far I can’t grab the overall logic how Suricata should be configured for nflog usage: there is no separate start option fro nflog, so should it be combined with something else (aka AF_PACKET on dummy interface or similar)?
- So, having the following related lines in suricata.yaml
nflog:
# netlink multicast group
# (the same as the iptables --nflog-group param)
# Group 0 is used by the kernel, so you can’t use it- group: 7
# netlink buffer size
buffer-size: 18432
qthreshold: 1
max-length: 0
- group: 7
Suricata is not seeing any traffic at nflog group 7 (I start it in AF_PACKET mode, but tried few other options as well having the lack of explicit nflog start option).
Any link with explanation or config example wih start options would be greatly appreciated!
Thx in advance!