NFLOG config example

Good time of the day, community!

Could someone please share Suricata working config example for NFLOG approach?
I have the following inputs:
Version: 6.0.10
Linux Debian 12
Installed from package.

  • There is no problem with the iptables/NFLOG side (I can grab the packets from nflog groups via the ulogd2 daemon).
  • The “--build-info” option shows nflog support is present.
  • Looking through all the docs and googling for related issues, I have the impression that the nflog approach is hardly used at all. So far I can’t grasp the overall logic of how Suricata should be configured for nflog usage: there is no separate start option for nflog, so should it be combined with something else (aka AF_PACKET on a dummy interface or similar)?
  • So, having the following related lines in suricata.yaml:
    nflog:
      # netlink multicast group
      # (the same as the iptables --nflog-group param)
      # Group 0 is used by the kernel, so you can't use it
      - group: 7
        # netlink buffer size
        buffer-size: 18432
        qthreshold: 1
        max-length: 0

Suricata is not seeing any traffic at nflog group 7 (I start it in AF_PACKET mode, but tried a few other options as well, given the lack of an explicit nflog start option).

Any link with an explanation or a config example with start options would be greatly appreciated!

Thx in advance!

Can you share your suricata.yaml config and how you run Suricata? Ideally also the stats.log and suricata.log.

Also keep in mind Suricata 6 is EOL and won’t be supported anymore, please upgrade to 7.

Hi Andreas!

Thanks for reaching out!
Unfortunately I have already torn down that lab instance due to the lack of a solution for NFLOG and used the NFQUEUE option instead, with marks and packet re-injection back into the packet filter. So, I can’t currently provide the actual latest config.yaml used for NFLOG testing.
The NFQUEUE option works (I’m already running this in prod for a bunch of machines) but has some cons in my scenarios: I’m using packet marking across my filters a lot, and obviously those already marked flows can’t be fed into Suricata since it puts its own mark when re-injecting the packet back. This breaks the original marking and filtering logic.
Long story short: if you could kindly share the working example config.yaml and the start string, also specifying the Suricata version with which you managed to get NFLOG operational, I’d greatly appreciate that and will bring the lab back up again to test.

Thx in advance,
Nick

This setup is explained in our documentation: 15. Setting up IPS/inline for Linux — Suricata 8.0.0-dev documentation

Hi Andreas,

The page you kindly outlined has zero references to the word “NFLOG”. And for sure, prior to creating this thread I checked the official documentation multiple times (as well as other resources available) for any operational NFLOG Suricata configuration/example. There is none actually, nor does it work with the different combinations of options I’ve tried to set up. This is confirmed as well by zero answers here from the community.

I might be missing something of course, hence my question: if you could kindly share a proven working Suricata config example for NFLOG integration and the start string, that would be appreciated!

Rg,
Nick.

My bad, I misread that part. The nflog feature is rarely used, but please share your suricata.yaml and also the mentioned log files once you have set it up again so we can try to spot any issues.

I’ll respawn the lab instance and get back shortly.
Thanks for your help Andreas!
N.

Hi Andreas,

The requested log files are attached.

The sequence of steps is as follows:

  1. Suricata 7.0.8 RELEASE was built from source on Debian 12.6:

    $ suricata -V
    This is Suricata version 7.0.8 RELEASE

    $ cat /etc/*release
    PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
    NAME="Debian GNU/Linux"
    VERSION_ID="12"
    VERSION="12 (bookworm)"
    VERSION_CODENAME=bookworm
    ID=debian
    HOME_URL="https://www.debian.org/
    SUPPORT_URL="Debian -- User Support
    BUG_REPORT_URL="https://bugs.debian.org/

  2. Nflog support is enabled in Suricata:
    $ suricata --build-info | grep NFLOG
    NFLOG support: yes

  3. Iptables config (I’m using nflog-group 5 for incoming and outgoing ICMP packets):
    $ iptables -L -nv
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NFLOG      1    --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 5

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 NFLOG      1    --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-group 5

  4. Checking (prior to Suricata start) that packets are getting into nflog-group 5 when pinging from another machine on the same LAN:
    $ tcpdump -n -i nflog:5
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on nflog:5, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes

    07:39:51.863233 IP 192.168.196.2 > 192.168.196.7: ICMP echo request, id 2, seq 1, length 64
    07:39:51.863517 IP 192.168.196.7 > 192.168.196.2: ICMP echo reply, id 2, seq 1, length 64
    07:39:51.863556 IP 192.168.196.2 > 192.168.196.7: ICMP echo request, id 2, seq 2, length 64
    07:39:51.863568 IP 192.168.196.7 > 192.168.196.2: ICMP echo reply, id 2, seq 2, length 64
    07:39:53.879228 IP 192.168.196.2 > 192.168.196.7: ICMP echo request, id 2, seq 3, length 64
    07:39:53.879346 IP 192.168.196.7 > 192.168.196.2: ICMP echo reply, id 2, seq 3, length 64

  5. Stopping tcpdump.

  6. Starting Suricata (since there is no explicit start option for NFLOG, I’m starting the daemon with the «-q 0» option, which seems to be the closest one, and then I can control what I would like to feed towards Suricata):
    $ suricata -D -q 0 -c /usr/local/etc/suricata/suricata.yaml

stats.log (13.1 KB)
suricata.log (1.7 KB)
suricata.yaml (84.4 KB)
An intermediate test already shows that the setup does not work: I’m trying to start tcpdump for nflog group 5 after I started Suricata, assuming Suricata is already listening on nflog group 5 (as per the suricata.yaml config).
The expected behaviour for tcpdump is to terminate with an error (since two processes can’t listen on the same nflog group simultaneously), but in my case tcpdump starts OK:
    $ tcpdump -n -i nflog:5
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on nflog:5, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes

This means that Suricata does not listen on nflog group 5.

Just as proof: running e.g. ulogd2 to listen on nflog group 5 and then trying to run tcpdump on the same group returns an error.

Summarizing:

  1. I’ve used the original template suricata.yaml config with the following custom changes: A) HOME_NET set to self-ip/32; B) nflog group set to 5; C) eve-log is disabled.
  2. I’ve started Suricata with the «-D -q 0» options and confirmed that it does not listen on the expected nflog-group.

Hi Andreas,

Sorry to disturb.
Did you kindly have a chance to look through my previously posted input?
Any ideas for the working config to force Suricata to listen to nflog please?

Thx in advance,
Nick

-q starts nfqueue mode. Use --nflog for starting nflog mode.

Hi Victor,

You made my day! Thank you!

While the option looks obvious, I could not see it either in the man page or in the output of the “suricata --help” CLI options. Hence, I did not try what was not spotted as an available option.

Starting the program as follows:
“/usr/bin/suricata -D --nflog -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid”

forces Suricata to listen to the configured nflog group and treat the packets respectively.

Rg,
Nick.
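The thread boils down to three things that have to agree before Suricata sees NFLOG traffic: the start flag (--nflog, not -q, which selects NFQUEUE), a non-zero group in the nflog: section of suricata.yaml, and an iptables rule with a NFLOG target for that same group. The following preflight check is an added example, not code from the thread or from the Suricata project; the yaml and `iptables -S` text it parses are constructed samples mirroring the group-5 setup above, and the minimal yaml parser assumes the stock `- group: N` layout rather than a full YAML library.

```python
import re
import shlex

# Constructed sample inputs standing in for /etc/suricata/suricata.yaml and
# the output of `iptables -S` on the sensor (group 5, as in the thread).
SAMPLE_YAML = """\
nflog:
  - group: 5
    buffer-size: 18432
    qthreshold: 1
    max-length: 0
"""
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -j NFLOG --nflog-group 5
-A OUTPUT -p icmp -j NFLOG --nflog-group 5
"""

def yaml_nflog_groups(text):
    """Group numbers under the top-level 'nflog:' block (stock '- group: N' layout)."""
    groups, in_block = [], False
    for line in text.splitlines():
        if re.match(r"^nflog:\s*$", line):
            in_block = True
            continue
        if in_block and re.match(r"^\S", line):  # next top-level key ends the block
            break
        m = re.match(r"^\s*-\s*group:\s*(\d+)", line)
        if in_block and m:
            groups.append(int(m.group(1)))
    return groups

def iptables_nflog_groups(text):
    """Group numbers that some rule in 'iptables -S' output sends to NFLOG."""
    return sorted({int(m.group(1))
                   for m in re.finditer(r"-j NFLOG .*?--nflog-group (\d+)", text)})

def preflight(cmdline, yaml_text, iptables_text):
    """Inconsistencies that leave Suricata seeing no traffic; [] means all agree."""
    problems = []
    if "--nflog" not in shlex.split(cmdline):
        problems.append("suricata is not started with --nflog (-q selects NFQUEUE mode)")
    yaml_groups = yaml_nflog_groups(yaml_text)
    if not yaml_groups or 0 in yaml_groups:
        problems.append("suricata.yaml needs an nflog group other than 0")
    missing = [g for g in yaml_groups if g not in iptables_nflog_groups(iptables_text)]
    if missing:
        problems.append(f"no iptables NFLOG rule feeds group(s) {missing}")
    return problems
```

On a real sensor, feed `preflight()` the planned command line, the contents of suricata.yaml and the output of `iptables -S`; the tcpdump test from the thread (a second listener on the same nflog group fails when Suricata is attached) remains the runtime confirmation.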