Hi, I’m trying to follow Setting up IPS in Linux and I have a question, well maybe more. I want Suricata to use NFTables and I’m trying to follow section NFTables. When I try the commands I get this error:
bash: syntax error near unexpected token `}'
So how do I fix that? The example given shows:
nft> add chain filter IPS { type filter hook forward priority 10;}
and
nft> add rule filter IPS queue
neither of which works? I've even tried using this format:
sudo nft add chain inet Suricata { type filter hook forward priority 10;}
sudo nft add rule inet Suricata queue
(My main table is inet) and NFTables errors on the word "queue" btw in both commands. Also I read the help question about "discussion about Suricata" and tried running the command
grep 'event_type":"alert' /var/log/suricata/eve.json
and got no results from the command as user and sudo, with no output from either.
Also in the NFQUEUE it doesn’t play nice.
and for 13.2.1. AF_PACKET IPS mode could I use an inactive NIC, meaning I have a wireless card and a wired card, the wireless isn’t being used at this time and it appears I need 2 cards (interfaces)?
And last (hopefully) question, is there a way to have suricata’s log be added to a Logwatch report?
What Linux distribution are you using?
I’m on Debian testing aka Bookworm
If you run the nftables commands, depending on your shell you need to quote them, so try to put them in brackets.
Okay I found the problem, because I’m using a BASH shell I need to encase the commands in single quotes ' ' as per this page: NFtables Wiki, which states:
Important: nft re-uses special characters, such as curly braces and the semicolon. If you are running these commands from a shell such as bash, all the special characters need to be escaped. The simplest way to prevent the shell from attempting to parse the nft syntax is to quote everything within single quotes. Alternatively, you can run the command
% nft -i
and run nft in interactive mode.
I think I have it right anyway.
Okay one down two to go:
13.2.1. AF_PACKET IPS mode could I use an inactive NIC, meaning I have a wireless card and a wired card, the wireless isn’t being used at this time and it appears I need 2 cards (interfaces)?
My choices are :
lo (localhost)
enp1s0 (wired connection )
wlp2s0 (Wireless connection, but shut off)
tun0 (VPN Connection)
So could I use wlp2s0 and enp1s0 for the layer 2 IPS?
And last (hopefully) question, is there a way to have suricata’s log be added to a Logwatch report?
This depends on the setup you want to actually achieve. A wireless interface might not be the ideal choice.
Logwatch should be possible, but might need custom scripts in Logwatch I guess. You can look into the different logging options on Suricata side what would work for you.
Well I’m trying to configure IPS for my machine. From the directions on the documents page it appears as though you’d need two interfaces for IPS, the other option is TAP and I’m not trying to bridge connections. I just want to get warned if I’m being attacked.
So for the logging options I’m assuming that is in the YAML file?
I think I have it set correctly (Suricata starts at least)
Here’s what I have in the yaml file:
  # Stats.log contains data from various counters of the Suricata engine.
  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
      #null-values: yes # print counters that have value 0. Default: no
  # a line based alerts log similar to fast.log into syslog
The other option would be to use NFQUEUE, this depends on where you want to place the IPS in your network. So where would you place it in your setup?
For the logs you should check the EVE output options, see 15.1. EVE — Suricata 6.0.9 documentation
Well I only have the one machine (currently) so the tun0 (VPN) & enp1s0 (wired) connections are the ones I would like to watch. I did run the NFQUEUE thing but I wasn’t sure (from reading the guide) if I needed to create the rule, chain, and table before I ran the command for NFQUEUE or if I could just do the NFQUEUE and not need those set first.
Also, while I’m thinking about it, if I need to enable the wireless connection (wlp2s0) for anything will it be picked up automatically?
For the logging options are you recommending I use syslog? Debian (like most distros now) uses systemctl with journalctl so I’m guessing it’s that one?
Thanks for the help so far.
Suricata is not that often used on endpoints, so a lot of documentation and guides are for IDS mode on mirror/tap ports or IPS mode for Gateways in the network.
If you run it on an endpoint, I would go with the NFQUEUE setup as described in 13. Setting up IPS/inline for Linux — Suricata 6.0.9 documentation and you set the netfilter rules as it fits your setup. You just need to make sure that you have the NFQUEUE jump at those places where you want to have it. On an endpoint INPUT/OUTPUT are more relevant and FORWARD not that much, but depends on your configuration.
No it won’t be picked up automatically, you would have to use a script for that or a service file to manage this. Suricata normally expects the interface to be there when you start Suricata.
There are different parts of logging, the pure suricata.log can be integrated into whatever you like and your distro uses for general logging.
For the alerts and events in EVE it depends on how you want to manage those and where you want to look into those details. This also depends on your goals/requirements.
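To tie the quoting problem from earlier in the thread to the endpoint NFQUEUE placement suggested here, the following is an added example (not code from the Suricata documentation or from anyone in this thread). It emits an nftables ruleset for the input and output hooks, to be loaded with nft -f so bash never parses the braces, plus the single-quoted one-liners for an interactive session; the table name "suricata" and queue number 0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the Suricata docs or the forum posters): emit an
# nftables ruleset that sends an endpoint's own INPUT and OUTPUT traffic to
# NFQUEUE 0 for Suricata, to be loaded with `nft -f` so bash never sees the
# braces and semicolons. Table name "suricata" and queue number 0 are assumptions.
suricata_nft_ruleset() {
    queue="${1:-0}"
    cat <<EOF
table inet suricata {
    chain input {
        type filter hook input priority 10; policy accept;
        # bypass: if no process is bound to the queue (Suricata down),
        # packets are accepted instead of dropped (fail-open)
        queue num ${queue} bypass
    }
    chain output {
        type filter hook output priority 10; policy accept;
        queue num ${queue} bypass
    }
}
EOF
}

# Equivalent one-liners for an interactive bash session: single quotes keep
# bash from parsing the braces (the "syntax error near unexpected token `}'").
# Note that `add rule` takes family, table AND chain before the expression.
suricata_nft_oneliners() {
    cat <<'EOF'
sudo nft 'add table inet suricata'
sudo nft 'add chain inet suricata input { type filter hook input priority 10; }'
sudo nft 'add rule inet suricata input queue num 0 bypass'
EOF
}

# Write the ruleset to a file; load it with: sudo nft -f "$file"
write_ruleset() {
    file="${1:-/tmp/suricata-ips.nft}"
    suricata_nft_ruleset "${2:-0}" > "$file"
    printf '%s\n' "$file"
}

if [ "${1:-}" = "--load" ]; then
    # root is needed for nft; Suricata is then started with: suricata -q 0
    sudo nft -f "$(write_ruleset)" && sudo nft list table inet suricata
fi
```

Without the bypass flag, every packet hitting the queue is dropped whenever Suricata is not running, so check that behaviour matches what you want before loading this on a machine you reach remotely.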
Well, I’m kind of unsure how I’d manage those, however the goal is if some alert gets fired (aka something is trying to get in that isn’t supposed to ) I would like them to show in the Log report I receive from Log watch (unless it’s a DDOS attack or something urgent that shouldn’t happen on a single user machine).
I’m assuming that all logs for Suri are in /var/log/suricata/ and I would just need to point logwatch to the Suri “service” or name each of the logs in a Suri.conf file for Logwatch (it looks pretty straightforward), I just need to be able to see if there is output so I know I have it correctly set up.
Thanks for your advice/patience with me so far.
Ideally logwatch already has a routine to check for new files or updates on files. But the files should be there right after the start, but might be empty for some time until the logs are filled.
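For the custom Logwatch routine mentioned above, here is an added example (not from the forum or the Suricata project) of the filtering such a service script would do: Logwatch hands the log lines to a service script on stdin, and this reads EVE JSON from stdin and reduces it to a per-signature alert summary using only grep/sed/sort. The eve.json lines embedded below are constructed sample data with placeholder signature ids.

```shell
#!/bin/sh
# Added example (not from the forum or Suricata): a stdin filter that turns
# EVE JSON alert records into a short per-signature summary, the kind of
# routine a custom Logwatch service script for /var/log/suricata/eve.json needs.
# Only grep/sed/sort are used, so it works without jq.

# Keep only alert events; flow, dns, stats etc. records are dropped.
alert_lines() {
    grep '"event_type":"alert"'
}

count_alerts() {
    alert_lines | wc -l | tr -d ' '
}

# One line per signature: "<count> <signature> (severity N)", most frequent first.
alert_summary() {
    alert_lines \
      | sed -n 's/.*"signature":"\([^"]*\)".*"severity":\([0-9]*\).*/\1 (severity \2)/p' \
      | sort | uniq -c | sort -rn
}

# Constructed sample eve.json lines (signature ids/names are placeholders).
sample_eve() {
    cat <<'EOF'
{"timestamp":"2023-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"TEST Constructed alert A","category":"Constructed","severity":2}}
{"timestamp":"2023-05-01T10:00:02.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP"}
{"timestamp":"2023-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"TEST Constructed alert A","category":"Constructed","severity":2}}
{"timestamp":"2023-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"signature":"TEST Constructed alert B","category":"Constructed","severity":1}}
EOF
}

# As a Logwatch service script the lines arrive on stdin; run stand-alone
# against the sample with: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf 'alerts: %s\n' "$(sample_eve | count_alerts)"
    sample_eve | alert_summary
fi
```

An empty summary right after startup is expected, as the reply above says: eve.json exists but has no alert records until a rule actually fires.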