Redis output in IPS mode

fil104 · March 17, 2024, 4:38am

I am developing a Suricata management system and using Redis for eve.json output. Everything works perfectly in IDS mode. However, when switching to IPS mode, a problem arises: Suricata hangs. It seems like writing to Redis is blocking the traffic. Commands for iptables

iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

do not improve the situation. When using regular eve.json output, everything seems to work fine. What could be the issue?

vjulien · March 18, 2024, 7:56am

Can you check what the connection to redis looks like in conntrack?

fil104 · March 19, 2024, 7:29am

It seems I solved this problem.
I used wrong iptables rules:
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I INPUT -j NFQUEUE --queue-bypass
iptables -I OUTPUT -j NFQUEUE --queue-bypass

I changed them to
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j NFQUEUE --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-bypass
and all work now.
Thank you for wanting to help.

Topic		Replies	Views
Suricata 6.0.9 on Ubuntu 22.04 : How to enable the Redis output of SURICATA Help suricata	8	1787	January 6, 2023
Suricata not rejecting traffic when nothing is reading named pipe for eve logs Help	2	599	June 19, 2020
Suricata Network monitoring Help suricata	1	477	October 13, 2022
After installation, Suricata writes only statistics to eve Help	5	500	December 2, 2021
What to use for logs at high rate 10Gb/s or 100G/s for Eve logs Help	10	1138	February 27, 2023

Redis output in IPS mode

Related Topics