Suricata-IDS and file server or storage

Hello,
I have enabled IP forwarding and I ran the following iptables rules:

$ sudo iptables -I FORWARD -i CLIENT -o SERVER -j NFQUEUE
$ sudo iptables -I FORWARD -i SERVER -o CLIENT -j NFQUEUE
$ sudo iptables-save

They have been applied:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i SERVER -o CLIENT -j NFQUEUE --queue-num 0
-A FORWARD -i CLIENT -o SERVER -j NFQUEUE --queue-num 0

Then, I ran the Suricata-IDS:

$ sudo suricata -c /etc/suricata/suricata.yaml -q 0

On the client machine, I ran Nmap and scanned the server. The Suricata-IDS reports are as follows:

# cat /var/log/suricata/suricata.log 
[14665 - Suricata-Main] 2023-09-30 02:58:30 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: cpu: CPUs/cores online: 2
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: exception-policy: master exception-policy set to: auto
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: nfq: NFQ running in standard ACCEPT/DROP mode
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: conf: Running in live mode, activating unix socket
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: logopenfile: fast output device (regular) initialized: fast.log
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: logopenfile: stats output device (regular) initialized: stats.log
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[14666 - RX-NFQ#0] 2023-09-30 02:58:36 Info: nfq: binding this thread 0 to queue '0'
[14666 - RX-NFQ#0] 2023-09-30 02:58:36 Info: nfq: setting queue length to 4096
[14666 - RX-NFQ#0] 2023-09-30 02:58:36 Info: nfq: setting nfnl bufsize to 6144000
[14665 - Suricata-Main] 2023-09-30 02:58:36 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[14665 - Suricata-Main] 2023-09-30 02:58:36 Notice: threads: Threads created -> RX: 1 W: 2 TX: 1 FM: 1 FR: 1   Engine started.
[14665 - Suricata-Main] 2023-09-30 03:01:23 Notice: suricata: Signal Received.  Stopping engine.
[14665 - Suricata-Main] 2023-09-30 03:01:24 Info: suricata: time elapsed 168.442s
[14666 - RX-NFQ#0] 2023-09-30 03:01:25 Notice: nfq: (RX-NFQ#0) Treated: Pkts 3140, Bytes 154036, Errors 0
[14666 - RX-NFQ#0] 2023-09-30 03:01:25 Notice: nfq: (RX-NFQ#0) Verdict: Accepted 3119, Dropped 21, Replaced 0
[14665 - Suricata-Main] 2023-09-30 03:01:25 Info: counters: Alerts: 29

And:

# cat /var/log/suricata/fast.log 
09/30/2023-02:59:05.812130  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:135 -> 192.168.1.1:1225
09/30/2023-02:59:53.416463  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49155 -> 192.168.1.1:1294
09/30/2023-02:59:53.418573  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49156 -> 192.168.1.1:1295
09/30/2023-02:59:53.419315  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49154 -> 192.168.1.1:1296
09/30/2023-02:59:53.419342  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49157 -> 192.168.1.1:1297
09/30/2023-02:59:58.394434  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49152 -> 192.168.1.1:1299
09/30/2023-02:59:58.441769  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49153 -> 192.168.1.1:1300
09/30/2023-02:59:59.127572  [**] [1:2200025:2] SURICATA ICMPv4 unknown code [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:8 -> 172.16.1.1:9
09/30/2023-03:00:02.584047  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1303 -> 172.16.1.1:445
09/30/2023-03:00:03.771320  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1304 -> 172.16.1.1:445
09/30/2023-03:00:06.146267  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1306 -> 172.16.1.1:445
09/30/2023-03:00:07.833342  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1307 -> 172.16.1.1:445
09/30/2023-03:00:09.521142  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1308 -> 172.16.1.1:445
09/30/2023-03:00:11.208586  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1309 -> 172.16.1.1:445
09/30/2023-03:00:12.896441  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1310 -> 172.16.1.1:445
09/30/2023-03:00:14.583292  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1311 -> 172.16.1.1:445
09/30/2023-03:00:16.271123  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1313 -> 172.16.1.1:445
09/30/2023-03:00:17.958738  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1314 -> 172.16.1.1:445
09/30/2023-03:00:19.647750  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1315 -> 172.16.1.1:445
09/30/2023-03:00:21.333273  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1316 -> 172.16.1.1:445
09/30/2023-03:00:23.023339  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1317 -> 172.16.1.1:445
09/30/2023-03:00:24.708309  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1318 -> 172.16.1.1:445
09/30/2023-03:00:26.395621  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1319 -> 172.16.1.1:445
09/30/2023-03:00:28.083671  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1320 -> 172.16.1.1:445
09/30/2023-03:00:29.770981  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1321 -> 172.16.1.1:445
09/30/2023-03:00:31.333681  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1322 -> 172.16.1.1:445
09/30/2023-03:00:33.021318  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1323 -> 172.16.1.1:445
09/30/2023-03:00:34.708461  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1324 -> 172.16.1.1:445
09/30/2023-03:00:36.270740  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1325 -> 172.16.1.1:445

Nmap has successfully detected the host:

Does suricata-IDS work?

Hello,
1- Have I configured Suricata-IDS in NFQ IPS mode correctly?

2- Should IP forwarding be enabled on the Suricata-IDS server in NFQ IPS mode?

Thank you.

Yes, it should. And also test for basic network functionality between client and server before testing with nmap scans.


Hello,
Thanks again.
The network is working properly. I wrote a routing table for the client and the server and both of them see each other through Suricata-IDS server.

1- What is wrong with my Suricata-IDS configuration?

2- After writing the iptables rules, the client and the server cannot ping each other, but communicate with each other. How do I enable ping?

3- Should Nmap detect the target OS as easily?

@samiux, any idea about it? I still don’t know if I configured Suricata-IDS in NFQ IPS mode correctly!

Hello,
How can I make sure Suricata-IDS is working?

Thanks.

Check the suricata.log to check if it is loading properly and if there is any Error or Warning message.

You may be required to write your own Nmap rules. You can try Wireshark as a tool to write Nmap rules.

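One way to turn the "check suricata.log for Error or Warning" advice into a repeatable check, as an added example that is not part of this thread or of the Suricata project: it parses the suricata.log and fast.log formats quoted above, confirms the NFQ ACCEPT/DROP mode line and engine start, counts Error/Warning entries, sums the per-thread NFQ verdict counters, and groups fast.log alerts by signature id. The embedded log text is a constructed excerpt of the lines posted in this thread.

```python
import re
from collections import Counter
# Constructed excerpts of the two logs quoted in the thread (suricata.log, fast.log).
SURICATA_LOG = """\
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: nfq: NFQ running in standard ACCEPT/DROP mode
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[14665 - Suricata-Main] 2023-09-30 02:58:36 Notice: threads: Threads created -> RX: 1 W: 2 TX: 1 FM: 1 FR: 1   Engine started.
[14666 - RX-NFQ#0] 2023-09-30 03:01:25 Notice: nfq: (RX-NFQ#0) Verdict: Accepted 3119, Dropped 21, Replaced 0
[14665 - Suricata-Main] 2023-09-30 03:01:25 Info: counters: Alerts: 29
"""
FAST_LOG = """\
09/30/2023-02:59:05.812130  [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:135 -> 192.168.1.1:1225
09/30/2023-02:59:59.127572  [**] [1:2200025:2] SURICATA ICMPv4 unknown code [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:8 -> 172.16.1.1:9
09/30/2023-03:00:02.584047  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1303 -> 172.16.1.1:445
09/30/2023-03:00:03.771320  [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1304 -> 172.16.1.1:445
"""

# suricata.log: "[pid - thread] date time Level: module: message"
LEVEL_RE = re.compile(r"^\[\d+ - [^\]]+\] \S+ \S+ (\w+): ")
VERDICT_RE = re.compile(r"Verdict: Accepted (\d+), Dropped (\d+), Replaced (\d+)")
# fast.log: "[**] [gid:sid:rev] msg [**] ... {proto} src -> dst"
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\].*\{(\w+)\} (\S+) -> (\S+)")
MARKERS = {"nfq_mode": "NFQ running in standard ACCEPT/DROP mode",
           "engine_started": "Engine started"}

def check_engine_log(text):
    """Health summary of suricata.log: IPS mode, errors/warnings, NFQ verdicts."""
    s = {"nfq_mode": False, "engine_started": False, "errors": 0,
         "warnings": 0, "accepted": 0, "dropped": 0}
    for line in text.splitlines():
        m = LEVEL_RE.match(line)
        if m and m.group(1) in ("Error", "Warning"):
            s[m.group(1).lower() + "s"] += 1
        for key, needle in MARKERS.items():
            if needle in line:
                s[key] = True
        v = VERDICT_RE.search(line)
        if v:  # one Verdict line per NFQ receive thread; sum them
            s["accepted"] += int(v.group(1))
            s["dropped"] += int(v.group(2))
    return s

def alerts_by_sid(text):
    """Count fast.log alerts per (sid, message) so noisy signatures stand out."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group(2)), m.group(4))] += 1
    return counts
```

A non-zero "Dropped" count with no Error/Warning lines is the quickest sign that the engine really is sitting inline on the NFQUEUE path rather than only sniffing.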

Hello,
Thanks again.
I want to know if I have set Suricata-IDS in NFQ IPS mode correctly and if it works or not. Please take a look at https://forum.suricata.io/t/suricata-ids-and-file-server-or-storage/3814/42.

Hello,
The problem was due to the use of a virtual environment.
Problem solved.

Thank you so much.