Comments on: Compiling Suricata 0.9.0 in Ubuntu Lucid 10.04 in IPS (inline) mode http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html Everything inline. Mon, 30 Jan 2012 16:49:09 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: jackwssp http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html/comment-page-1#comment-21178 jackwssp Tue, 22 Jun 2010 18:45:26 +0000 http://www.inliniac.net/blog/?p=360#comment-21178 # /usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0 [6660] 22/6/2010 -- 18:44:16 - (suricata.c:354) (main) -- This is Suricata version 0.9.1 [6660] 22/6/2010 -- 18:44:16 - (util-cpu.c:167) (UtilCpuPrintSummary) -- CPUs Summary: [6660] 22/6/2010 -- 18:44:16 - (util-cpu.c:169) (UtilCpuPrintSummary) -- CPUs online: 2 [6660] 22/6/2010 -- 18:44:16 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs configured 2 # /usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0
[6660] 22/6/2010 — 18:44:16 – (suricata.c:354) (main) — This is Suricata version 0.9.1
[6660] 22/6/2010 — 18:44:16 – (util-cpu.c:167) (UtilCpuPrintSummary) — CPUs Summary:
[6660] 22/6/2010 — 18:44:16 – (util-cpu.c:169) (UtilCpuPrintSummary) — CPUs online: 2
[6660] 22/6/2010 — 18:44:16 – (util-cpu.c:171) (UtilCpuPrintSummary) — CPUs configured 2

]]> By: Victor Julien http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html/comment-page-1#comment-21150 Victor Julien Mon, 21 Jun 2010 07:18:21 +0000 http://www.inliniac.net/blog/?p=360#comment-21150 Does Suricata report an error? Start without the -D option to see what it reports. Does Suricata report an error? Start without the -D option to see what it reports.

]]> By: jackwssp http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html/comment-page-1#comment-21111 jackwssp Sat, 19 Jun 2010 09:53:25 +0000 http://www.inliniac.net/blog/?p=360#comment-21111 Hey, bro, where is my comment? Hey, bro, where is my comment?

]]> By: jackwssp http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html/comment-page-1#comment-21102 jackwssp Fri, 18 Jun 2010 19:09:37 +0000 http://www.inliniac.net/blog/?p=360#comment-21102 Suricata 0.9.2rc3, compiled like this: CFLAGS="-O3 -march=i486 -mtune=i686" \ ./configure --prefix=/usr --enable-unified-native-timeval --enable-nfqueue --build=i486-Slackware-linux "$@" make make install DESTDIR=$TMP try to configure iptables by this way: iptables -t mangle -A PREROUTING -j NFQUEUE --queue-num 0 iptables -t mangle -A FORWARD -j NFQUEUE --queue-num 0 iptables -t mangle -A OUTPUT -j NFQUEUE --queue-num 0 do not work :( Suricata 0.9.2rc3, compiled like this:

CFLAGS=”-O3 -march=i486 -mtune=i686″ \
./configure –prefix=/usr –enable-unified-native-timeval –enable-nfqueue –build=i486-Slackware-linux “$@”
make
make install DESTDIR=$TMP

try to configure iptables by this way:

iptables -t mangle -A PREROUTING -j NFQUEUE –queue-num 0
iptables -t mangle -A FORWARD -j NFQUEUE –queue-num 0
iptables -t mangle -A OUTPUT -j NFQUEUE –queue-num 0

do not work :(

]]> By: jackwssp http://www.inliniac.net/blog/2010/05/07/compiling-suricata-0-9-0-in-ubuntu-lucid-10-04-in-ips-inline-mode.html/comment-page-1#comment-21101 jackwssp Fri, 18 Jun 2010 18:44:05 +0000 http://www.inliniac.net/blog/?p=360#comment-21101 Look, i try this, /usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0 with this iptables -t raw -A PREROUTING -j NFQUEUE --queue-num 0 iptables -t raw -A OUTPUT -j NFQUEUE --queue-num 0 and it wantnt work, but snort works well. For example, this rule doesnt work: local.rules: drop tcp any any any any (msg:"DROP ALL"; content:"google.com"; sid:3000010;) Look, i try this,

/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0

with this

iptables -t raw -A PREROUTING -j NFQUEUE –queue-num 0
iptables -t raw -A OUTPUT -j NFQUEUE –queue-num 0

and it wantnt work, but snort works well.

For example, this rule doesnt work:
local.rules:
drop tcp any any any any (msg:”DROP ALL”; content:”google.com”; sid:3000010;)

]]>