I have installed suricata 4.0 in IPS mode per the docs here:
I can start it with /etc/init.d/suricata start, but as soon as i stop it with /etc/init.d/suricata stop it will drop all connections to the box and not allow further connections. I have run:
sudo iptables -A OUTPUT -j NFQUEUE & sudo iptables -A INPUT -j NFQUEUE
only after starting b/c if i run these beforehand, the same thing occurs, all connections are dropped and i can't ssh back into the box.
It will restart (with iptable rules enabled), but connections are on hold (can't type or ssh from another location) while the restart is in progress, and while it takes about 5 seconds, it does come back successfully.
This leads me to a few questions, but lets keep it at one, how can i add these firewall rules without having something listening reading NFQUEUE Since suricata will forward or drop, i assume since they don't get removed from the queue, they are never processed further.
Thanks!
:slaps forehead:
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
You can add
--queue-bypass. I'll request that the documentation is updated. I'm not out of the woods, but past this issue.Best,