webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 11:43:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

suricata: Collect metrics on scanned and bypassed packets

Browse Source 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Michael Tremer
2024-09-10 23:45:53 +02:00
parent 8b73307b15
commit a85924cc25
2 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/collectd/collectd.conf
View File

@@ -52,6 +52,10 @@ include "/etc/collectd.precache"
Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
Chain filter HOSTILE_DROP_IN DROP_HOSTILE Chain filter HOSTILE_DROP_IN DROP_HOSTILE
Chain filter HOSTILE_DROP_OUT DROP_HOSTILE Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
# IPS
Chain mangle IPS BYPASSED
Chain mangle IPS SCANNED
</Plugin> </Plugin>
#<Plugin logfile> #<Plugin logfile>

6
src/initscripts/system/suricata
View File

@@ -78,7 +78,9 @@ generate_fw_rules() {
flush_fw_chain flush_fw_chain
# Don't process packets where the IPS has requested to bypass the stream # Don't process packets where the IPS has requested to bypass the stream
iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN iptables -w -t mangle -A IPS \
-m comment --comment "BYPASSED" \
-m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
# If suricata decided to bypass a stream, we will store the mark in the connection tracking table # If suricata decided to bypass a stream, we will store the mark in the connection tracking table
iptables -w -t mangle -A IPS \ iptables -w -t mangle -A IPS \
@@ -126,7 +128,7 @@ generate_fw_rules() {
fi fi
# Send packets to suricata # Send packets to suricata
iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}" iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
return 0 return 0
} }