Nftables

DOM and SSH honeypot DOM is a solution comparable to fail2ban but it uses Suricata SSH log instead of SSH server logs. The goal of DOM is to redirect the attacker based on its SSH client version. This allows to send attacker to a honeypot like pshitt directly after the first attempt. And this can be done for a whole network as Suricata does not need to be on the targeted box. Using DOM with nftables I’ve pushed a basic nftables support to DOM. Instead of adding element via ipset it uses a nftables set. ...

Iptables and suricata as IPS Building a Suricata ruleset with iptables has always been a complicated task when trying to combined the rules that are necessary for the IPS with the firewall rules. Suricata has always used Netfilter advanced features allowing some more or less tricky methods to be used. For the one not familiar with IPS using Netfilter, here’s a few starting points: IPS receives the packet coming from kernel via rules using the NFQUEUE target The IPS must received all packets of a given flow to be able to handle detection cleanly The NFQUEUE target is a terminal target: when the IPS verdicts a packet, it is or accepted (and leave current chain) ...

Linux 3.13 is out Linux 3.13 is out bringing among other thing the first official release of nftables. nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework aka iptables. nftables version in Linux 3.13 is not yet complete. Some important features are missing and will be introduced in the following Linux versions. It is already usable in most cases but a complete support (read nftables at a better level than iptables) should be available in Linux 3.15. ...

Introduction This is a new kernel packet filtering framework. The only change is on iptables. Netfilter hooks, connection tracking system, NAT are unchanged. It provides a backward compatibility. nftables was released in March 2009 by Patrick Mchardy. It has been revived in the precedent months by Pablo Neira Ayuso and other hackers. Architecture It uses a pseudo-state machine in kernel-space which is similar to BPF: 4 registers: 4 general purpose (128 bits long each) + 1 verdict provides instruction set (which can be extended) Here’s a example of existing instructions: ...