From a85924cc2534c65eb10b800375ade8a5bb311dc1 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 10 Sep 2024 23:45:53 +0200
Subject: [PATCH] suricata: Collect metrics on scanned and bypassed packets

Signed-off-by: Michael Tremer
---
 config/collectd/collectd.conf   | 4 ++++
 src/initscripts/system/suricata | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 27e1fe984..fd548b6cf 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -52,6 +52,10 @@ include "/etc/collectd.precache"
 	Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
 	Chain filter HOSTILE_DROP_IN DROP_HOSTILE
 	Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
+
+	# IPS
+	Chain mangle IPS BYPASSED
+	Chain mangle IPS SCANNED
 #
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 2890fa64b..150984d93 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -78,7 +78,9 @@ generate_fw_rules() {
 	flush_fw_chain
 	# Don't process packets where the IPS has requested to bypass the stream
-	iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
+	iptables -w -t mangle -A IPS \
+		-m comment --comment "BYPASSED" \
+		-m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
 	# If suricata decided to bypass a stream, we will store the mark in the connection tracking table
 	iptables -w -t mangle -A IPS \
@@ -126,7 +128,7 @@ generate_fw_rules() {
 	fi
 	# Send packets to suricata
-	iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
+	iptables -w -t mangle -A IPS -m comment --comment "SCANNED" -j NFQUEUE "${NFQ_OPTIONS[@]}"
 	return 0
 }
-- 
2.39.5
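Review bot: The new `# IPS` comment in collectd.conf does not record that `BYPASSED` and `SCANNED` are the `-m comment --comment` strings set on the mangle/IPS rules in src/initscripts/system/suricata, and that collectd selects the rule to read counters from by that comment; renaming either string in the initscript would break the metrics with no error in the script itself. I would replace the one-line comment with `# IPS: counters of the mangle/IPS rules tagged via "-m comment" in src/initscripts/system/suricata (BYPASSED = mark-matched RETURN rule, SCANNED = NFQUEUE rule); keep the strings in sync`. It is not visible here what collectd does while the IPS is disabled and those rules are absent from the chain, so that case is worth confirming before merging.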
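Review bot: The SCANNED rule at line 131 is kept on a single line while the BYPASSED rule in the hunk at line 81 was reflowed onto continuation lines with `-m comment` on its own line; the two rules added by this commit should use one layout, and the multi-line form from the first hunk reads better. The comment above the rule should also say what the tag is for, since the string is a contract with collectd.conf: `# Send packets to suricata ("SCANNED" is matched by collectd to count queued packets)`. Note that this counter records packets handed to NFQUEUE, not what suricata did with them; if NFQ_OPTIONS (set outside this hunk) enables queue bypass, packets that pass while suricata is not running would still be counted as SCANNED, which is worth a comment if that is the intended meaning.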