[Oisf-devel] Suricata blocking web server

Jinsheng Chen smalldust.chen at gmail.com
Tue Feb 14 16:26:31 UTC 2017


Hi,

I am not sure if I should post my question here. If not, please let me know
where to post... thanks.

I have a web server (CentOS 6) and also have suricata running on it in IPS
mode:

# suricata -D -q 0

I have configured the rules with oinkmaster and have replaced all "ALERT"
with "DROP".
And I have configured iptables so that all traffic goes to suricata:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   464 IPS        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPS (9 references)
 pkts bytes target     prot opt in     out     source               destination
    8   464 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0


I have my apache / php web application running, which communicates with a
mongodb on a remote server.
Then the problem happened: clients can access the web server at the
beginning, but after several HTTP requests the browser stops responding
and ends in a timeout.

eve.json shows something like this:

{
  "timestamp": "2017-02-15T00:01:53.000341+0900",
  "flow_id": 2133944226238351,
  "event_type": "flow",
  "src_ip": "CLIENT IP ADDRESS",
  "src_port": 50951,
  "dest_ip": "MY WEB SERVER IP ADDRESS",
  "dest_port": 80,
  "proto": "TCP",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 0,
    "bytes_toserver": 224,
    "bytes_toclient": 0,
    "start": "2017-02-15T00:00:35.151439+0900",
    "end": "2017-02-15T00:00:51.109046+0900",
    "age": 16,
    "state": "new",
    "reason": "timeout"
  },
  "tcp": {
    "tcp_flags": "13",
    "tcp_flags_ts": "13",
    "tcp_flags_tc": "00",
    "syn": true,
    "fin": true,
    "ack": true,
    "state": "syn_sent"
  }
}

Although I have enabled the drop log, there is nothing in the drop log.
However when looking at /var/log/suricata/stats.log, there was
"ips.blocked".

ips.accepted                               | Total                     | 1326
ips.blocked                                | Total                     | 189

I thought "ips.blocked" = "dropped", but it was not...

Has anyone experienced this and could point out what I should check?
Thank you!

Regards,
Jins
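As an added example (not part of the original post, and not Suricata's own tooling), the following Python script scans eve.json flow records for the symptom visible in the event above: TCP flows where the client sent packets but nothing ever came back ("pkts_toclient": 0, flow state still "new", TCP state "syn_sent"). It also decodes the hex "tcp_flags" fields into flag names (0x13 is FIN + SYN + ACK) and counts the one-way flows per destination port, which is a quick way to see whether the web server port is the one being starved. The eve.json records are constructed for the example; the first one mirrors the flow event quoted in the post, the others are made up to show a healthy flow and a non-flow event being skipped. Field names follow the eve.json "flow" and "tcp" objects as they appear in the post.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Bits of the TCP flags byte, as encoded in Suricata's hex "tcp_flags" strings.
TCP_FLAG_BITS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}

# Constructed sample records (not real logs). The first reproduces the flow
# event from the post; the second is a healthy flow; the third is an alert
# record that the scanner must ignore; the fourth is another one-way flow.
SAMPLE_EVENTS = [
    {"timestamp": "2017-02-15T00:01:53.000341+0900", "flow_id": 2133944226238351,
     "event_type": "flow", "src_ip": "CLIENT IP ADDRESS", "src_port": 50951,
     "dest_ip": "MY WEB SERVER IP ADDRESS", "dest_port": 80, "proto": "TCP",
     "flow": {"pkts_toserver": 5, "pkts_toclient": 0, "bytes_toserver": 224,
              "bytes_toclient": 0, "age": 16, "state": "new", "reason": "timeout"},
     "tcp": {"tcp_flags": "13", "tcp_flags_ts": "13", "tcp_flags_tc": "00",
             "state": "syn_sent"}},
    {"timestamp": "2017-02-15T00:02:10.000000+0900", "flow_id": 1,
     "event_type": "flow", "src_ip": "CLIENT IP ADDRESS", "src_port": 50960,
     "dest_ip": "MY WEB SERVER IP ADDRESS", "dest_port": 80, "proto": "TCP",
     "flow": {"pkts_toserver": 6, "pkts_toclient": 4, "bytes_toserver": 900,
              "bytes_toclient": 3200, "age": 2, "state": "closed", "reason": "timeout"},
     "tcp": {"tcp_flags": "1b", "tcp_flags_ts": "1b", "tcp_flags_tc": "1b",
             "state": "closed"}},
    {"timestamp": "2017-02-15T00:02:11.000000+0900", "flow_id": 2,
     "event_type": "alert", "src_ip": "CLIENT IP ADDRESS", "src_port": 50961,
     "dest_ip": "MY WEB SERVER IP ADDRESS", "dest_port": 80, "proto": "TCP"},
    {"timestamp": "2017-02-15T00:02:30.000000+0900", "flow_id": 3,
     "event_type": "flow", "src_ip": "CLIENT IP ADDRESS", "src_port": 50970,
     "dest_ip": "MY WEB SERVER IP ADDRESS", "dest_port": 80, "proto": "TCP",
     "flow": {"pkts_toserver": 3, "pkts_toclient": 0, "bytes_toserver": 180,
              "bytes_toclient": 0, "age": 9, "state": "new", "reason": "timeout"},
     "tcp": {"tcp_flags": "02", "tcp_flags_ts": "02", "tcp_flags_tc": "00",
             "state": "syn_sent"}},
]
# eve.json is line-delimited JSON, so serialise the samples one per line.
SAMPLE_EVE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]


def decode_tcp_flags(hex_flags: str) -> List[str]:
    """Turn a Suricata hex flag string such as "13" into flag names, lowest bit first."""
    value = int(hex_flags, 16)
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]


def find_one_way_flows(lines: Iterable[str]) -> List[Dict]:
    """Return TCP flow records in which packets went to the server but none came back."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated last line in a live log
        if ev.get("event_type") != "flow" or ev.get("proto") != "TCP":
            continue
        flow = ev.get("flow", {})
        if flow.get("pkts_toserver", 0) == 0 or flow.get("pkts_toclient", 0) != 0:
            continue
        tcp = ev.get("tcp", {})
        findings.append({
            "flow_id": ev.get("flow_id"),
            "src": "%s:%s" % (ev.get("src_ip"), ev.get("src_port")),
            "dest": "%s:%s" % (ev.get("dest_ip"), ev.get("dest_port")),
            "dest_port": ev.get("dest_port"),
            "pkts_toserver": flow.get("pkts_toserver"),
            "flow_state": flow.get("state"),
            "reason": flow.get("reason"),
            "flags_toserver": decode_tcp_flags(tcp.get("tcp_flags_ts", "00")),
            "tcp_state": tcp.get("state"),
        })
    return findings


def count_by_dest_port(findings: List[Dict]) -> Dict[int, int]:
    """Count one-way flows per destination port to spot which service is being starved."""
    return dict(Counter(f["dest_port"] for f in findings))


if __name__ == "__main__":
    # To scan a real log: find_one_way_flows(open("/var/log/suricata/eve.json"))
    hits = find_one_way_flows(SAMPLE_EVE_LINES)
    for h in hits:
        print(h)
    print("one-way TCP flows per dest port:", count_by_dest_port(hits))
```

The heuristic deliberately looks only at "flow" events, because a packet dropped by the IPS produces no alert-side record of its own here; the flow record, with its zero reverse-direction counters and "syn_sent" TCP state, is the trace that survives.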