<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Do your signatures have alert or drop set for the action?</div><div><br>On Jul 8, 2018, at 7:55 PM, <a href="mailto:gatodiablo@protonmail.com">gatodiablo@protonmail.com</a> wrote:<br><br></div><blockquote type="cite"><div>I want to use suricata in IPS mode and have followed the instructions on the readthedocs site. Suricata is running on a gateway firewall device. I am accessing test exploits on this page: <a href="https://www.wicar.org/test-malware.html">https://www.wicar.org/test-malware.html</a><br>The fast.log file shows alerts indicating the malware was detected, however it is not blocked.<br><br>I have checked suricata --build-info and nfq is included.<br><br>Suricata is started as a service using these arguments<br><br>sudo suricata -D -c /etc/suricata/suricata.yaml -q 0 --pidfile /var/run/suricata.pid<br><br>Iptables -S<br><br>iptables -P INPUT DROP<br>iptables -P FORWARD DROP<br> iptables -P OUTPUT ACCEPT<br>iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT<br>iptables -A FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-num 0<br> iptables -A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0<br>iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT<br>iptables -A -i eth1 -o eth0 -j ACCEPT<br><br>Nfq section from suricata.yaml<br><br>nfq:<br> mode: accept<br># repeat_mark: 1 <br># repeat_mask: 1 <br># bypass-mark: 1<br># bypass-mask: 1<br># route-queue: 2<br># batchcount: 20<br># fail-open: yes<br><br>Sent from ProtonMail mobile<br><br><br></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div></blockquote><BR />
<BR />
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed. If you have received this email in error please notify Netsecuris management at mgmt@netsecuris.com. Please note that any views or opinions presented in
this email are solely those of the author and do not necessarily
represent those of Netsecuris Inc. The integrity and
security of this message cannot be guaranteed on the Internet
<BR />
</body></html>