[Oisf-devel] Suricata blocking web server
Jinsheng Chen
smalldust.chen at gmail.com
Tue Feb 14 16:26:31 UTC 2017
Hi,
I am not sure if I should post my question here. If not, please let me know
where to post... thanks.
I have a web server (CentOS 6) and also have suricata running on it in IPS
mode:
# suricata -D -q 0
I have configured the rules with oinkmaster and have replaced all "ALERT"
to "DROP".
And I have configured iptables so that all traffic goes to suricata:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   464 IPS        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPS (9 references)
 pkts bytes target     prot opt in     out     source               destination
    8   464 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
I have my apache / php web application running, which communicates with a
mongodb on a remote server.
Then the problem happened: clients can access the web server at the
beginning, but after several HTTP requests the browser stops responding
and ends in a timeout.
eve.json shows something like this:
{
  "timestamp": "2017-02-15T00:01:53.000341+0900",
  "flow_id": 2133944226238351,
  "event_type": "flow",
  "src_ip": "CLIENT IP ADDRESS",
  "src_port": 50951,
  "dest_ip": "MY WEB SERVER IP ADDRESS",
  "dest_port": 80,
  "proto": "TCP",
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 0,
    "bytes_toserver": 224,
    "bytes_toclient": 0,
    "start": "2017-02-15T00:00:35.151439+0900",
    "end": "2017-02-15T00:00:51.109046+0900",
    "age": 16,
    "state": "new",
    "reason": "timeout"
  },
  "tcp": {
    "tcp_flags": "13",
    "tcp_flags_ts": "13",
    "tcp_flags_tc": "00",
    "syn": true,
    "fin": true,
    "ack": true,
    "state": "syn_sent"
  }
}
Although I have enabled the drop log, there is nothing in the drop log.
However when looking at /var/log/suricata/stats.log, there was
"ips.blocked".
ips.accepted | Total | 1326
ips.blocked  | Total | 189
I thought "ips.blocked" = "dropped", but it was not...
Has anyone experienced this and could point out what I should check?
Thank you!
Regards,
Jins
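Added example, not part of the original mail or of Suricata: a small triage script for exactly the symptom described above. It reads eve.json line by line, picks out flow events to the web port where the client sent packets but never received any (as in the quoted event: pkts_toclient 0, tcp state syn_sent, reason timeout), groups them by client and TCP state, and separately pulls the ips.accepted / ips.blocked counters out of stats.log so the two can be compared side by side. The sample eve.json and stats.log content is constructed here with documentation-range addresses; the alert "action" field it counts is the standard EVE alert field, everything else follows the fields shown in the post.

```python
import json
import re
from collections import Counter

# Constructed sample of eve.json (one JSON object per line). The first event
# mirrors the flow record from the mail; the others are made up for contrast.
# 192.0.2.x / 198.51.100.5 are documentation addresses, not real hosts.
SAMPLE_EVE = """\
{"timestamp":"2017-02-15T00:01:53.000341+0900","flow_id":2133944226238351,"event_type":"flow","src_ip":"192.0.2.10","src_port":50951,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":0,"bytes_toserver":224,"bytes_toclient":0,"start":"2017-02-15T00:00:35.151439+0900","end":"2017-02-15T00:00:51.109046+0900","age":16,"state":"new","reason":"timeout"},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"00","syn":true,"fin":true,"ack":true,"state":"syn_sent"}}
{"timestamp":"2017-02-15T00:02:10.000000+0900","flow_id":1,"event_type":"flow","src_ip":"192.0.2.11","src_port":40000,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1500,"bytes_toclient":9000,"start":"2017-02-15T00:02:05.000000+0900","end":"2017-02-15T00:02:08.000000+0900","age":3,"state":"closed","reason":"timeout"},"tcp":{"state":"closed"}}
{"timestamp":"2017-02-15T00:02:11.000000+0900","flow_id":2,"event_type":"alert","src_ip":"192.0.2.12","src_port":40001,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":1}}
{"timestamp":"2017-02-15T00:02:12.000000+0900","flow_id":3,"event_type":"flow","src_ip":"192.0.2.13","src_port":40002,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":3,"pkts_toclient":0,"bytes_toserver":180,"bytes_toclient":0,"start":"2017-02-15T00:01:50.000000+0900","end":"2017-02-15T00:02:06.000000+0900","age":16,"state":"new","reason":"timeout"},"tcp":{"state":"syn_sent"}}
"""

# Constructed stats.log excerpt in the "counter | TM name | value" layout
# shown in the mail; the separator and header lines are assumed.
SAMPLE_STATS = """\
------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------
ips.accepted              | Total                     | 1326
ips.blocked               | Total                     | 189
"""


def parse_eve(text):
    """Parse newline-delimited JSON, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line still being written, or otherwise damaged
    return events


def one_sided_flows(events, dest_port=80):
    """Flow events to dest_port where the server never sent a packet back."""
    out = []
    for ev in events:
        if ev.get("event_type") != "flow" or ev.get("dest_port") != dest_port:
            continue
        fl = ev.get("flow", {})
        if fl.get("pkts_toserver", 0) > 0 and fl.get("pkts_toclient", 0) == 0:
            out.append(ev)
    return out


def summarize(events, dest_port=80):
    """Counts a defender wants at a glance: total flows, stalled flows,
    which clients they came from, TCP state at expiry, and blocked alerts."""
    flows = [e for e in events
             if e.get("event_type") == "flow" and e.get("dest_port") == dest_port]
    stalled = one_sided_flows(events, dest_port)
    blocked_alerts = sum(
        1 for e in events
        if e.get("event_type") == "alert"
        and e.get("alert", {}).get("action") == "blocked")
    return {
        "flows": len(flows),
        "one_sided": len(stalled),
        "by_client": dict(Counter(e["src_ip"] for e in stalled)),
        "by_tcp_state": dict(Counter(e.get("tcp", {}).get("state", "?") for e in stalled)),
        "blocked_alerts": blocked_alerts,
    }


# Matches lines such as "ips.blocked | Total | 189" regardless of padding.
STATS_RE = re.compile(r"^\s*(ips\.\w+)\s*\|\s*\S+\s*\|\s*(\d+)\s*$")


def parse_ips_counters(text):
    """Extract the ips.* counters from a stats.log excerpt."""
    counters = {}
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def blocked_ratio(counters):
    """Share of NFQUEUE verdicts that were drops, 0.0 if nothing was counted."""
    blocked = counters.get("ips.blocked", 0)
    total = counters.get("ips.accepted", 0) + blocked
    return blocked / total if total else 0.0


if __name__ == "__main__":
    print(summarize(parse_eve(SAMPLE_EVE)))
    c = parse_ips_counters(SAMPLE_STATS)
    print(c, "blocked ratio %.3f" % blocked_ratio(c))
```

Run it against the real files by replacing the two constructed strings with the contents of /var/log/suricata/eve.json and stats.log. A rising count of one-sided flows in syn_sent state alongside a non-zero ips.blocked counter, with no matching entries in the drop log, is the combination to investigate, and grouping by client shows whether every visitor is affected or only some.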