[Oisf-devel] Suricata blocking web server
Victor Julien
lists at inliniac.net
Wed Feb 15 14:16:31 UTC 2017
On 14-02-17 17:26, Jinsheng Chen wrote:
> I am not sure if I should post my question here. If not, please let me
> know where to post... thanks.
>
> I have a web server (CentOS 6) and also have suricata running on it in
> IPS mode:
>
> # suricata -D -q 0
>
> I have configured the rules with oinkmaster and have replaced all
> "ALERT" to "DROP".
> And I have configured iptables so that all traffic goes to suricata:
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     8   464 IPS        all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain IPS (9 references)
>  pkts bytes target     prot opt in     out     source               destination
>     8   464 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
It looks like you're missing the OUTPUT chain. Suricata needs to see
both sides of the traffic for its stateful tracking, inspection and logging.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
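An added example (shell), not from the thread or from the Suricata project: the iptables rules the reply calls for, hooking the IPS chain from OUTPUT as well as INPUT, plus a small offline check that reads an `iptables -S` dump and reports whether both built-in chains actually reach NFQUEUE. The chain name IPS and queue number 0 follow the original post; the loopback exclusion is an assumption of this example, and both rulesets below are constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example, not from the thread. Chain name IPS and queue 0 follow the
# original post (`suricata -q 0`). The iptables commands are printed, not run;
# load them as root on the server. The checker works offline on a dump.

# Rules that hook the IPS chain from OUTPUT as well as INPUT, so Suricata on
# NFQUEUE 0 sees both halves of every connection to and from the host.
# Excluding loopback (an assumption here) keeps local-only traffic out of
# the queue; drop the "! -i lo" / "! -o lo" parts if you want it inspected.
ips_rules() {
    cat <<'EOF'
iptables -N IPS
iptables -A IPS -j NFQUEUE --queue-num 0
iptables -I INPUT 1 ! -i lo -j IPS
iptables -I OUTPUT 1 ! -o lo -j IPS
EOF
}

# Read an `iptables -S` dump on stdin; print the built-in filter chains
# (INPUT, FORWARD, OUTPUT) that reach an NFQUEUE target, directly or through
# user-defined chains, one per line in that order.
nfqueue_chains() {
    awk '
    # Does chain c lead to NFQUEUE? iptables rejects chain loops, so no
    # visited set is needed for the recursion.
    function reaches(c,   k, a) {
        if (c == "NFQUEUE") return 1
        for (k in edge) {
            split(k, a, SUBSEP)
            if (a[1] == c && reaches(a[2])) return 1
        }
        return 0
    }
    # Every "-A <chain> ... -j <target>" line is an edge chain -> target.
    /^-A / {
        for (i = 3; i <= NF; i++) if ($i == "-j") edge[$2, $(i + 1)] = 1
    }
    END {
        n = split("INPUT FORWARD OUTPUT", builtin, " ")
        for (i = 1; i <= n; i++) if (reaches(builtin[i])) print builtin[i]
    }'
}

# Succeed only when both INPUT and OUTPUT hand traffic to NFQUEUE.
both_directions_queued() {
    case "$(nfqueue_chains)" in
        *INPUT*OUTPUT*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed dumps (not captured from the poster's machine). The first
# mirrors the post: only INPUT jumps to IPS. The second adds the OUTPUT hook.
POST_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N IPS
-A INPUT -j IPS
-A IPS -j NFQUEUE --queue-num 0'

FIXED_RULESET="$POST_RULESET
-A OUTPUT -j IPS"

# Human-readable verdict for one dump; on a live host feed it
# "$(iptables -S)" instead of a constructed string.
report() {
    if printf '%s\n' "$1" | both_directions_queued; then
        echo "ok: INPUT and OUTPUT both reach NFQUEUE"
    else
        chains=$(printf '%s\n' "$1" | nfqueue_chains | tr '\n' ' ')
        chains=${chains% }
        echo "incomplete: only [$chains] reach NFQUEUE"
    fi
}

echo "== rules to load =="
ips_rules
echo "== ruleset as posted =="
report "$POST_RULESET"
echo "== ruleset with OUTPUT hook =="
report "$FIXED_RULESET"
```

On the posted ruleset the check reports only INPUT; with the OUTPUT hook added it reports both. One operational caveat when queuing OUTPUT on a production web server: if the Suricata process stops, packets sent to an NFQUEUE with no listener are dropped by default, so the box goes dark in both directions; iptables' `--queue-bypass` option on the NFQUEUE rule lets them through instead, which is a fail-open choice to make deliberately rather than discover during an outage.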