[Oisf-users] Suricata IPS ???

Cooper F. Nelson cnelson at ucsd.edu
Fri Oct 31 18:39:07 UTC 2014


Have you tried changing the 'alert' keyword to 'drop'?

Beyond that, drop rules don't really work for DOS attacks unless they
are single-packet.  DOS sigs written by threshold are only going to
drop the packet that triggers the alert (I think).

-Coop

On 10/31/2014 11:32 AM, Jeripotula, Shashiraj wrote:
> Hello Team,
>
> I am evaluating Suricata for one of our product teams.
>
> I have installed Suricata, configured it, and it's running fine.
>
> Copied emerging threats rules and using it. Looked at the rules, all of
> them are alerts and no drops.
>
> We tried doing a DOS attack, see some basic alerts and nothing matched
> in emerging-dos.rules, so nothing triggered dos rules.
>
> I have configured Suricata in IPS mode, with NFQUEUE, but still the DOS
> attack was not prevented.
>
> Can someone advise how to make good use of Suricata as an IPS? What
> additional rules should I use? Do I need to learn and write customized
> rules???
>
> Please advise.
>
> Thanks
>
> Raj


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
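Coop's two points above (flip 'alert' to 'drop', and a threshold-based DOS sig only drops the packet that crosses the count), worked through as an added example that is not from this thread or from the Suricata project. The helper names (convert_to_drop, threshold_sids) and the sample rules are assumptions constructed for the demo; the sample rules are not the real emerging-dos.rules.

```python
import re

# Constructed sample in Suricata rule syntax; these are NOT rules from the real ET ruleset.
SAMPLE_RULES = """\
# A comment line is passed through exactly as it is
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE DOS HTTP request flood"; flow:to_server; threshold: type both, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE DNS rule with alert in msg"; classtype:policy-violation; sid:9000002; rev:1;)
#alert icmp any any -> $HOME_NET any (msg:"SAMPLE disabled rule"; classtype:attempted-dos; sid:9000003; rev:1;)
"""

# An enabled rule starts with its action word; a leading '#' means it is disabled.
ENABLED_RE = re.compile(r"^(alert|drop|pass|reject)\s")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
# Either keyword makes a rule fire only once a packet count has been reached.
THRESHOLD_RE = re.compile(r"\b(threshold|detection_filter)\s*:")


def convert_to_drop(rules_text, classtypes=None, sids=None):
    """Rewrite enabled 'alert' rules to 'drop' when their classtype or sid is selected
    (every enabled alert rule when no filter is given). Only the leading action word
    changes, so "alert" inside a msg string, disabled rules and other actions stay."""
    out = []
    for line in rules_text.splitlines():
        m = ENABLED_RE.match(line)
        if m and m.group(1) == "alert":
            sid = SID_RE.search(line)
            ct = CLASSTYPE_RE.search(line)
            selected = classtypes is None and sids is None
            if classtypes is not None and ct and ct.group(1) in classtypes:
                selected = True
            if sids is not None and sid and sid.group(1) in sids:
                selected = True
            if selected:
                line = "drop" + line[len("alert"):]
        out.append(line)
    return "\n".join(out) + "\n"


def threshold_sids(rules_text):
    """Return sids of enabled rules that only match once a threshold/detection_filter
    count is reached. A 'drop' on such a rule discards just the packet that crosses the
    count; the earlier packets of the flood were already forwarded."""
    found = []
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if ENABLED_RE.match(line) and THRESHOLD_RE.search(line) and sid:
            found.append(sid.group(1))
    return found
```

Running convert_to_drop on a copy of the ET files with classtypes={"attempted-dos"} gives the drop variants; threshold_sids lists the ones where a drop will still let the first packets of a flood through.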


