[Oisf-users] Suricata IPS ???
Cooper F. Nelson
cnelson at ucsd.edu
Fri Oct 31 18:39:07 UTC 2014
Have you tried changing the 'alert' keyword to 'drop'?
Beyond that, drop rules don't really work for DOS attacks unless they
are single-packet. DOS sigs written with a threshold are only going to
drop the packet that triggers the alert (I think).
-Coop
On 10/31/2014 11:32 AM, Jeripotula, Shashiraj wrote:
> Hello Team,
>
> I am evaluating Suricata for one of our product teams.
>
> I have installed Suricata, configured it, and it's running fine.
>
> I copied the Emerging Threats rules and am using them. Looking at the rules, all of
> them are alerts and no drops.
>
> We tried doing a DOS attack, saw some basic alerts, and nothing matched
> in emerging-dos.rules, so no DOS rules triggered.
>
> I have configured Suricata in IPS mode, with NFQUEUE, but the DOS
> attack still was not prevented.
>
> Can someone advise how to make good use of Suricata as an IPS? What
> additional rules should I use? Do I need to learn and write customized
> rules???
>
> Please advise.
>
> Thanks
>
> Raj
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
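The suggestion in the reply above is to change the `alert` action in the downloaded ruleset to `drop`. The script below is an added example of how to do that safely; it is not code from the thread or from the Suricata project. It only rewrites lines whose action is literally `alert`, leaves comments and `pass`/`reject`/`drop` rules untouched, optionally limits the change to a chosen set of SIDs, and reports which converted rules carry a `threshold:` option, since (per the reply) those will only drop the single packet that crosses the threshold rather than the whole flood. The sample rules are constructed for the example and are not real Emerging Threats content.

```python
import re

# Constructed sample in Suricata rule syntax (not real ET rules); SIDs are placeholders.
SAMPLE_RULES = """\
# comment lines and blank lines are left exactly as they are
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE dos flood"; flow:to_server; threshold:type both, track by_src, count 100, seconds 10; classtype:attempted-dos; sid:9000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; sid:9000002; rev:1;)
pass ip any any -> any any (msg:"EXAMPLE pass rule"; sid:9000003; rev:1;)
"""

# A rule line starts with its action keyword followed by the protocol and header.
ACTION_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
THRESHOLD_RE = re.compile(r'\bthreshold:')


def rule_sid(rule):
    """Return the rule's sid as int, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def convert_alert_to_drop(rules_text, only_sids=None):
    """Rewrite 'alert' rules as 'drop' rules.

    Returns (new_text, converted_sids, thresholded_sids):
      converted_sids   - SIDs whose action was changed to drop
      thresholded_sids - the subset of those that use threshold:, which will
                         only drop the packet that trips the threshold
    If only_sids is given, only rules with those SIDs are converted.
    """
    out, converted, thresholded = [], [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        # keep comments, blank lines and anything that is not an alert rule verbatim
        if not stripped or stripped.startswith('#'):
            out.append(line)
            continue
        m = ACTION_RE.match(stripped)
        if not m or m.group('action') != 'alert':
            out.append(line)
            continue
        sid = rule_sid(stripped)
        if only_sids is not None and sid not in only_sids:
            out.append(line)
            continue
        out.append('drop ' + m.group('rest'))
        converted.append(sid)
        if THRESHOLD_RE.search(stripped):
            thresholded.append(sid)
    return '\n'.join(out) + '\n', converted, thresholded


if __name__ == '__main__':
    text, done, thr = convert_alert_to_drop(SAMPLE_RULES)
    print(text)
    print('converted:', done)
    print('threshold rules (drop only the triggering packet):', thr)
```

Run it against a real rules file by reading the file into `rules_text` and writing the returned text to a new file that suricata.yaml then loads; converting only a reviewed allowlist of SIDs via `only_sids` avoids turning every noisy informational alert into a drop on the first pass.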