[Oisf-users] Suricata IPS ???

Jeripotula, Shashiraj shashiraj.jeripotula at verizon.com
Fri Oct 31 18:55:40 UTC 2014


Thanks Coop,

for the immediate response.

Anoop mentioned the same thing.

But there are so many rules, so many alerts. Which ones should I change to drop?

What is the efficient way of using Suricata as an IPS and preventing DoS attacks?

Thanks

Raj

-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
Sent: Friday, October 31, 2014 11:39 AM
To: Jeripotula, Shashiraj; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata IPS ???

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you tried changing the 'alert' keyword to 'drop'?

Beyond that, drop rules don't really work for DoS attacks unless they are single-packet.  DoS sigs written by threshold are only going to drop the packet that triggers the alert (I think).

- -Coop

On 10/31/2014 11:32 AM, Jeripotula, Shashiraj wrote:
> Hello Team,
> 
> I am evaluating Suricata for one of our product teams.
> 
> I have installed Suricata, configured it, and it is running fine.
> 
> Copied the Emerging Threats rules and am using them. Looked at the rules; all 
> of them are alerts and no drops.
> 
> We tried doing a DoS attack, saw some basic alerts and nothing 
> matched in emerging-dos.rules, so no DoS rules were triggered.
> 
> I have configured Suricata in IPS mode, with NFQUEUE, but the DoS 
> attack was still not prevented.
> 
> Can someone advise how to make good use of Suricata as an IPS. What 
> additional rules should I use? Do I need to learn and write customized 
> rules?
> 
> Please advise.
> 
> Thanks
> 
> 
> Raj
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 


- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUU9dLAAoJEKIFRYQsa8FWxoIH/iipWeKL9kjmT2fmLf8oY7mT
hF0BS86TPBYxtgvKCqgh+BQY0EgjVwCsr+urG53OqIdYdcvVixZJXl7gLPO+xK0e
szJd2KvXHe/7pBiHIn5Fds2YIxYoz19ZX5NT1xnBwPO4lOD6MsSDbhcwstjJf8OX
v0zqHJ7bRn48d8yZJ3FLr1KE+lr2AeMzvD5erNFyIZpoEMxHHm7cjfpRmPePuM28
DpYbzvHBzP834YSTk0w0X4kgXY7ROh43yDSqHgEfYNgZfWDf33PgxAg5/FwuiJFm
JFI0lz8UksZRsnNwVaxbYfHt6yTxO5xYbQyYGNYW+qFUiT44Fb0ondYRA7g9LwE=
=emPO
-----END PGP SIGNATURE-----
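The practical follow-up to Coop's suggestion is not to flip every `alert` in the Emerging Threats set to `drop` (that turns every false positive into an outage) but to convert a chosen list of SIDs. The script below is an added example, not code from the thread or from the Suricata or Emerging Threats projects. The rules, SIDs and file names in it are constructed for the example and are not real ET signatures; the `convert_to_drop` and `count_drop_rules` function names are this example's own.

```shell
#!/bin/sh
# Added example: convert 'alert' to 'drop' for a chosen set of SIDs in a
# Suricata rules file, leaving every other rule (and commented-out rules)
# untouched. The sample rule set and SID list are constructed for this
# example; they are not Emerging Threats signatures.

set -eu

RULES_FILE="${TMPDIR:-/tmp}/example-dos.rules"   # stands in for emerging-dos.rules
DROP_SIDS="${TMPDIR:-/tmp}/drop-sids.txt"        # one SID per line

# Constructed sample rules (made-up SIDs 9000001-9000004, not real ET rules).
# The first one uses 'threshold', the keyword Coop's caveat is about.
cat > "$RULES_FILE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE DOS HTTP SYN flood"; flags:S; threshold:type both, track by_src, count 200, seconds 10; classtype:attempted-dos; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS ANY query"; content:"|00 ff 00 01|"; classtype:attempted-dos; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; flags:S; classtype:attempted-recon; sid:9000003; rev:1;)
# a disabled rule must stay disabled, not be rewritten
#alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000004; rev:1;)
EOF

# SIDs we have decided (after watching the alerts) are safe to drop on.
printf '%s\n' 9000001 9000002 > "$DROP_SIDS"

# convert_to_drop <rules-file> <sid-list>
# Prints the rules file with 'alert' replaced by 'drop' only on active rules
# whose sid: value appears in <sid-list>. Everything else passes through.
convert_to_drop() {
    awk -v sidfile="$2" '
        BEGIN { while ((getline s < sidfile) > 0) want[s] = 1 }
        /^alert / {
            # extract the digits from "sid:NNN;" and look them up
            if (match($0, /sid:[0-9]+;/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 5)
                if (sid in want) sub(/^alert /, "drop ")
            }
        }
        { print }
    ' "$1"
}

# count_drop_rules <rules-file> <sid-list>
# Number of rules that would become drop rules; useful as a sanity check
# before loading the converted file into an inline sensor.
count_drop_rules() {
    convert_to_drop "$1" "$2" | grep -c '^drop ' || true
}

# Stand-alone run: write the converted file next to the original.
convert_to_drop "$RULES_FILE" "$DROP_SIDS" > "$RULES_FILE.drop"
echo "rules converted to drop: $(count_drop_rules "$RULES_FILE" "$DROP_SIDS")"
```

Before loading the converted file, check that it still parses with Suricata's test mode (`suricata -T -S /tmp/example-dos.rules.drop`, with `-S` loading that signature file exclusively). Note that converting the `threshold` rule to `drop` only drops the packet that satisfies the threshold, as Coop says; if the goal is to drop every further packet from that source once the count is exceeded in the window, `detection_filter` (which alerts on every match after the threshold is reached) is the keyword to look at, and for volumetric floods the drop still has to happen upstream of the sensor.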
