[Oisf-users] deciding what to drop in suricata IPS
Vieri
rentorbuy at yahoo.com
Fri Dec 9 22:13:50 UTC 2016
Hi,
I'm new to Suricata and Snort.
I'm trying to figure out how to activate IPS mode so that packets that are classified as a threat can be dropped.
On my gateway router, I'm launching
suricata -q 0 -c /etc/suricata/suricata.yaml
and iptables is forwarding traffic to queue 0.
I can see from the logs (fast.log) that Suricata is detecting potential attacks but I'm not sure they're being blocked because /var/log/suricata/drop.log is empty and I have this in the config file:
outputs:
  - drop:
      enabled: yes
      filename: drop.log
      append: yes
fast.log has messages such as:
12/09/2016-22:46:31.396745 [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 1.2.3.4:51499 -> 10.215.144.91:22
but nothing in drop.log.
Do I need to enable IPS mode by uncommenting the following?
af-packet:
  - interface: eth0
    copy-mode: ips
Do I need to define "copy-iface" (I'm running with -q 0)?
I'm also using:
host-mode: auto
stream:
  inline: auto
I have nothing defined in
nfq:
The stats.log file contains:
Date: 12/9/2016 -- 22:58:30 (uptime: 0d, 00h 28m 35s)
------------------------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------------------------
decoder.pkts | Total | 375999
decoder.bytes | Total | 406375462
decoder.ipv4 | Total | 375999
decoder.tcp | Total | 369451
decoder.udp | Total | 6336
decoder.icmpv4 | Total | 167
decoder.avg_pkt_size | Total | 1080
decoder.max_pkt_size | Total | 1492
tcp.sessions | Total | 196
tcp.syn | Total | 257
tcp.synack | Total | 7724
tcp.rst | Total | 8382
detect.alert | Total | 39
ips.accepted | Total | 343667
ips.blocked | Total | 32332
flow_mgr.new_pruned | Total | 13966
flow.spare | Total | 10000
tcp.memuse | Total | 286720
tcp.reassembly_memuse | Total | 12244864
flow.memuse | Total | 6274304
Also, how can I tell Suricata when to drop packets? For instance, suppose I want all threats with classification priority <=2 to be blocked.
Finally, is there a way to add the IP address of a host that supposedly poses a threat to an IPset? In the fast.log example posted above, how can I add source address 1.2.3.4 to an IPset?
Thanks,
Vieri
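Suricata only writes to drop.log for packets matched by rules whose action is drop, so a "priority <= 2" policy has to be applied to the rule set and to the host list rather than to alerts after the fact. The following helper is an added example, not code from the post or from Suricata: it parses lines in the fast.log format shown above, decides under that policy which signatures would need to be switched from alert to drop, and emits the ipset commands for the offending source hosts. It assumes an IPset named blocked_hosts created beforehand with "ipset create blocked_hosts hash:ip", handles IPv4 only, and the sample log lines are constructed (the first is the one from the post).

```python
import re
from dataclasses import dataclass

# fast.log layout as shown in the post: Classification and ports are
# optional because ICMP alerts carry no ports. IPv4 addresses only.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] (?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? -> (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: line 1 is from the post, lines 2-3 are made up
# (sid 9000001 is a placeholder, not a real signature).
SAMPLE_FAST_LOG = """
12/09/2016-22:46:31.396745 [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 1.2.3.4:51499 -> 10.215.144.91:22
12/09/2016-22:47:02.001000 [**] [1:9000001:1] CONSTRUCTED low priority ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.215.144.91
12/09/2016-22:47:40.123456 [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 1.2.3.4:51500 -> 10.215.144.91:22
"""

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str

def parse_fast_log(text):
    """Parse fast.log text into Alert records, skipping unrecognised lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alerts.append(Alert(int(m["sid"]), m["msg"], m["cls"] or "",
                                int(m["prio"]), m["proto"], m["src"], m["dst"]))
    return alerts

def drop_plan(alerts, max_priority=2, setname="blocked_hosts"):
    """Return (sids to convert from alert to drop, ipset commands for the
    source hosts of those alerts); both deduplicated in first-seen order.
    -exist makes re-adding an address a no-op instead of an error."""
    sids, hosts = [], []
    for a in alerts:
        if a.priority <= max_priority:
            if a.sid not in sids:
                sids.append(a.sid)
            if a.src not in hosts:
                hosts.append(a.src)
    return sids, [f"ipset add {setname} {h} -exist" for h in hosts]

if __name__ == "__main__":
    sids, cmds = drop_plan(parse_fast_log(SAMPLE_FAST_LOG))
    print("convert to drop:", sids)
    print("\n".join(cmds))
```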