[Oisf-users] suricata IPS and drop.log

Vieri rentorbuy at yahoo.com
Fri Dec 16 12:41:39 UTC 2016


I'm running Suricata in IPS/inline mode and I'm seeing packets that should be dropped according to fast.log but aren't according to drop.log.

For instance, here's a packet that should have been dropped, as I understand it.
12/16/2016-13:28:14.171999  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ->

However, at 13:30 the last line in drop.log is:
12/16/2016-13:18:39.039060: IN= OUT= SRC= DST= LEN=52 TOS=0x00 TTL=118 ID=2855 PROTO=TCP SPT=50792 DPT=22 SEQ=1033810276 ACK=0 WINDOW=8192 SYN RES=0x00 URGP=0

I was expecting to see a dropped packet from host src IP addr. in drop.log.
Why am I not seeing it?

My /etc/suricata/rules/emerging-scan.rules contains:
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20;)

I have this in my yaml file:

- drop:
enabled: yes
filename: drop.log
append: yes

Suricata 3.2



More information about the Oisf-users mailing list