[Oisf-users] suricata IPS and drop.log

Vieri rentorbuy at yahoo.com
Fri Dec 16 12:41:39 UTC 2016


Hi,

I'm running Suricata in IPS/inline mode and I'm seeing packets that should be dropped according to fast.log but aren't according to drop.log.

For instance, here's a packet that should have been dropped, as I understand it.
fast.log
12/16/2016-13:28:14.171999  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 116.31.116.8:36916 -> 10.215.144.91:22

However, at 13:30 the last line in drop.log is:
12/16/2016-13:18:39.039060: IN= OUT= SRC=163.172.119.247 DST=10.215.144.91 LEN=52 TOS=0x00 TTL=118 ID=2855 PROTO=TCP SPT=50792 DPT=22 SEQ=1033810276 ACK=0 WINDOW=8192 SYN RES=0x00 URGP=0

I was expecting to see a dropped packet from host src IP addr. 116.31.116.8 in drop.log.
Why am I not seeing it?

My /etc/suricata/rules/emerging-scan.rules contains:
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20;)

I have this in my yaml file:

outputs:
  - drop:
      enabled: yes
      filename: drop.log
      append: yes

Suricata 3.2

Thanks,

Vieri
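One way to check this systematically is to cross-reference every [Drop] alert in fast.log against drop.log and list the alerts for which no dropped packet from the same source to the same destination and port was logged within a short time window. The script below is an added example for that check; it is not part of the original post and not Suricata's own code. It assumes only the two line formats quoted above (the fast.log alert line and the drop.log packet line); the sample lines are taken from the post plus two constructed lines (a matching alert for 163.172.119.247 and a plain alert without a [Drop] tag), and the 5-second window is an arbitrary choice.

```python
"""Cross-check Suricata fast.log [Drop] alerts against drop.log entries.

Added example, not from the original post or from Suricata. Assumes the two
line formats quoted in the post; the sample data below is partly constructed.
"""
import re
from datetime import datetime, timedelta

# Both logs in the post use the same timestamp layout: MM/DD/YYYY-HH:MM:SS.ffffff
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"

# fast.log: "<ts>  [Drop] [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport"
# The "[Drop]" action tag is optional: alert-only lines carry none.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# drop.log: "<ts>: IN= OUT= SRC=... DST=... ... PROTO=TCP SPT=... DPT=... ..."
DROP_RE = re.compile(r"^(?P<ts>\S+):\s+(?P<fields>.*)$")


def parse_fast(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def parse_drop(line):
    """Parse one drop.log line into a dict of KEY=value fields plus 'ts'."""
    m = DROP_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:                      # flag words such as "SYN" have no value
            key, val = tok.split("=", 1)
            fields[key] = val
    fields["ts"] = datetime.strptime(m.group("ts"), TS_FMT)
    return fields


def unmatched_drops(fast_lines, drop_lines, window=timedelta(seconds=5)):
    """Return [Drop] alerts that have no drop.log packet with the same
    SRC, DST and DPT within `window` of the alert timestamp."""
    drops = [d for d in map(parse_drop, drop_lines) if d]
    missing = []
    for alert in filter(None, map(parse_fast, fast_lines)):
        if alert["action"] != "Drop":
            continue
        matched = any(
            d.get("SRC") == alert["src"]
            and d.get("DST") == alert["dst"]
            and d.get("DPT") == alert["dport"]
            and abs(d["ts"] - alert["ts"]) <= window
            for d in drops
        )
        if not matched:
            missing.append((alert["ts"], alert["sid"], alert["src"],
                            alert["dst"], alert["dport"]))
    return missing


# Sample input: first fast.log line and the drop.log line are from the post;
# the other two fast.log lines are constructed for this example.
FAST_SAMPLE = [
    "12/16/2016-13:28:14.171999  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan "
    "[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "116.31.116.8:36916 -> 10.215.144.91:22",
    "12/16/2016-13:18:39.039060  [Drop] [**] [1:2001219:20] ET SCAN Potential SSH Scan "
    "[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "163.172.119.247:50792 -> 10.215.144.91:22",
    "12/16/2016-13:20:00.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan "
    "[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "198.51.100.7:40000 -> 10.215.144.91:22",
]
DROP_SAMPLE = [
    "12/16/2016-13:18:39.039060: IN= OUT= SRC=163.172.119.247 DST=10.215.144.91 "
    "LEN=52 TOS=0x00 TTL=118 ID=2855 PROTO=TCP SPT=50792 DPT=22 SEQ=1033810276 "
    "ACK=0 WINDOW=8192 SYN RES=0x00 URGP=0",
]

if __name__ == "__main__":
    for ts, sid, src, dst, dport in unmatched_drops(FAST_SAMPLE, DROP_SAMPLE):
        print(f"{ts} sid={sid} {src} -> {dst}:{dport}: no matching drop.log entry")
```

To run it over real files, replace the two sample lists with `open("/var/log/suricata/fast.log").read().splitlines()` and the same for drop.log; the output lists exactly the alerts the post is asking about, so the discrepancy can be measured rather than spotted by eye.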

