[Oisf-users] How do I get IPF mode to, well, P?
Leonard Jacobs
ljacobs at netsecuris.com
Sat Mar 5 00:06:06 UTC 2016
Just because the signature has the word "drop" in it does not mean it will drop the packet unless you have IPS mode configured and the action in the signature is set to "drop".
Do you have IPS mode configured and enabled? Either use NFQUEUE compiled in Suricata or use AF-Packet mode.
Leonard
From: James Moe <jimoe at sohnen-moe.com>
To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: 3/4/2016 6:02 PM
Subject: [Oisf-users] How do I get IPF mode to, well, P?
Hello,
opensuse 42.1
linux 4.1.15-8-default x86_64
suricata 3.0
suricata is built in IPF mode using NFQUEUE.
I see this in <fast.log>, thinking the packet should be dropped:
03/04/2016-13:34:38.972801 [**] [1:2402000:3998] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 185.130.5.98:43578 -> 192.168.69.246:587
<drop.log> is size 0, as always.
  - drop:
      enabled: yes # no
      filename: drop.log
      append: yes
My understanding of IPF was that suricata would block, or drop,
certain packets to prevent intrusion. Clearly my understanding is deficient.
How does suricata actually prevent intrusion?
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
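The three things Leonard's reply says have to line up (a build with NFQueue support, packets actually steered into the queue Suricata listens on, and rules whose action is "drop" rather than "alert") can be checked and wired up from a shell. The script below is an added example, not code from this thread or from the Suricata project; the rule paths, the queue number and the sample rules are assumptions, and the sample rules are constructed to mimic the ET DROP signature in the poster's fast.log rather than copied from the real feed. The "ET DROP" rules in the Emerging Threats feed are written with the "alert" action, so even a correctly inlined Suricata will only log them until the action is rewritten, which is what promote_to_drop does.

```shell
#!/bin/sh
# Added example (not from the list thread or the Suricata project).
# Makes Suricata 3.x on Linux actually drop instead of only alerting:
#   (a) confirm the build has NFQueue support,
#   (b) rewrite selected "alert" rules to "drop",
#   (c) steer packets into the queue and start Suricata inline on it.
# Paths and the queue number below are assumptions; adjust to the install.

RULES_OUT=/etc/suricata/rules/local-drop.rules   # assumed path, must be in suricata.yaml rule-files
QUEUE=0                                          # assumed NFQUEUE number

# (a) A binary built without NFQueue cannot sit inline at all.
nfqueue_supported() {
    suricata --build-info 2>/dev/null | grep -q 'NFQueue support:[[:space:]]*yes'
}

# (b) Rewrite the action from "alert" to "drop" for rules whose msg matches
#     the ERE in $1. Commented-out rules and rules with any other action
#     (drop, reject, pass) are passed through unchanged. Reads rules on
#     stdin, writes the rewritten rule set on stdout.
promote_to_drop() {
    awk -v pat="$1" '
        /^[[:space:]]*#/ { print; next }
        $1 == "alert" && $0 ~ ("msg:\"[^\"]*" pat) {
            sub(/^[[:space:]]*alert[[:space:]]+/, "drop ")
        }
        { print }
    '
}

# Constructed sample rules (not the real ET feed): one "ET DROP" rule shaped
# like the one in the poster's fast.log, one unrelated alert that must stay
# an alert, and one commented-out rule that must stay commented.
sample_rules() {
    cat <<'EOF'
alert ip 198.51.100.0/24 any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; classtype:misc-attack; sid:2402000; rev:3998;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 587 (msg:"LOCAL submission port probe"; sid:9000001; rev:1;)
# alert ip 203.0.113.0/24 any -> $HOME_NET any (msg:"ET DROP disabled example"; sid:9000002; rev:1;)
EOF
}

# (c) Write the promoted rules, send the host's own traffic through the
#     queue, and start Suricata reading from it. Run as root. On a gateway
#     hook FORWARD instead of INPUT/OUTPUT.
install_nfqueue_and_run() {
    sample_rules | promote_to_drop 'ET DROP' > "$RULES_OUT"
    iptables -I INPUT  -j NFQUEUE --queue-num "$QUEUE"
    iptables -I OUTPUT -j NFQUEUE --queue-num "$QUEUE"
    suricata -c /etc/suricata/suricata.yaml -q "$QUEUE" -D
}
```

Before calling install_nfqueue_and_run, check that nfqueue_supported succeeds and that RULES_OUT is listed under rule-files in suricata.yaml; once Suricata is running with -q, matches on the promoted rules show up in drop.log (the output block quoted above) instead of only in fast.log. Note that with the INPUT/OUTPUT rules in place every packet to and from the host waits on Suricata, so if the process dies the host goes dark until the iptables rules are removed; `--queue-bypass` on the NFQUEUE target avoids that at the cost of failing open.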