[Oisf-users] threshold.conf with rate_limit or drop rules
Jeff Dyke
jeff.dyke at gmail.com
Wed Sep 13 19:53:43 UTC 2017
i am running an array of servers on aws (EC2 instances), one server in both
the staging and production environments has SSH open and 2 have 443/80 open
(active/passive HAProxy instances)
I've been using OSSEC with active-response to block malicious ssh attacks,
and while i like the software and the other things that it finds, I would
like to move this type of logic to the edge servers, using suricata. i'll
concentrate on SSH for now, from there i can apply my knowledge or other
protocols.
If i'm understanding correctly (likely not) i could add a rate_filter into
threshold.conf, or i could add drop rules. What is the best practice in
this instance. I know the threshold.config is getting parsed as i see the
warning
[ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2019876 has a threshold
set. The signature event var is given precedence over the threshold.conf
one. Bug #425.
I'm running suricata 4.0.0 RELEASE
Thanks, for any pointers. If rate_filter is correct, how do i convert it
to a drop event when threshold is hit? The docs are great, but i seemed to
have missed this piece.
Jeff
my 4 threshold.config entries.
rate_filter gen_id 1, sig_id 2019876, track by_rule, count 3, seconds 120,
new_action drop, timeout 14400
rate_filter gen_id 1, sig_id 2101638, track by_rule, count 3, seconds 120,
new_action drop, timeout 14400
rate_filter gen_id 1, sig_id 2001219, track by_rule, count 3, seconds 120,
new_action drop, timeout 14400
rate_filter gen_id 1, sig_id 2006546, track by_rule, count 3, seconds 120,
new_action drop, timeout 14400
suppress gen_id 1, sig_id 2221002, track by_src, ip 10.0.0.0/16
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170913/b6620fbf/attachment.html>
More information about the Oisf-users
mailing list