[Oisf-users] threshold.conf with rate_limit or drop rules

Jeff Dyke jeff.dyke at gmail.com
Wed Sep 13 19:57:05 UTC 2017


I should have stated that I'm successfully attached to NFQUEUE in
inline/IPS mode.  <Info> - NFQ running in standard ACCEPT/DROP mode.

On Wed, Sep 13, 2017 at 3:53 PM, Jeff Dyke <jeff.dyke at gmail.com> wrote:

> I am running an array of servers on AWS (EC2 instances). One server in
> both the staging and production environments has SSH open, and 2 have 443/80
> open (active/passive HAProxy instances).
>
> I've been using OSSEC with active-response to block malicious SSH attacks,
> and while I like the software and the other things that it finds, I would
> like to move this type of logic to the edge servers, using Suricata.  I'll
> concentrate on SSH for now; from there I can apply my knowledge to other
> protocols.
>
> If I'm understanding correctly (likely not), I could add a rate_filter into
> threshold.conf, or I could add drop rules.  What is the best practice in
> this instance?  I know the threshold.config is getting parsed, as I see the
> warning:
> [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2019876 has a
> threshold set. The signature event var is given precedence over the
> threshold.conf one. Bug #425.
>
> I'm running Suricata 4.0.0 RELEASE.
>
> Thanks for any pointers.  If rate_filter is correct, how do I convert it
> to a drop event when the threshold is hit?  The docs are great, but I seem to
> have missed this piece.
>
> Jeff
>
> My 4 threshold.config entries:
> rate_filter gen_id 1, sig_id 2019876, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> rate_filter gen_id 1, sig_id 2101638, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> rate_filter gen_id 1, sig_id 2001219, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> rate_filter gen_id 1, sig_id 2006546, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> suppress gen_id 1, sig_id 2221002, track by_src, ip 10.0.0.0/16
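Added example, not code from this thread or from Suricata: a small Python model of what the rate_filter entries above do, so the "how does it become a drop" question can be traced by hand. It parses the message's own entries and replays matches against them; the exact window handling and whether the switch happens on the count-th match or the next one are assumptions, and the real behaviour should be checked against the Suricata version in use.

```python
# Added example, not code from the thread or from Suricata: a model of how a threshold.conf
# rate_filter switches a signature's action. Window and count boundary are assumptions.
import re
from dataclasses import dataclass, field
RATE_RE = re.compile(r"rate_filter gen_id (\d+), sig_id (\d+), track (\w+), count (\d+),"
                     r" seconds (\d+), new_action (\w+), timeout (\d+)")
@dataclass
class RateFilter:
    sid: int
    track: str       # by_rule: one counter for the rule; by_src/by_dst: one per address
    count: int       # matches within `seconds` that switch the action to new_action
    seconds: int
    new_action: str
    timeout: int     # seconds the new_action stays in force once triggered
    state: dict = field(default_factory=dict)  # key -> [window_start, hits, until]

    def action(self, now, src="", dst="", original="alert"):
        """Action taken for one match of this sid at time `now` (seconds)."""
        key = {"by_src": src, "by_dst": dst}.get(self.track, "rule")
        st = self.state.setdefault(key, [now, 0, None])
        start, hits, until = st
        if until is not None:                  # new_action still in force?
            if now < until:
                return self.new_action
            start, hits, until = now, 0, None  # timeout expired: back to counting
        if now - start > self.seconds:         # counting window expired
            start, hits = now, 0
        hits += 1
        if hits >= self.count:                 # threshold hit: switch for `timeout`
            until = now + self.timeout
        st[:] = [start, hits, until]
        return original if until is None else self.new_action

def parse_rate_filters(conf):
    """Return {sid: RateFilter} for rate_filter lines; suppress/threshold lines are skipped."""
    out = {}
    for line in conf.splitlines():
        if m := RATE_RE.match(line.strip()):
            _, sid, track, cnt, secs, act, tmo = m.groups()
            out[int(sid)] = RateFilter(int(sid), track, int(cnt), int(secs), act, int(tmo))
    return out
# Constructed sample: one of the message's entries, with the wrapped line rejoined.
THRESHOLD_CONF = """\
rate_filter gen_id 1, sig_id 2019876, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
suppress gen_id 1, sig_id 2221002, track by_src, ip 10.0.0.0/16
"""
def simulate(sid, times, src=""):   # feed matches at the given timestamps
    rf = parse_rate_filters(THRESHOLD_CONF)[sid]
    return [rf.action(t, src=src) for t in times]
```

Three hits within 120 s switch sid 2019876 to drop for 14400 s (4 hours); matches spaced more than 120 s apart never reach the count and stay at the rule's original action.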