[Oisf-users] threshold.conf with rate_limit or drop rules

amar countersnipe.com amar at countersnipe.com
Wed Sep 13 22:02:13 UTC 2017

Hi Jeff

Just an initial thought. Most of the services can be controlled via the service daemons. For example ssh login frequency can be controlled via sshd_config using

MaxAuthTries X(number you are happy with) or using MaxStartups

Alternatively, since you are using iptables, an even better approach would be to use iptables with something like:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds X --hitcount Y --rttl --name SSH -j DROP

Once you have eliminated the basic problem then you could get Suricata to inspect deeper.

Hope I didn't just miss the requirement in the first place.


Amar Rathore
CounterSnipe - Suricata based IDS/IPS with so much more.

> On September 13, 2017 at 3:57 PM Jeff Dyke <jeff.dyke at gmail.com> wrote:
>     I should have stated that i'm successfully attached to NFQUEUE in inline/IPS mode.  <Info> - NFQ running in standard ACCEPT/DROP mode.
>     On Wed, Sep 13, 2017 at 3:53 PM, Jeff Dyke <jeff.dyke at gmail.com mailto:jeff.dyke at gmail.com > wrote:
>         > >         i am running an array of servers on aws (EC2 instances), one server in both the staging and production environments has SSH open and 2 have 443/80 open (active/passive HAProxy instances)
> > 
> >         I've been using OSSEC with active-response to block malicious ssh attacks, and while i like the software and the other things that it finds, I would like to move this type of logic to the edge servers, using suricata.  i'll concentrate on SSH for now, from there i can apply my knowledge or other protocols.
> > 
> >         If i'm understanding correctly (likely not) i could add a rate_filter into threshold.conf, or i could add drop rules.  What is the best practice in this instance.  I know the threshold.config is getting parsed as i see the warning 
> >         [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - signature sid:2019876 has a threshold set. The signature event var is given precedence over the threshold.conf one. Bug #425.  
> > 
> >         I'm running suricata 4.0.0 RELEASE
> > 
> >         Thanks, for any pointers.  If rate_filter is correct, how do i convert it to a drop event when threshold is hit?  The docs are great, but i seemed to have missed this piece.
> > 
> >         Jeff
> > 
> >         my 4 threshold.config entries.
> >         rate_filter gen_id 1, sig_id 2019876, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> >         rate_filter gen_id 1, sig_id 2101638, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> >         rate_filter gen_id 1, sig_id 2001219, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> >         rate_filter gen_id 1, sig_id 2006546, track by_rule, count 3, seconds 120, new_action drop, timeout 14400
> >         suppress gen_id 1, sig_id 2221002, track by_src, iphttp://
> > 
> > 
> > 
> >     > 
>     _______________________________________________
>     Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>     Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     Conference: https://suricon.net
>     Trainings: https://suricata-ids.org/training/

Kind regards

Amar Rathore

CounterSnipe Systems LLC
Tel: +1 617 701 7213
Mobile: +44 (0) 7876 233333
Skype ID: amarrathore
Web: www.countersnipe.com <http://www.countersnipe.com/>

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170913/1a9831aa/attachment-0002.html>

More information about the Oisf-users mailing list