[Oisf-users] Suricata not blocking bad traffic

gatodiablo at protonmail.com gatodiablo at protonmail.com
Mon Jul 9 00:55:09 UTC 2018


I want to use Suricata in IPS mode and have followed the instructions on the readthedocs site. Suricata is running on a gateway firewall device. I am accessing test exploits on this page: https://www.wicar.org/test-malware.html
The fast.log file shows alerts indicating the malware was detected; however, it is not blocked.

I have checked suricata --build-info and nfq is included.

Suricata is started as a service using these arguments:

sudo suricata -D -c /etc/suricata/suricata.yaml -q 0 --pidfile /var/run/suricata.pid

iptables -S

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-num 0
iptables -A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A -i eth1 -o eth0 -j ACCEPT

nfq section from suricata.yaml:

nfq:
  mode: accept
  # repeat_mark: 1
  # repeat_mask: 1
  # bypass-mark: 1
  # bypass-mask: 1
  # route-queue: 2
  # batchcount: 20
  # fail-open: yes

Sent from ProtonMail mobile
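As an added example that is not part of the original post: in NFQUEUE IPS mode Suricata only drops traffic for rules whose action is "drop" or "reject", so a rule set made of plain "alert" rules produces exactly the symptom described above (entries in fast.log, nothing blocked). The helper below switches selected sids from alert to drop in a rules file; the rules file, its content and the sid values are constructed for the example and are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Suricata blocks only on
# "drop"/"reject" actions, so IPS deployments must convert the alert rules
# they want enforced. The rule texts and sids below are constructed.

# count_actions <rules-file> <action>: number of enabled rules using <action>.
# Always exits 0 so it is safe to call under "set -e".
count_actions() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# alert_to_drop <rules-file> <sid> [<sid> ...]
# Rewrites the action of the listed sids from "alert" to "drop" in place,
# leaving comments and every other rule untouched; prints how many changed.
alert_to_drop() {
    rules="$1"; shift
    sids=$(printf '%s|' "$@")
    sids="^(${sids%|})$"                      # e.g. ^(9000001|9000002)$
    before=$(count_actions "$rules" drop)
    awk -v sids="$sids" '
        /^[ \t]*alert[ \t]/ && match($0, /sid: *[0-9]+/) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/sid: */, "", sid)
            if (sid ~ sids) sub(/^[ \t]*alert/, "drop")
        }
        { print }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
    after=$(count_actions "$rules" drop)
    echo $((after - before))
}

# Demo on a constructed rules file: two test-page signatures get enforced,
# a third stays alert-only.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample rules for the example
alert http any any -> any any (msg:"EICAR test file"; content:"EICAR-STANDARD"; sid:9000001; rev:1;)
alert http any any -> any any (msg:"wicar test page"; content:"wicar"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"stays alert-only"; sid:9000003; rev:1;)
EOF
changed=$(alert_to_drop "$demo_file" 9000001 9000002)
echo "rules switched to drop: $changed"
```

After a rewrite like this, reload Suricata (or restart the service shown above) so the changed actions take effect, and confirm in fast.log that the matching entries now read [Drop] rather than [**].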

