[Oisf-users] Suricata not blocking bad traffic

gatodiablo at protonmail.com gatodiablo at protonmail.com
Mon Jul 9 00:55:09 UTC 2018

I want to use suricata in IPS mode and have followed the instructions on the readthedocs site. Suricata is running on a gateway firewall device. I am accessing test exploits on this page: https://www.wicar.org/test-malware.html
The fast.log file shows alerts indicating the malware was detected, however it is not blocked.

I have checked suricata --build-info and nfq is included.

Suricata is started as a service using these arguments

sudo suricata -D -c /etc/suricata/suricata.yaml -q 0 --pidfile /var/run/suricata.pid

Iptables -S

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-num 0
iptables -A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A -i eth1 -o eth0 -j ACCEPT

Nfq section from suricata.yaml

mode: accept
# repeat_mark: 1
# repeat_mask: 1
# bypass-mark: 1
# bypass-mask: 1
# route-queue: 2
# batchcount: 20
# fail-open: yes

Sent from ProtonMail mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180708/68a91f7b/attachment.html>

More information about the Oisf-users mailing list