[Oisf-users] Suricata not blocking bad traffic

gatodiablo at protonmail.com gatodiablo at protonmail.com
Mon Jul 9 01:58:35 UTC 2018

Alert I think. Do I need a different set of rules to run in IPS mode? I ideally want it to both alert and drop anything that matches a rule.

Sent from ProtonMail mobile

-------- Original Message --------
On Jul 8, 2018, 6:58 PM, Leonard wrote:

> Do your signatures have alert or drop set for the action?
> On Jul 8, 2018, at 7:55 PM, gatodiablo at protonmail.com wrote:
>> I want to use suricata in IPS mode and have followed the instructions on the readthedocs site. Suricata is running on a gateway firewall device. I am accessing test exploits on this page: https://www.wicar.org/test-malware.html
>> The fast.log file shows alerts indicating the malware was detected, however it is not blocked.
>> I have checked suricata --build-info and nfq is included.
>> Suricata is started as a service using these arguments
>> sudo suricata -D -c /etc/suricata/suricata.yaml -q 0 --pidfile /var/run/suricata.pid
>> Iptables -S
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i eth0 -o eth1 -j NFQUEUE --queue-num 0
>> iptables -A FORWARD -i eth1 -o eth0 -j NFQUEUE --queue-num 0
>> iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
>> iptables -A -i eth1 -o eth0 -j ACCEPT
>> Nfq section from suricata.yaml
>> nfq:
>> mode: accept
>> # repeat_mark: 1
>> # repeat_mask: 1
>> # bypass-mark: 1
>> # bypass-mask: 1
>> # route-queue: 2
>> # batchcount: 20
>> # fail-open: yes
>> Sent from ProtonMail mobile
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify Netsecuris management at mgmt at netsecuris.com. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Netsecuris Inc. The integrity and security of this message cannot be guaranteed on the Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180708/dcf5d09b/attachment.html>

More information about the Oisf-users mailing list