Configure Suricata as IPS to prevent host from SYN Flood

As you can see in the iptables -v -L output, the NFQUEUE rule starts with two zeros: one counts packets, the other bytes. As long as these are 0 Suricata will not receive any traffic.

Can you explain the network topology of your test? What host (+ip) is running Suricata, what host is running hping, what host has the webserver?

The jq errors are odd. They suggest a malformed eve.json file. I would suggest deleting it for now. If it comes back, we can investigate it.

So what thing(s) could have gone wrong in my configuration?

Here’s the topology:
[image: topology]
But I'm still figuring out the solution for hping3. If it's done, then it will be easier to solve the LOIC one.

So Suricata runs on the 192.168.2.1 server? If so you need iptables rules in the INPUT and OUTPUT chains, not the forward. There is no routing through that box, all traffic has a local destination and origin.
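
The following is an added example, not code posted in this thread or shipped by Suricata. It shows the INPUT/OUTPUT NFQUEUE rules for the single-host setup just described, and a small check over the packet counters the first reply refers to, so you can tell from an `iptables -v -L` dump whether packets are reaching Suricata. The two iptables dumps in it are constructed sample text; queue number 0 is assumed to match the `-q 0` Suricata was started with.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows (1) the iptables rules
# that put Suricata inline for traffic that terminates on the same host and
# (2) a check of the rule counters that the first reply points at. The
# iptables dumps further down are constructed sample text, not real output.

# Rules for a host that runs both Suricata and the web server: packets
# arrive in INPUT and leave via OUTPUT; nothing is routed, so a FORWARD
# rule never matches. Queue 0 is the queue Suricata reads with "-q 0".
print_local_nfqueue_rules() {
    cat <<'EOF'
iptables -I INPUT  -j NFQUEUE --queue-num 0
iptables -I OUTPUT -j NFQUEUE --queue-num 0
EOF
}

# Sum the pkts column of every NFQUEUE rule in an "iptables -v -L" dump
# passed as $1. Header and chain-policy lines have a different third
# field, so only real NFQUEUE rules are counted. iptables -v abbreviates
# large counters with K/M/G (powers of 1000), which are expanded here.
nfqueue_pkts() {
    printf '%s\n' "$1" | awk '
        $3 == "NFQUEUE" {
            n = $1; mult = 1
            if (n ~ /K$/) mult = 1000
            if (n ~ /M$/) mult = 1000000
            if (n ~ /G$/) mult = 1000000000
            sub(/[KMG]$/, "", n)
            total += n * mult
        }
        END { printf "%d\n", total + 0 }'
}

# Exit 0 when the NFQUEUE rules have matched at least one packet, 1 when
# they are still at zero (the symptom in the thread: Suricata gets nothing).
check_nfqueue() {
    if [ "$(nfqueue_pkts "$1")" -gt 0 ]; then
        echo "NFQUEUE counters are non-zero: packets reach Suricata"
        return 0
    fi
    echo "NFQUEUE counters are 0: no packets reach Suricata (rule in the wrong chain?)"
    return 1
}

# Constructed sample: the NFQUEUE rule placed in FORWARD on a host that
# does no routing, as in the original configuration. Counters stay at 0.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

# Constructed sample: the same rule in INPUT after an hping3 SYN flood.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  12K  480K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
   15  1200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

print_local_nfqueue_rules
check_nfqueue "$SAMPLE_FORWARD" || true   # prints the "counters are 0" diagnosis
check_nfqueue "$SAMPLE_INPUT"
# On the real host: check_nfqueue "$(iptables -v -n -L INPUT)"
```

Two practical caveats for the real rules: with a plain `-j NFQUEUE`, packets are dropped whenever no process is reading the queue, so the host goes dark the moment Suricata stops; adding `--queue-bypass` to the NFQUEUE target lets traffic pass in that case. And if you do not want loopback traffic inspected, add `! -i lo` / `! -o lo` to the INPUT and OUTPUT rules respectively.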


It’s working now, thanks!
Anyway, is it possible to have two rate_filter in threshold.config? I need to stop the attacks from LOIC too
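
As an added example (not from the thread or from the Suricata project): threshold.config is line oriented, and each `rate_filter` line is an independent entry, so a second rate_filter for the LOIC signature is simply another line. The block below writes such a file with one rate_filter per signature and lints it for the mandatory keys before it is loaded. The sids 1000001 and 1000002 and the count/seconds/timeout values are placeholders chosen for illustration; substitute the sids of the signatures you actually use.

```shell
#!/bin/sh
# Added example, not code from the thread. It writes a threshold.config with
# one rate_filter per signature and lints the file before it is loaded. The
# sids 1000001 (SYN flood signature) and 1000002 (LOIC signature) are
# placeholders; substitute the sids of the rules you actually use.

# threshold.config is line oriented: every rate_filter line is an independent
# entry, so a second (third, ...) rate_filter is just another line.
# new_action drop only blocks when Suricata runs inline (NFQUEUE); in IDS
# mode it is logged as a drop but nothing is stopped.
write_threshold_config() {
    cat > "$1" <<'EOF'
# SYN flood: more than 100 matches from one source within 1 second switches
# the rule to drop for that source for 60 seconds.
rate_filter gen_id 1, sig_id 1000001, track by_src, count 100, seconds 1, new_action drop, timeout 60
# LOIC: a lower rate over a longer window, longer penalty.
rate_filter gen_id 1, sig_id 1000002, track by_src, count 50, seconds 5, new_action drop, timeout 120
EOF
}

# Constructed broken variant: the second entry lacks "timeout". The lint
# below catches it before the file is handed to Suricata.
write_broken_threshold_config() {
    cat > "$1" <<'EOF'
rate_filter gen_id 1, sig_id 1000001, track by_src, count 100, seconds 1, new_action drop, timeout 60
rate_filter gen_id 1, sig_id 1000002, track by_src, count 50, seconds 5, new_action drop
EOF
}

# Check every rate_filter line for the seven mandatory keys. Prints a summary
# and exits non-zero if any entry is incomplete, so it can gate a reload.
lint_rate_filters() {
    awk '
        /^[ \t]*rate_filter/ {
            n = split("gen_id sig_id track count seconds new_action timeout", key, " ")
            ok = 1
            for (i = 1; i <= n; i++)
                if ($0 !~ (key[i] "[ \t]+[^,]+")) { ok = 0; print "line " NR ": missing " key[i] }
            if (ok) good++; else bad++
        }
        END { printf "%d valid, %d invalid\n", good + 0, bad + 0; exit (bad > 0) }
    ' "$1"
}

cfg=$(mktemp)
write_threshold_config "$cfg"
lint_rate_filters "$cfg"          # 2 valid, 0 invalid
rm -f "$cfg"
```

Run `lint_rate_filters /etc/suricata/threshold.config` (or wherever your suricata.yaml points `threshold-file`) before restarting Suricata; a non-zero exit means at least one entry is missing a key. `track by_src` is what you want for flood sources; `by_dst` would count per victim and throttle on the first attacker for everyone.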

I am trying to suppress/threshold the alerts matching the SYN attack signature to which I have applied a rate filter.

It seems that only one of suppress/threshold/rate_filter works at a time. I am unable to achieve thresholding or suppression on a rate-filtered signature.

Is there any solution for this?