Hello,
My Suricata version is 7.0.7, and my operating system is Ubuntu 22.04.2 LTS.
I have a test environment with the following setup: PC1 is on Network1, PC2 (which has Suricata running) forwards all traffic, and PC3 is on Network2, which is different from Network1. What I want to do is drop all packets and only allow access to the ones I specify. For example, I want to allow TCP SYN packets to pass, but I also want to block any DDoS attack attempts that use TCP SYN floods. I am trying to implement this with a rule structure that first drops all packets, but then I also want to add a specific rule to drop TCP SYN packets that match certain criteria. However, when I try to do this, both the ‘drop all’ rule and the ‘drop TCP SYN’ rule seem to overlap and cause issues.
Is there a way to fix the issue I am having, or do I need to approach this entirely differently from the beginning?
Here is my ruleset:
drop ip any any <> any 5060 (msg:"Block DDoS SIP"; ip_proto:tcp; flags:S; flow:stateless; threshold:type both, track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000100; priority:1; rev:1;)
pass tcp any any <> any 5060 (msg:"Pass TCP SYN"; flags:S; sid:1000300; priority:2; rev:1;)
drop ip any any -> any any (msg:"All traffic blocked"; sid:1000500; priority:4; rev:1;)
Thank you for the assistance.