Fail to drop centos 8 stream

hi,
I installed Suricata from CentOS 8 Stream's repo, version 6.0.12, running with -q0 -q1 -q2 -q3 -q4 -q5.
nftables configured:

    chain IPS {
            type filter hook forward priority 10;
            counter queue num 0-5 fanout,bypass
    }

I edited emerging-p2p.rules from alerts to drops,

but it only alerts, and the alerts are killing me: it only alerts, with action allowed.
This is a gateway and it has only one single interface with a public IP.

Thanks in advance.

Can you rephrase this sentence? It’s a bit hard to understand what you mean.

Also post the suricata.yaml and ideally suricata.log and stats.log as well.

I mean it only produces alerts without any drop in the logs. I need this [Drop] [] but it only makes [].

/etc/sysconfig/suricata

/etc/suricata/suricata.yaml

/var/log/suricata/suricata.log

/var/log/suricata/stats.log

I sent what you asked for; just let me know whether it is Suricata's bug on CentOS or my misconfiguration?

Also, I tried nfq: mode instead of af-packet:, but I get the same result; it just alerts without any drop.

    25/6/2023 – 20:36:43 - – Using data-directory /var/lib/suricata.
    25/6/2023 – 20:36:43 - – Using Suricata configuration /etc/suricata/suricata.yaml
    25/6/2023 – 20:36:43 - – Using /usr/share/suricata/rules for Suricata provided rules.
    25/6/2023 – 20:36:43 - – Found Suricata version 6.0.12 at /usr/sbin/suricata.

So why are the rule files in /etc/suricata/rules ???

Suricata's learning curve is a huge disaster: a maze, incorrectly documented, with different behavior in different distros.
suricata.yaml is useless most of the time; just the command line switches have an effect most of the time.

I finally fixed it on CentOS on a dedicated server, but on the VPS (Ubuntu 22, Suricata 6.0.13) there is some problem, maybe something like port mirroring on the host or promisc mode of the network interface.
fast.log is completely empty and I only get eve.log output, without any alert or drop based on the rules.

eve.log:

    {"timestamp":"2023-06-28T00:34:28.993934+0330","flow_id":573770299091598,"event_type":"dns","src_ip":"10.0.143.250","src_port":64690,"dest_ip":"1.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42501,"rrname":"play.google.com","rrtype":"A","tx_id":0,"opcode":0}}
    {"timestamp":"2023-06-28T00:34:29.001929+0330","flow_id":573770299091598,"event_type":"dns","src_ip":"10.0.143.250","src_port":64690,"dest_ip":"1.0.0.1","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":42501,"flags":"8180","qr":true,"rd":true,"ra":true,"opcode":0,"rrname":"play.google.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"play.google.com","rrtype":"A","ttl":294,"rdata":"142.251.39.110"}],"grouped":{"A":["142.251.39.110"]}}}
    {"timestamp":"2023-06-28T00:34:29.048370+0330","flow_id":2192146188477823,"event_type":"tls","src_ip":"10.0.110.235","src_port":45828,"dest_ip":"216.58.214.10","dest_port":443,"proto":"TCP","tls":{"sni":"pubsub.googleapis.com","version":"TLS 1.3","ja3":{},"ja3s":{}}}
    {"timestamp":"2023-06-28T00:34:29.134818+0330","flow_id":2048664216065805,"event_type":"tls","src_ip":"10.0.90.50","src_port":38536,"dest_ip":"216.58.214.10","dest_port":443,"proto":"TCP","tls":{"sni":"pubsub.googleapis.com","version":"TLS 1.3","ja3":{},"ja3s":{}}}
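Added example, not from the thread: a small Python script that summarises an eve.json file by event_type and, for alert events, by signature_id and action, so you can see at a glance whether any rule fired at all and whether the action was "allowed" or "blocked" (the symptom reported above). The embedded sample lines are constructed; the signature IDs and the 198.51.100.7 address are placeholders.

```python
import json
import sys
from collections import Counter

# Constructed sample eve.json lines (modelled on the thread's output): two
# non-alert events, an alert from a rule still set to "alert" (action
# "allowed") and one from a rule changed to "drop" (action "blocked").
SAMPLE_EVE = """\
{"timestamp":"2023-06-28T00:34:28.993934+0330","event_type":"dns","src_ip":"10.0.143.250","dest_ip":"1.0.0.1","proto":"UDP","dns":{"type":"query","rrname":"play.google.com"}}
{"timestamp":"2023-06-28T00:34:29.048370+0330","event_type":"tls","src_ip":"10.0.110.235","dest_ip":"216.58.214.10","proto":"TCP","tls":{"sni":"pubsub.googleapis.com"}}
{"timestamp":"2023-06-28T00:35:01.000000+0330","event_type":"alert","src_ip":"10.0.90.50","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"allowed","signature_id":2000001,"signature":"SAMPLE P2P rule left as alert"}}
{"timestamp":"2023-06-28T00:35:02.000000+0330","event_type":"alert","src_ip":"10.0.90.51","dest_ip":"198.51.100.7","proto":"TCP","alert":{"action":"blocked","signature_id":2000002,"signature":"SAMPLE P2P rule changed to drop"}}
"""

def summarize_eve(lines):
    """Return (events per event_type, alert actions per signature_id, bad lines).

    An alert with action "allowed" means Suricata saw the packet but did not
    drop it: the rule is still an alert rule, the file you edited is not the
    one Suricata loaded, or Suricata is not running inline."""
    by_type = Counter()
    by_sig = {}
    bad_lines = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            bad_lines += 1      # a live eve.json may end in a half-written line
            continue
        et = ev.get("event_type", "unknown")
        by_type[et] += 1
        if et == "alert":
            alert = ev.get("alert", {})
            sid = alert.get("signature_id")
            by_sig.setdefault(sid, Counter())[alert.get("action", "unknown")] += 1
    return by_type, by_sig, bad_lines

def not_dropped(by_sig):
    """Signature IDs that fired but never produced a blocked action."""
    return sorted(sid for sid, acts in by_sig.items() if acts.get("blocked", 0) == 0)

if __name__ == "__main__":
    # Usage: python3 eve_summary.py /var/log/suricata/eve.json (no arg: sample data)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_EVE.splitlines()
    by_type, by_sig, bad = summarize_eve(lines)
    print("events per type:", dict(by_type), "| unparsable lines:", bad)
    for sid, acts in sorted(by_sig.items()):
        print(f"sid {sid}: {dict(acts)}")
    print("fired but never blocked:", not_dropped(by_sig))
```

If eve.json shows only dns/tls/flow events and no alert events at all, the rules are not matching (or not loaded); if alerts appear but every action is "allowed", the rules match but the drop action is not taking effect.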

Have you had any success getting your rules to fire? If not, may I suggest…

  • Provide the Linux distribution you are using and how you installed Suricata on that distribution. Yes, packaging for different distributions can do things differently. Stick to one while debugging. Here I see Ubuntu and CentOS, so it's hard to provide help.
  • First try to get alerts in IDS mode before moving to an IPS mode, if possible in your environment.

On CentOS 8 Stream the problem was that I didn't define enable.conf, drop.conf and disable.conf, because those files weren't there after installation. How should a user know those files should be defined in etc/suricata/??? So trial and error produced this result and fixed my problem.
But now on the Ubuntu VPS the config is the same, but it doesn't log much.
I only install Suricata from the default repo for any distribution.

    default-rule-path: /var/lib/suricata/rules

    rule-files:
      - suricata.rules
      - /etc/suricata/prv.rules

OK, on this Ubuntu 22 where I installed Suricata 6.0.13 from the default repo,
it will read my prv.rules, but it doesn't read suricata.rules; in some way it bypasses it after I run:

suricata-update (after enabling sources and enabling them from enable.conf)
suricata -T (no error)
suricatasc -c reload-rules (this command takes some time to complete on the dedicated CentOS 8 Stream server with a 6-core CPU, but on this 4-core CPU VPS it doesn't take any time; it's done in under a second)

CentOS result:

    suricatasc -c ruleset-stats
    {"message": [{"id": 0, "rules_loaded": 49680, "rules_failed": 0}], "return": "OK"}

Ubuntu result with the same config:

    suricatasc -c ruleset-stats
    {"message": [{"id": 0, "rules_loaded": 10, "rules_failed": 0}], "return": "OK"}

So nobody has any idea?

Please post your config files and the full suricata.log. Otherwise it’s hard to debug.