Fail to drop centos 8 stream

i installed suricata from centos 8 stream’s repo version 6.0.12 running with -q0 -q1 -q2 -q3 -q4 -q5
nftables configed:

    chain IPS {
            type filter hook forward priority 10;
            counter queue num 0-5 fanout,bypass

i edited emereging-p2p.rules from alerts to drops

but it only alerts and alerts killed myself it only alerts with action allowed
this is gateway and has only one single interface with public ip

thanks in advance

Can you rephrase this sentence? It’s a bit hard to understand what you mean.

Also post the suricata.yaml and ideally suricata.log and stats.log as well.

i mean it only produces alert without any drop in logs. i need this [Drop] [] but it only make []





i sent what you said just let me know it is suricata’s bug on centos or my misconfiguration ?

also i tried nfq: mode instead af-packet: but i get same result it just alerts without any drop

25/6/2023 – 20:36:43 - – Using data-directory /var/lib/suricata.
25/6/2023 – 20:36:43 - – Using Suricata configuration /etc/suricata/suricata.yaml
25/6/2023 – 20:36:43 - – Using /usr/share/suricata/rules for Suricata provided rules.
25/6/2023 – 20:36:43 - – Found Suricata version 6.0.12 at /usr/sbin/suricata.

so why rule files are in /etc/suricata/rules ???

suricata’s learning curve is a huge disaster a maze incorrectly documented, different behavior in different distros
suricata.yaml most of the time is useless just command line switches have effect most of the times

i finally fixed it on centos a dedicated server but on vps(ubuntu22 suricata 6.0.13) there is some problem maybe like port mirroring of host or promisc mode of network interface
fast.log is null at all and only i get eve.log output without any alert and drop based on rules

{“timestamp”:“2023-06-28T00:34:29.048370+0330”,“flow_id”:2192146188477823,“event_type”:“tls”,“src_ip”:“”,“src_port”:45828,“dest_ip”:“”,“dest_port”:443,“proto”:“TCP”,“tls”:{“sni”:“”,“version”:“TLS 1.3”,“ja3”:{},“ja3s”:{}}}
{“timestamp”:“2023-06-28T00:34:29.134818+0330”,“flow_id”:2048664216065805,“event_type”:“tls”,“src_ip”:“”,“src_port”:38536,“dest_ip”:“”,“dest_port”:443,“proto”:“TCP”,“tls”:{“sni”:“”,“version”:“TLS 1.3”,“ja3”:{},“ja3s”:{}}}

Have you had any success getting your rules to fire? If not, may I suggest…

  • Provide the Linux distribution you are using and how you installed Suricata on that distribution. Yes, packaging for different distributions can do things differently. Stick to one while debugging. Here I see Ubuntu and CentOS, so its hard to provide help.
  • First try to get alerts in IDS mode before moving to an IPS mode, if possible in your environment.

In centos 8 stream problem was that i didnt define enable.conf drop.conf and disable.conf because those file wasnt there after installation how user should know those file should be defined in etc/suricata/??? So try and error made this result and fixed my problem
But now in ubuntu vps config is same but it doesnt log too much
I only install suricata from default repo for any distribution

default-rule-path: /var/lib/suricata/rules


  • suricata.rules
  • /etc/suricata/prv.rules

ok in this ubuntu 22 that i installed suricata 6.0.13 from default repo
will read my prv.rules but it doesnt read suricata.rules in some ways will bypass it after i run:

suricata-update (after enabling sources and enabling them from enable.conf)
suricata -T (no error)
suricatasc -c reload-rules (this command will get time to complete in dedicated server centos 8 stream with 6 cores cpu but in this 4 cores cpu vps it doesnt get any time under second its done)

centos result:
suricatasc -c ruleset-stats
{“message”: [{“id”: 0, “rules_loaded”: 49680, “rules_failed”: 0}], “return”: “OK”}

ubuntu result with same config:
suricatasc -c ruleset-stats
{“message”: [{“id”: 0, “rules_loaded”: 10, “rules_failed”: 0}], “return”: “OK”}

so there is not any idea ?

Please post your config files and the full suricata.log. Otherwise it’s hard to debug.