Fast.log entry/entries

Hi. I’m new to this IPS thing, so sorry if my question is in the wrong section.
I installed Suricata with some default rules and added the free sources.
It look likes Suricata works because of overnight entries in de fast.log:

02/03/2021-10:03:34.940777 [] [1:2024916:1] ET EXPLOIT Netgear DGN Remote Command Execution [] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 185.238.128.19:51652 → 192.168.5.22:80

I searched for this one in the ruleset (/etc/suricata/rules) and found it in emerging-exploit.rules and sid-msg.map

The rule says:
alert http any any → $HOME_NET any (msg:“ET EXPLOIT Netgear DGN Remote Command Execution”; flow:to_server,established; content:"/setup.cgi?next_file="; nocase; http_uri; content:"&todo=syscmd&cmd="; nocase; distance:0; http_uri; content:“currentsetting.htm”; nocase; fast_pattern; http_uri; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:1; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)

So is this rule only an alert? So it is not blocked?
If it is not blocked, How do block these kind of rules? I tried to find some answers in the documentation, but couldnt find it. My guess is I didn’t look good enough though But anyway I’ll still like to block such attempts in the future.

Thanks

I am probably not the most competent to answer but I will give you my opinion.

When we look at the general rule structure, the first word states the action of the rule. The most basic ones are:

• pass
• alert
• drop

As you can see, in your triggered rule the first word is alert. It just makes a statement for you to see but executes no action against the packet. More on this can be found in the chapter 6.1. Rules Format — Suricata 6.0.0 documentation.

During your installation you probably downloaded the default ruleset - Emerging Threats Open via suricata-update tool. This ruleset is focused on intrusion detection setups and not intrusion prevention setups(IPS). This can be seen in the installed ruleset as almost no rule has the “drop” keyword.

It might be tempting to convert all alert actions to drop but I would be doubtful about this as it would lead to blocking the traffic severely. I would say your best bet is to look for IPS ruleset and replace or update your existing ruleset.

How did you configure Suricata? By default it’s not in the IPS mode but IDS. See 13. Setting up IPS/inline for Linux — Suricata 7.0.0-dev documentation for more details

Thank you both for answering. I have the IPS part running, but the real puzzle was de drop.conf file. I thought suricata-update was just an update for the rules, but it does so much more. So I missed the suricata-update and the drop.conf config file. In the mean time I have a nice IPS up and running. That is, I do see these kind of log entries.

“02/17/2021-07:17:57.699579 [Drop] [**] [1:5000345:1613489402] ETN AGGRESSIVE IPs Group 345 [* *] [Classification: Misc Attack] [Priority: 2] {TCP} 104.206.128.50:54860 → 192.168.5.22:443”

I assume this means the incomming traffic is realy dropped.