How to test Suricata-IDS in IPS mode?

I installed the Suricata-IDS from source code on CentOS 8 with the command below:

# ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-geoip

And the content of the /etc/sysconfig/suricata file is:


You can see more information about my installation and configuration on thread.
Suricata-IDS has the rules below:

I want to test Suricata-IDS to ensure that it can protect my server.
I ran the command below, but Suricata-IDS failed to protect my server:

$ sudo hping3 -c 10000 -d 120 -S -w 64 -p 22 --flood "IP"

I would be thankful if anyone could show me a way to test the Suricata-IDS configuration and how it can protect my server.

Thank you.

What does this log mean? Can it mean my IPS working properly?

Counter                                       | TM Name                   | Value
decoder.pkts                                  | Total                     | 15309
decoder.bytes                                 | Total                     | 16231733
decoder.ipv4                                  | Total                     | 15309
decoder.tcp                                   | Total                     | 14767
decoder.udp                                   | Total                     | 520
decoder.icmpv4                                | Total                     | 22
decoder.avg_pkt_size                          | Total                     | 1060
decoder.max_pkt_size                          | Total                     | 1400
flow.tcp                                      | Total                     | 26
flow.udp                                      | Total                     | 318
tcp.sessions                                  | Total                     | 25
tcp.syn                                       | Total                     | 26
tcp.synack                                    | Total                     | 1
tcp.rst                                       | Total                     | 4
app_layer.flow.http                           | Total                     | 1
app_layer.tx.http                             | Total                     | 1
app_layer.flow.failed_udp                     | Total                     | 318
ips.accepted                                  | Total                     | 15308
flow_mgr.new_pruned                           | Total                     | 79
flow.spare                                    | Total                     | 10010
flow_mgr.flows_checked                        | Total                     | 22
flow_mgr.flows_notimeout                      | Total                     | 15
flow_mgr.flows_timeout                        | Total                     | 7
flow_mgr.flows_removed                        | Total                     | 7
flow_mgr.rows_checked                         | Total                     | 65536
flow_mgr.rows_skipped                         | Total                     | 65502
flow_mgr.rows_empty                           | Total                     | 13
flow_mgr.rows_maxlen                          | Total                     | 2
tcp.memuse                                    | Total                     | 2293760
tcp.reassembly_memuse                         | Total                     | 397312
http.memuse                                   | Total                     | 96
flow.memuse                                   | Total                     | 7553024

Can anyone interpret this log for me?

How are you running suricata?
Can you post the complete command if you are running suricata from the command line?

I used a tutorial.

Any idea?
What does that log mean?

This is the statistics logfile, see for more details. The log tells you how many packets have been passed to Suricata and what flows have been seen, with a breakdown at the app-layer level.

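As an added example (not from this thread or the Suricata project), a small Python parser for the stats.log counter table quoted above. It reports the IPS verdict counters; it assumes the counter names ips.accepted and ips.blocked, which Suricata maintains when it runs in NFQUEUE IPS mode, so a table with ips.accepted but no ips.blocked line means nothing was dropped.

```python
"""Parse a Suricata stats.log counter table and summarise the IPS verdict counters."""
import re

# Constructed sample: an excerpt of the stats.log block quoted in the thread.
SAMPLE_STATS = """\
Counter                                       | TM Name                   | Value
decoder.pkts                                  | Total                     | 15309
decoder.tcp                                   | Total                     | 14767
tcp.sessions                                  | Total                     | 25
ips.accepted                                  | Total                     | 15308
"""

# counter.name | TM Name | integer value  (the header row has no numeric value, so it is skipped)
LINE_RE = re.compile(r"^\s*(?P<counter>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Return {counter_name: value} for one stats.log counter block."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("counter")] = int(m.group("value"))
    return counters


def ips_summary(counters):
    """Summarise the IPS verdicts. ips.accepted counts packets Suricata let
    through, ips.blocked counts packets it dropped; if neither counter is
    present at all, Suricata is not issuing verdicts (i.e. not in IPS mode)."""
    accepted = counters.get("ips.accepted", 0)
    blocked = counters.get("ips.blocked", 0)
    return {
        "packets": counters.get("decoder.pkts", 0),
        "accepted": accepted,
        "blocked": blocked,
        "ips_mode": "ips.accepted" in counters or "ips.blocked" in counters,
        "dropped_any": blocked > 0,
    }


if __name__ == "__main__":
    print(ips_summary(parse_stats(SAMPLE_STATS)))
```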

How can I see how many attacks have been blocked by Suricata-IDS?

# tail /var/log/suricata/fast.log
09/21/2020-10:46:32.637836  [**] [1:2402000:5630] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":6000
09/21/2020-10:46:32.637836  [**] [1:2403388:59287] ET CINS Active Threat Intelligence Poor Reputation IP group 89 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":6000
09/21/2020-10:47:53.212951  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} -> "Server IP Address":1433
09/21/2020-10:48:13.392643  [**] [1:2403329:59287] ET CINS Active Threat Intelligence Poor Reputation IP group 30 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":6000
09/21/2020-10:48:25.114830  [**] [1:2403390:59287] ET CINS Active Threat Intelligence Poor Reputation IP group 91 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":12002
09/21/2020-10:49:43.785522  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} -> "Server IP Address":1433
09/21/2020-10:49:45.111657  [**] [1:2403378:59287] ET CINS Active Threat Intelligence Poor Reputation IP group 79 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":7777
09/21/2020-10:49:46.779574  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} -> "Server IP Address":1433
09/21/2020-10:51:24.083897  [**] [1:2402000:5630] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":17595
09/21/2020-10:55:15.344186  [**] [1:2403375:59287] ET CINS Active Threat Intelligence Poor Reputation IP group 76 [**] [Classification: Misc Attack] [Priority: 2] {TCP} -> "Server IP Address":143

Does nobody know the meaning of this log?

For ET rules you can search by SID. Here is the result for 2402000:

These rules are generated from datasets outside of ET. For example, the ET DROP Dshield block list has this description:

Dshield Top Attackers This ruleset takes a daily list of the top attackers reported to Dshield and converts them into Snort signatures…

So you should look into the DShield project to learn more. I’ve seen legitimate traffic trigger these, such as NTP, and other stuff. So they are indicators, but how actionable they are depends on you and your risk profile.

Thus, Suricata-IDS is running and has blocked some attacks?

It did detect, not block, those events (doesn’t have to be an attack). This is only possible if you run it in IPS mode and have converted the alert rules to drop.

I’m running Suricata-IDS in IPS mode.
What does “converted the alert rules to drop” mean? Must I open all rules and convert every “alert” to “drop”?

It’d be helpful to review the rules format –

Rules are split into 3 pieces

  1. Action (drop, alert, or pass)
  2. Header (protocol, ip address(es), ports)
  3. Options (additional qualification values to determine if the packet/flow/whatever match)

So rules that specify alert will provide notification; those labeled drop will drop matching packets (applies to IPS mode only).


Thank you.
Consider “app-layer-events.rules” file. Its content is:

# App layer event  rules
# SID's fall in the 2260000+ range. See
# These sigs fire at most once per connection.
# A flowint applayer.anomaly.count is incremented for each match. By default it will be 0.
alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)
alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)
alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)
alert ip any any -> any any (msg:"SURICATA Applayer Protocol detection skipped"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)
# alert if STARTTLS was not followed by actual SSL/TLS
alert tcp any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;)
# unexpected protocol in protocol upgrade
alert tcp any any -> any any (msg:"SURICATA Applayer Unexpected protocol"; flow:established; app-layer-event:applayer_unexpected_protocol; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260005; rev:1;)

#next sid is 2260006

If I change all “alert” to “drop”, will it be OK?
Can I use the “Find and Replace” feature in an editor to do it? Some rules are long and have been messed up.

Make sure there are no unintended changes to the rules – note that Suricata will not load rules with syntax or structural issues – suricata.log (and the console, if available) will contain information about rules that couldn’t be loaded.

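As an added example (not from this thread or the Suricata project), a Python converter that applies the three-part rule format described above (action, header, options) to the alert-to-drop change: it rewrites only the leading action word, leaves comment lines untouched, and reports lines that do not parse instead of altering them, which is the check the previous reply asks for. The regex and the sample input, built from the app-layer-events.rules excerpt plus one deliberately broken line, are constructed for this example.

```python
"""Convert Suricata 'alert' rules to 'drop' by rewriting only the action field."""
import re

# Constructed sample: two rules and a comment from the thread's app-layer-events.rules
# excerpt, plus one deliberately broken rule whose options are never closed.
SAMPLE_RULES = """\
# App layer event  rules
alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)
# alert if STARTTLS was not followed by actual SSL/TLS
alert tcp any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260004; rev:2;)
alert tcp any any -> any any (msg:"broken rule, options never closed"; sid:2260099; rev:1;
"""

# action  header = proto src sport <dir> dst dport  (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s+"
    r"\((?P<options>.*)\)\s*$"
)


def parse_rule(line):
    """Return (action, header, options) or None when the line is not a well-formed rule."""
    m = RULE_RE.match(line)
    return (m.group("action"), m.group("header"), m.group("options")) if m else None


def alert_to_drop(text):
    """Rewrite 'alert' rules as 'drop'. Blank and comment lines pass through unchanged,
    only the leading action word is replaced (so 'alert' inside a msg string is safe),
    and lines that fail to parse are returned separately for manual inspection."""
    out, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        parsed = parse_rule(stripped)
        if parsed is None:
            bad.append((n, line))  # do not emit it: Suricata would refuse to load it anyway
            continue
        action, header, options = parsed
        out.append(f"{'drop' if action == 'alert' else action} {header} ({options})")
    return "\n".join(out) + "\n", bad


if __name__ == "__main__":
    converted, errors = alert_to_drop(SAMPLE_RULES)
    print(converted, end="")
    for n, line in errors:
        print(f"line {n} not converted: {line[:60]}...")
```

After converting, reload Suricata and check suricata.log for the count of rules loaded, since the unparsed lines reported here are exactly the ones it will reject.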

Thank you.
My current rules are:

# ls /etc/suricata/rules/
app-layer-events.rules          emerging-shellcode.rules
botcc.portgrouped.rules         emerging-trojan.rules
botcc.rules                     emerging-worm.rules
decoder-events.rules            files.rules
detect-dos.rules                http-events.rules
dhcp-events.rules               ipsec-events.rules
dnp3-events.rules               kerberos-events.rules
dns-events.rules                modbus-events.rules
drop.rules                      nfs-events.rules
dshield.rules                   ntp-events.rules
emerging-attack_response.rules  smb-events.rules
emerging-deleted.rules          smtp-events.rules
emerging-exploit.rules          stream-events.rules
emerging-malware.rules          tls-events.rules
emerging-mobile_malware.rules   tor.rules

For a LAMP server, which of these rules are harmless for testing?

If you want to test specific attacks, you should pick the rules that would match them. If you just want to test running it overall, you should include the default set provided by ET or start with a run for each file.