Is Suricata dropping the packets or blocking the attacker's IP?

Hello friends,

I have followed this tutorial and managed to get started using Suricata in IPS mode.

What I did is:

  1. created a test rule
    drop http any any → any any (msg:“Alarm detected”; content:“Alarm”; nocase; classtype:policy-violation; sid:1; rev:1;)
  2. loaded suricata with queue
    suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -D
  3. Added the rules in iptables for incoming and outgoing
    iptables -A INPUT -j NFQUEUE
    iptables -A OUTPUT -j NFQUEUE --queue-num 1
  4. Then I downloaded the file which I created in apache server.
    wget http://<WEB_SERVER_IP>/test

Output of wget:
–2021-01-24 23:47:07--
Connecting to… connected.
HTTP request sent, awaiting response…

In fast.log:
01/24/2021-23:47:06.972269 [Drop] [] [1:1:1] Alarm detected [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} →

I am unable to download the file which previously I was able to download. Seems like it is dropping the packet after I used Suricata in IPS mode. So, is Suricata able to drop the matching packets only or does it ban/block the attacker’s IP as well like fail2ban? If so, could you share your ideas on how it can be done? Are there any features in Suricata like we can ban/block the attacker’s IP for like an hour or for some amount of time only?

Thank You

1 Like

Can i ask , i’m new with IDS / ÍPS and im learning about suricata.
When i read Rule Option about “content” option. it says Suricata will match your content in your rules then check with the request. In this example is your link. wget
i dont sêe any “alarm” why it still generates alerts to the terminal ?
Thanks for your post!

Yeah sure. I created a test file in apache server which contains the word ‘alarm’.
I also created a rules that will drop the incoming request if any http traffic which msg “alarm” is detected. That’s how alert is seen in the suricata fast.log whenever I try to download that test file which has the word “alarm” in it

Thank You

So you want to drop all packets from IPs triggering some rule?
This is one way to do it.

drop http any any → any any (msg:“Alarm detected”; content:“Alarm”; nocase; xbits:set, myblocklist, track ip_src, expire 3600; classtype:policy-violation; sid:1; rev:1;)
I have modified your rule adding the xbits keyword. All IPs triggering the rule will be added to the “myblocklist” IP list for one hour.

drop ip any any -> any any (msg:"Was on block list"; xbits:isset, myblocklist, track ip_src; sid:2; rev:1;)
This rule drops all packets originating from IPs on the “myblocklist” IP list.

1 Like

This is great. Thank you @syoc. I have tested it and worked very well. I was able to block an IP for an hour. I think, now I can tweak the rules that are possible threats and ban them for an hour.

Until now, I am using Suricata as IDS mode. Now I want to use it as IPS mode. My question is how do I manage a huge queue with nfqueue in a production environment. Do, I have to create multithreading in Netfilter? Because I don’t want to block the incoming packets if Suricata does not handle it.
Could it be possible to use this in a production environment without hampering any incoming packets?

You can use multiple queues for that, see 13. Setting up IPS/inline for Linux — Suricata 6.0.1 documentation and there is also a bypass option if the queue is not available/too slow.

1 Like

I will look into multiple queues. Bypass seems a good option when the queue is full or unavailable.
Thank You @Andreas_Herz