Is Suricata dropping the packets or blocking the attacker's IP?

Hello friends,

I have followed this tutorial and managed to get started using Suricata in IPS mode.
https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/idps-vnf/ips-mode/nfq.html

What I did is:

  1. created a test rule
    drop http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)
  2. loaded suricata with queue
    suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -D
  3. Added the rules in iptables for incoming and outgoing
    iptables -A INPUT -j NFQUEUE
    iptables -A OUTPUT -j NFQUEUE --queue-num 1
  4. Then I downloaded the file which I created in apache server.
    wget http://<WEB_SERVER_IP>/test

Output of wget:
wget http://192.168.139.98/test
--2021-01-24 23:47:07--  http://192.168.139.98/test
Connecting to 192.168.139.98:80... connected.
HTTP request sent, awaiting response...

In fast.log:
01/24/2021-23:47:06.972269  [Drop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.139.98:80 -> 192.168.139.100:51130

I am unable to download the file which previously I was able to download. Seems like it is dropping the packet after I used Suricata in IPS mode. So, is Suricata able to drop the matching packets only or does it ban/block the attacker’s IP as well like fail2ban? If so, could you share your ideas on how it can be done? Are there any features in Suricata like we can ban/block the attacker’s IP for like an hour or for some amount of time only?

Thank You


Can I ask, I'm new to IDS/IPS and I'm learning about Suricata.
When I read the Rule Options about the "content" option, it says Suricata will match the content in your rules, then check it against the request. In this example, that is your link: wget http://192.168.139.98/test
I don't see any "alarm", so why does it still generate alerts to the terminal?
Thanks for your post!

Yeah sure. I created a test file on the Apache server which contains the word 'alarm'.
I also created a rule that will drop the incoming request if any HTTP traffic with the message "alarm" is detected. That's how the alert is seen in the Suricata fast.log whenever I try to download that test file which has the word "alarm" in it.

Thank You

So you want to drop all packets from IPs triggering some rule?
This is one way to do it.

drop http any any -> any any (msg:"Alarm detected"; content:"Alarm"; nocase; xbits:set, myblocklist, track ip_src, expire 3600; classtype:policy-violation; sid:1; rev:1;)
I have modified your rule by adding the xbits keyword. All IPs triggering the rule will be added to the "myblocklist" IP list for one hour.

drop ip any any -> any any (msg:"Was on block list"; xbits:isset, myblocklist, track ip_src; sid:2; rev:1;)
This rule drops all packets originating from IPs on the “myblocklist” IP list.

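An added example, not code from this thread or from the Suricata project, that replays fast.log lines like the one quoted above and emulates per source IP what the two xbits rules do: sid 1 arms a one-hour timer on the packet's source address, sid 2 only reads it. It assumes the fast.log layout shown in the thread and that each new sid 1 match re-arms the expiry.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"
# fast.log shape seen in this thread: ts [action] [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<action>\w+)\]\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_line(line):
    """Return a dict for one fast.log line, or None if the line does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["sid"] = int(ev["sid"])
    return ev

class XbitsBlocklist:
    """Approximates 'xbits:set, myblocklist, track ip_src, expire 3600' (sid 1):
    every match (re)arms a per-source-IP timer; 'xbits:isset' (sid 2) only reads it."""
    def __init__(self, setter_sid=1, expire_seconds=3600):
        self.setter_sid = setter_sid
        self.expire = timedelta(seconds=expire_seconds)
        self.until = {}  # source IP -> time after which its bit has expired
    def observe(self, ev):
        if ev["sid"] == self.setter_sid:
            self.until[ev["src"]] = ev["ts"] + self.expire
    def is_blocked(self, ip, now):
        """'now' is a datetime or a fast.log-style timestamp string."""
        if isinstance(now, str):
            now = datetime.strptime(now, TS_FMT)
        exp = self.until.get(ip)
        return exp is not None and now < exp

def replay(lines, setter_sid=1, expire_seconds=3600):
    bl = XbitsBlocklist(setter_sid, expire_seconds)
    for ev in map(parse_fast_line, lines):
        if ev is not None:
            bl.observe(ev)
    return bl

# Constructed sample lines in the shape of the fast.log entry quoted in the thread.
SAMPLE_LOG = [
    "01/24/2021-23:47:06.972269  [Drop] [**] [1:1:1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.139.98:80 -> 192.168.139.100:51130",
    "01/24/2021-23:50:12.104455  [Drop] [**] [1:2:1] Was on block list [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.139.98:80 -> 192.168.139.100:51131",
]
```

Note that in the fast.log line quoted at the top of the thread the source is the web server's port 80, so with track ip_src it is 192.168.139.98, the server, that lands on the list rather than the client that requested the file.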

This is great. Thank you @syoc. I have tested it and it worked very well. I was able to block an IP for an hour. I think now I can tweak the rules for what are possible threats and ban them for an hour.

Until now, I have been using Suricata in IDS mode. Now I want to use it in IPS mode. My question is how do I manage a huge queue with nfqueue in a production environment. Do I have to create multithreading in Netfilter? Because I don't want to block the incoming packets if Suricata does not handle them.
Could it be possible to use this in a production environment without hampering any incoming packets?

You can use multiple queues for that, see 13. Setting up IPS/inline for Linux — Suricata 6.0.1 documentation and there is also a bypass option if the queue is not available/too slow.


I will look into multiple queues. Bypass seems a good option when the queue is full or unavailable.
Thank You @Andreas_Herz