Missing 1 piece of the puzzle

AndreSeesink · February 5, 2021, 1:09pm

I just started with Suricata (version 6.0.1) on Ubuntu server.
I do understand what IDS, IPS and iptables are, but there is one piece of the puzzle that I still don’t understand. Oh and I did read the documentation .

Installing Suricata (and after the installation do a suricata-update) makes that there is a default installation. With “suricata-update enable-source” I enabled the non-commercial rulesets. for example “suricata-update enable-source et/open”
The detection is working, because I see entries in the fast.log and eve.json.

Tthe default installation makes it that Suricata is an IDS system. It only alerts. (please correct me if I’m wrong!).

But what puzzles me is how to change a default rule from “alert” to “drop”.

For example. The next entry is in the eve.json file is triggered by my default installation.

{
“timestamp”: “2021-02-05T12:22:52.833975+0000”,
“flow_id”: 1931222203671012,
“in_iface”: “eth0”,
“event_type”: “alert”,
“src_ip”: “192.168.5.22”,
“src_port”: 80,
“dest_ip”: “172.105.77.209”,
“dest_port”: 38937,
“proto”: “TCP”,
“metadata”: {
“flowints”: {
“applayer.anomaly.count”: 1
}
},
“alert”: {
“action”: “allowed”,
“gid”: 1,
“signature_id”: 2260002,
“rev”: 1,
“signature”: “SURICATA Applayer Detect protocol only one direction”,
“category”: “Generic Protocol Command Decode”,
“severity”: 3
},
“http”: {
“http_port”: 0,
“http_method”: “\xaa\xaa\xaa\xaaUUUUUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaa”,
“length”: 327
},
“app_proto”: “http”,
“app_proto_ts”: “failed”,
“flow”: {
“pkts_toserver”: 4,
“pkts_toclient”: 4,
“bytes_toserver”: 298,
“bytes_toclient”: 547,
“start”: “2021-02-05T12:09:18.893412+0000”
}
}

This now is an event_type alert but I would rather have these kind of attacks to be blocked (dropped). So how can a change a default rule that it wil not sent an alert but drop such kind of attacks? Do I simply edit the /var/lib/suricata/rules/suricata.rules file and change the rule from alert to drop?
By enabling iptables a rule will not suddenly block, the rule itself will stay as an alert type.

Be aware that I’m talking about the default set of rules that are deliverd. I have not written the rule by myself!

Can someone enlighten me how this works? How to drop instead of alert.

Thanks.

syoc · February 5, 2021, 5:43pm

The rules need to be edited to use the drop keywod, yes.
I believe suricata-update can do this for you. Have a look at suricata-update - Update — suricata-update 1.2.0 documentation

AndreSeesink · February 5, 2021, 7:41pm

Thanks you. This is indeed what I was looking for. I never imagined that is was in the suricate-update part.

Topic		Replies	Views
Suricata inline IPS on Windows with WinDivert help Help ips , windows	4	1093	September 17, 2021
Unknown rule keyword 'flow.pkts_toclient' Help rules	2	132	February 6, 2024
Rule using http does not matching get request Rules	2	1019	January 18, 2022
Dealing with Spoofed packet Rules community , centos , rules	7	1111	January 27, 2022
Fast.log entry/entries Help ips	3	775	February 17, 2021

Missing 1 piece of the puzzle

Related Topics