The IPS does not drop the attacks
Hi,
My French is not very good … does this say: My IPS is not dropping attacks? We’ll need a little more information about what you’re observing.
- Problem statement? What are you observing?
- Suricata version
- Additional details – deployment specifics – as needed to help the team help you with the issue you’re seeing.
Thanks,
Yes, that's it.
Suricata 5.0.2
I have created a network:
Suricata on Ubuntu: 192.168.17.135
Kali Linux: 192.168.17.128
Client: 192.168.17.134
My problem is that when I attack the client with Kali Linux, Suricata does not drop the attack, but when I attack Ubuntu, Suricata works.
And this is the rule configuration:
drop tcp any any -> any 80 (msg:"HPING3"; ttl:64; flow:to_server; flags:S; threshold:type threshold, track by_dst, count 100, seconds 5; classtype:attempted-dos; sid:2; rev:1;)
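As an added illustration (not part of the thread, and not Suricata's own code), here is a Python model of how that rule counts matches. It assumes a simplified reading of threshold:type threshold, track by_dst, count 100, seconds 5: the rule fires on the 100th SYN to port 80 seen for a destination within a 5 second window, the counter then resets, and only the packet that fires is dropped. The traffic is constructed; the IP addresses are the ones given above. It also shows why the same rule does nothing against ICMP echo or a scan that sends a single SYN per port: those packets never satisfy the static part of the rule, so the counter never moves.

```python
"""Offline model of the thresholded drop rule from the thread:

  drop tcp any any -> any 80 (msg:"HPING3"; ttl:64; flow:to_server; flags:S;
      threshold:type threshold, track by_dst, count 100, seconds 5; ...)

Added example, not Suricata's code. The threshold logic is a simplified
reading of 'type threshold, track by_dst' (assumption): the rule fires on the
100th matching packet per destination within a 5 second window, the counter
then resets, and only the packet that fires is dropped.
"""
from dataclasses import dataclass

COUNT = 100      # threshold count
SECONDS = 5      # threshold window in seconds


@dataclass
class Packet:
    ts: float         # seconds since start of capture (constructed data)
    proto: str        # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False
    ttl: int = 64


def rule_matches(p: Packet) -> bool:
    """Static part of the rule: TCP, destination port 80, SYN only, TTL 64.
    'flow:to_server' is approximated by 'SYN towards the server port'."""
    return p.proto == "tcp" and p.dport == 80 and p.syn and p.ttl == 64


class ByDstThreshold:
    """Count matches per destination; fire on the COUNT-th match inside SECONDS."""

    def __init__(self, count: int = COUNT, seconds: float = SECONDS):
        self.count = count
        self.seconds = seconds
        self.state = {}  # dst -> (window_start, matches_so_far)

    def fires(self, p: Packet) -> bool:
        start, n = self.state.get(p.dst, (None, 0))
        if start is None or p.ts - start > self.seconds:
            start, n = p.ts, 0          # first match, or window expired: start over
        n += 1
        if n >= self.count:
            self.state[p.dst] = (None, 0)   # fired: reset for the next window
            return True
        self.state[p.dst] = (start, n)
        return False


def simulate(packets) -> list:
    """Return a verdict ('drop' or 'pass') per packet, in order."""
    th = ByDstThreshold()
    return ["drop" if rule_matches(p) and th.fires(p) else "pass" for p in packets]


def drop_count(packets) -> int:
    return simulate(packets).count("drop")


# Constructed traffic between the lab addresses from the thread
KALI, CLIENT = "192.168.17.128", "192.168.17.134"


def syn_flood(n: int, rate_per_sec: float, dst: str = CLIENT):
    """n SYNs to port 80 at a steady rate, the kind of test the rule's msg names."""
    return [Packet(i / rate_per_sec, "tcp", KALI, dst, 80, syn=True) for i in range(n)]


def syn_scan(ports, dst: str = CLIENT):
    """One SYN per port: only the single port 80 probe can ever match."""
    return [Packet(i * 0.001, "tcp", KALI, dst, port, syn=True) for i, port in enumerate(ports)]


def pings(n: int, dst: str = CLIENT):
    """ICMP echo requests: not TCP, so the rule never matches."""
    return [Packet(i * 1.0, "icmp", KALI, dst) for i in range(n)]


if __name__ == "__main__":
    print("fast SYN flood:", drop_count(syn_flood(250, 1000)))      # 2 (100th and 200th packet)
    print("slow SYNs     :", drop_count(syn_flood(250, 10)))        # 0 (never 100 within 5 s)
    print("SYN scan      :", drop_count(syn_scan(range(1, 1025))))  # 0
    print("pings         :", drop_count(pings(50)))                 # 0
```

The point for the thread: even once traffic is forwarded through the Suricata host, this rule only reacts to a burst of at least 100 SYNs to port 80 within 5 seconds, and only on the packet that crosses the threshold.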
In IPS mode, all traffic must pass through the system running Suricata.
Can you briefly sketch/describe your network topology?
I have 3 virtual machines using NAT and I have specified their IP addresses.
I’m still not sure of your network topology.
Can each system independently connect to the others? Or, is the Suricata system mediating access … that is, traffic from “client” and “Kali Linux” must pass through the Suricata system before reaching the other?
Each system can connect to the other systems independently.
This means that Suricata won’t see the packets that “Kali Linux” sends to “client”.
This gives overview information for setting up an IPS on Linux: https://suricata.readthedocs.io/en/suricata-5.0.2/setting-up-ipsinline-for-linux.html?highlight=ips
Yes; I have just followed this tutorial but it doesn't work, and when I use IDS mode it works perfectly.
So how can I force the traffic to pass through the Suricata system?
How did you configure IPS mode, did you use the NFQUEUE attempt or the AF_PACKET attempt?
We would need more details about your configuration and how you run it, to help you.
It would be nice if you could translate the title and first post to English as well, since most of the users don't speak French and thus might skip the post.
I used NFQUEUE and I have followed the steps in the link above.
Try to add a -j LOG in front of the NFQUEUE to see if the other traffic is actually passing into the QUEUE.
I did not understand… can you explain it better?
In your iptables configuration you should add an additional log target which you can observe later on to see if the traffic that you're missing is actually received.
So for example:
sudo iptables -I FORWARD -j LOG
sudo iptables -I FORWARD -j NFQUEUE
(or NFLOG)
Another option would be to use tcpdump on the interface where you expect the traffic to come in and see if this traffic is seen on the interface, if not you need to work on the traffic forwarding to the ubuntu machine where you run Suricata.
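An added check, not from the thread: once the LOG and NFQUEUE rules are in the FORWARD chain, the per-rule packet counters from iptables -L FORWARD -v -n -x already tell you whether any forwarded traffic reaches this host and whether it is being handed to the queue. The Python below parses that listing and maps the counters to the three situations being distinguished in this thread. The sample listing is constructed (with the LOG rule placed ahead of NFQUEUE in the chain, so it counts every forwarded packet); the live_counters helper, which shells out to iptables, needs root and is not exercised by the offline demo.

```python
"""Read per-rule packet counters from `iptables -L <chain> -v -n -x` and say
whether forwarded traffic is reaching the LOG / NFQUEUE rules.
Added example, not from the thread or the Suricata project."""
import subprocess
from collections import defaultdict

# Constructed sample output for the FORWARD chain after adding a LOG rule and
# an NFQUEUE rule (LOG listed first so it sees every forwarded packet).
SAMPLE_OUTPUT = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1840   128800 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    1840   128800 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""

# Constructed sample for the failure case in the thread: the chain exists but
# nothing is forwarded through this host because the VMs talk directly.
SAMPLE_NO_TRAFFIC = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
       0        0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""


def parse_counters(output: str) -> dict:
    """Return {target: total packets} summed over every rule line in the listing."""
    totals = defaultdict(int)
    for line in output.splitlines():
        fields = line.split()
        # Skip the 'Chain ...' header, the column header and blank lines:
        # rule lines start with the numeric packet counter (-x prints exact numbers).
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        pkts, target = int(fields[0]), fields[2]
        totals[target] += pkts
    return dict(totals)


def diagnose(output: str) -> str:
    """Map LOG / NFQUEUE counters to the situations the thread is trying to tell apart."""
    c = parse_counters(output)
    if "LOG" not in c and "NFQUEUE" not in c:
        return "no LOG/NFQUEUE rules in the chain: add them first"
    log_pkts, queue_pkts = c.get("LOG", 0), c.get("NFQUEUE", 0)
    if log_pkts == 0 and queue_pkts == 0:
        return "no forwarded traffic at all: the hosts are talking directly, not through this machine"
    if queue_pkts == 0:
        return "traffic is forwarded (LOG hit) but never queued: check the NFQUEUE rule and its position"
    return "traffic is queued to NFQUEUE: Suricata sees it, so the rule itself is the next thing to check"


def live_counters(chain: str = "FORWARD") -> dict:
    """Run iptables on this host (needs root). Not used by the offline demo."""
    out = subprocess.run(
        ["iptables", "-L", chain, "-v", "-n", "-x"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_counters(out)


if __name__ == "__main__":
    print(parse_counters(SAMPLE_OUTPUT))
    print(diagnose(SAMPLE_OUTPUT))
    print(diagnose(SAMPLE_NO_TRAFFIC))
```

Run it once against the live chain (live_counters()) before and after generating traffic between the two other machines: if the LOG counter does not move, the forwarding path is the problem, not the Suricata rule, which matches the advice in the reply above.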
I tried tcpdump and I have seen the expected traffic, so I guess that the problem is in my rule.
I want to stop the nmap scan and the ping.