My problem with IPS mode

Suricata-IDS in IDS mode could block Hping3 flood attacks, but in IPS mode can’t why?

# hping3 -S -p 22 --flood --rand-source "IP"

Any options must be enable?

Thank you.

IDS mode can’t block, only IPS can in general if it matches a rule. Without the exact setup details it’s hard to tell.

Rule is:

alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)

You need to convert the alert action to drop but that rule is not the correct one for that attack it’s just for anomaly.

If you want to write a rule for block the flood attack then how you can write it?

You would try to recreate the attack with a pcap and dig into it to find the proper usage of keywords to match exactly that type of traffic and reduce the false positive rate. The supported keywords can be found at and is also explained in rule writing courses.

1 Like