My problem with IPS mode

Hack3rcon · September 18, 2020, 7:16pm

Hello,
Suricata-IDS in IDS mode could block Hping3 flood attacks, but in IPS mode can’t why?

# hping3 -S -p 22 --flood --rand-source "IP"

Why?
Any options must be enable?

Thank you.

Andreas_Herz · September 19, 2020, 8:18pm

IDS mode can’t block, only IPS can in general if it matches a rule. Without the exact setup details it’s hard to tell.

Hack3rcon · September 19, 2020, 10:20pm

Rule is:

alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)

Andreas_Herz · September 19, 2020, 10:23pm

You need to convert the alert action to drop but that rule is not the correct one for that attack it’s just for anomaly.

Hack3rcon · September 20, 2020, 12:46pm

If you want to write a rule for block the flood attack then how you can write it?

Andreas_Herz · September 20, 2020, 2:25pm

You would try to recreate the attack with a pcap and dig into it to find the proper usage of keywords to match exactly that type of traffic and reduce the false positive rate. The supported keywords can be found at https://suricata.readthedocs.io/en/latest/rules/index.html and is also explained in rule writing courses.

Topic		Replies	Views
Configure Suricata as IPS to prevent host from SYN Flood Help ips	24	8331	March 23, 2021
Wanna my suricata ips limit traffic Help ips	2	707	June 14, 2022
Dealing with Spoofed packet Rules community , centos , rules	7	1107	January 27, 2022
Fast.log entry/entries Help ips	3	773	February 17, 2021
How can I write some rules in IPS not just reset http connections Rules ips , rules , suricata	1	470	February 28, 2022

My problem with IPS mode

Related Topics