Raspberry Pi with Suricata in IPS Mode [Help]

Hello guys, I am new to this community, and I hope that you can guide me. I am a final-year student at my university and am currently doing my project, which involves Suricata.

My project’s setup is basically a router that provides an Internet connection to the Raspberry Pi through its eth0 port, and I set up a wireless interface wlan0 on the Raspberry Pi to act as an access point for my home devices to connect to. Then I installed Suricata on the Raspberry Pi, hoping it would act as an NIDPS so that Suricata would detect and drop the attacks I am going to test, protecting the network behind it. But it didn’t go as planned.

Suricata is able to detect and drop traffic that goes to the Raspberry Pi itself, which to my knowledge is host-based IDPS, but what I want is NIDPS where Suricata acts as a gateway. When I launched my attacks, DoS and SQL injection, Suricata was not able to detect or drop the traffic; the DoS reached the victim connected to the wlan0 of the Raspberry Pi. I used Wireshark to check the traffic. I also used “sudo tail -f /var/log/suricata/fast.log” to view alerts, but nothing came up.

Do note that my Kali Linux VM is also connected to the wlan0 of the Raspberry Pi, the same as the victim.

At first, I thought my configuration was wrong, so I tried to create a simple rule that blocks access to Facebook, shown below.

Suricata was able to detect and drop the traffic when I tried to access Facebook from the victim PC.

I also tried inline mode, AF-PACKET IPS mode as shown in the suricata.yaml (though I have already commented it out), but it is not working either. When using AF-PACKET IPS mode, Suricata indicated that the traffic was dropped, but when I looked in Wireshark, the traffic still came through. I also tested this with an SQL injection attack, and it still works; no blocking occurs.

So right now I am stuck on the problem where Suricata is not able to drop the DoS and SQL injection attacks but is able to drop Facebook traffic using the rule I created.

I am sorry for my limited knowledge of Suricata, as I have only just started to use it, but I will try my best to give all the information you need.

Below are the files you may need.

suricata.yaml (73.3 KB)

How I run Suricata:

  1. Automatically, as shown in the image
  2. Stop Suricata and run “sudo suricata -i wlan0” (can see packets, but wDrop even though it is already running in IPS mode)
  3. Stop Suricata and run “sudo suricata -c /etc/suricata/suricata.yaml -q 0” (nothing, no detection)
  4. Stop Suricata and run “sudo suricata -c /etc/suricata/suricata.yaml --af-packet” (I forgot the exact command, but it was something like this)

I hope someone can help me, and thank you in advance!!

It looks like the routing setup isn’t correct, as the FORWARD chain in iptables has seen no packets. I would suggest getting routing set up correctly first, only then adding Suricata into the mix.

Ah, I’m sorry, that is because I took the screenshot before I had conducted the attack. Below is the aftermath of an attack.

And this is the log after I ran it using sudo suricata -c /etc/suricata/suricata.yaml -i wlan0

192.168.4.1 is the IP of the Raspberry Pi (wlan0)

192.168.4.25 is the IP of the victim

192.168.4.28 is the IP of the attacker

A DoS attack on the Raspberry Pi is dropped by Suricata.

A DoS attack on the victim is wDrop, which to my knowledge means it is not dropped, as Wireshark still shows the traffic coming through.

But Facebook access from the victim is blocked, as you can see from one of the custom rules.

The mix of Drop and wDrop looks strange. Can you post the latest suricata.yaml that you’re using and when it’s running the ps auxfww | grep suricata output?
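As an added example (not code from the thread or from the Suricata project), here is a small Python script that parses fast.log records like the ones discussed above and tallies Drop, wDrop and plain alert verdicts per source/destination pair, so that flows whose drop rules matched without ever being enforced stand out. The log lines, the local sids and the 203.0.113.10 address are constructed; only the 192.168.4.x roles follow the poster's description.

```python
import re
from collections import Counter, defaultdict

# Constructed fast.log sample (not from the thread). Addresses follow the poster's
# description: .1 is the Pi's wlan0, .25 the victim, .28 the attacker; 203.0.113.10
# stands in for the blocked web site and sids 1000001-1000003 are made-up local ids.
SAMPLE_FAST_LOG = """\
01/18/2023-14:23:01.100001  [Drop] [**] [1:1000001:1] LOCAL DoS flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.28:51234 -> 192.168.4.1:80
01/18/2023-14:23:01.200002  [Drop] [**] [1:1000001:1] LOCAL DoS flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.28:51235 -> 192.168.4.1:80
01/18/2023-14:23:05.300003  [wDrop] [**] [1:1000001:1] LOCAL DoS flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.28:51300 -> 192.168.4.25:80
01/18/2023-14:23:05.400004  [wDrop] [**] [1:1000001:1] LOCAL DoS flood [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.28:51301 -> 192.168.4.25:80
01/18/2023-14:24:10.500005  [Drop] [**] [1:1000002:1] LOCAL block facebook [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.25:44000 -> 203.0.113.10:443
01/18/2023-14:24:12.600006  [**] [1:1000003:1] LOCAL SQLi attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.4.28:52000 -> 192.168.4.25:80
"""

# One fast.log record: timestamp, optional [Drop]/[wDrop] verdict, [**] sid [**],
# message, classification/priority, {proto} src:port -> dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<verdict>w?Drop)\]\s+)?\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)


def parse_fast_log(text):
    """Return one dict per parseable line; verdict is Drop, wDrop or alert."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank or malformed lines rather than failing
            ev = m.groupdict()
            ev["verdict"] = ev["verdict"] or "alert"
            events.append(ev)
    return events


def verdicts_by_flow(events):
    """Map (src, dst) -> Counter of verdicts, e.g. {'Drop': 2} or {'wDrop': 2}."""
    flows = defaultdict(Counter)
    for ev in events:
        flows[(ev["src"], ev["dst"])][ev["verdict"]] += 1
    return flows


def unenforced_flows(events):
    """Flows whose drop rules only ever produced wDrop: the rule matched, but
    Suricata was not in a position to drop the packet, so nothing was blocked."""
    return sorted(k for k, c in verdicts_by_flow(events).items()
                  if c["wDrop"] and not c["Drop"])
```

Run against the real /var/log/suricata/fast.log, a non-empty result from unenforced_flows() lists exactly the client-to-client pairs whose traffic Suricata saw but could not block.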