I don’t know what to do anymore. I’ve tried everything I could find online.
19/8/2020 -- 19:46:01 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
19/8/2020 -- 19:46:07 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern test-ddos.rules
19/8/2020 -- 19:46:08 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 1000001: SYN-only to port(s) 80:80 w/o direction specified, disabling for toclient direction
So nothing is really wrong, it's just giving you a warning that it's only going to apply the rule in one direction. This is probably due to $HOME_NET being any. If you set it to something other than any, the rule won't warn you anymore as it will know the direction.
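To make the reply above concrete, here is an added illustration (not something posted in this thread, and not the poster's actual rule, which is not shown): a suricata.yaml excerpt with HOME_NET narrowed from "any", and a version of sid 1000001 that states its direction explicitly with flow:to_server, which is the missing piece the SC_WARN_POOR_RULE message refers to. The subnet, the threshold values and the classtype are assumptions; the msg, sid and port 80 come from the log lines in this thread. It also assumes test-ddos.rules actually resolves under default-rule-path, because the SC_ERR_NO_RULES warning at startup means the file was not found at all, and a rule that never loads cannot alert regardless of direction.

```text
# --- suricata.yaml (excerpt) ---
# HOME_NET: "any" leaves Suricata unable to tell which side of a flow is
# "home"; an explicit range (assumed value, use your own LAN) fixes that.
vars:
  address-groups:
    HOME_NET: "[192.168.43.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

default-rule-path: /etc/suricata/rules
rule-files:
  - test-ddos.rules        # must exist at /etc/suricata/rules/test-ddos.rules

# --- /etc/suricata/rules/test-ddos.rules ---
# SYN-only rule with direction spelled out (flow:to_server), so the
# "w/o direction specified" warning no longer applies. threshold values
# and classtype are assumed; adjust to the traffic you expect.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Possible DDoS attack"; flags:S; flow:to_server; threshold: type both, track by_dst, count 100, seconds 10; classtype:attempted-dos; sid:1000001; rev:2;)
```

After editing, check that the rule really loaded before testing traffic: run suricata -T -c /etc/suricata/suricata.yaml and confirm there is no SC_ERR_NO_RULES or SC_WARN_POOR_RULE line for sid 1000001, and that the startup output reports one rule loaded from test-ddos.rules. Only then is an empty fast.log a detection question rather than a configuration one.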
When I test the rule with hping3 -S -p 80 --flood --rand-source <IP Address>
and check tail -f /var/log/suricata/fast.log
I get nothing.
It should look like this: 02/05/2019-21:05:20.572970 [**] [1:1000001:1] Possible DDoS attack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.43.149:49876 -> 192.168.43.220:80