[SOLVED] Process migrating from IDS to IPS

Dear all,

on my nginx server, I installed suricata.
It works fine - as long as I use it as an IDS.

Now, I try to understand the migration process IDS → IPS

First, I tried the iptables way:

#!/bin/bash
iptables -I FORWARD -j NFQUEUE

Of course, I started suricata using “-q 0”
However, no more detections! suricata stays silent.

In my /etc/suricata/suricata.yaml, I use:

nfq:
  mode: accept
  fail-open: yes

Then, I tried the nftables way:

#!/usr/sbin/nft -f

#
# table declaration (the chain below cannot be added before its table exists)
#
add table ip filter

#
# chain declaration
#
add chain ip filter IPS { type filter hook forward priority 10;}

#
# rule declaration (no queue number given, so packets go to queue 0)
#
add rule ip filter IPS queue

Yet again, suricata stays silent.

In IDS mode, it works as requested.
In IPS mode, it just stays silent.

Anyone able to give me a helping hand?
Which part didn’t I understand correctly?

Kind regards,

Looks like when I use

iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE

instead of

iptables -I FORWARD -j NFQUEUE

suricata works as expected.
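Added example, not part of the thread above: the reason the FORWARD-hook rules stayed silent is that nginx terminates connections on the box itself, so those packets traverse the input and output hooks, never forward (forward only sees packets routed through the host). The script below, written for this thread and not taken from Suricata's documentation, picks the hooks by role, prints an nftables ruleset that sends them to NFQUEUE 0 (matching "suricata -q 0"), and checks an existing ruleset for a queue rule on every hook the role needs. Assumptions: ip family, table name "filter", queue number 0, and the "bypass" flag (kernel accepts packets when nothing is attached to the queue, i.e. fail-open at the netfilter layer); the sample rulesets at the bottom are constructed for the check.

```shell
#!/bin/bash
# Added example (not the original poster's code). Assumes nftables, ip family,
# table "filter", queue 0, and that fail-open at the netfilter layer is wanted.

# Which hooks see the traffic?
#   host   -> services running on this box (nginx): input + output
#   router -> traffic passing through this box: forward
hooks_for_role() {
  case "$1" in
    host)   echo "input output" ;;
    router) echo "forward" ;;
    *)      echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Print an 'nft -f' style ruleset queueing every hook of the role to NFQUEUE.
# "bypass" (assumption: desired) lets packets through if no program is attached
# to the queue, e.g. while suricata is restarting.
nft_ruleset() {
  local role="$1" queue="${2:-0}" hook
  echo "add table ip filter"
  for hook in $(hooks_for_role "$role"); do
    echo "add chain ip filter ips_${hook} { type filter hook ${hook} priority 10; policy accept; }"
    echo "add rule ip filter ips_${hook} counter queue num ${queue} bypass"
  done
}

# verify_ruleset ROLE RULESET_TEXT
# Returns 0 only if, for every hook the role needs, the chain bound to that hook
# contains a queue rule. Works on 'nft list ruleset' output or on the 'add ...'
# form printed by nft_ruleset.
verify_ruleset() {
  local role="$1" text="$2" hook
  for hook in $(hooks_for_role "$role"); do
    printf '%s\n' "$text" | awk -v h="$hook" '
      /type filter hook/    { inchain = ($0 ~ ("hook " h " ")) }   # entering a base chain
      /^[[:space:]]*}/      { inchain = 0 }                         # leaving a chain block
      inchain && /queue/    { found = 1 }                           # queue rule in the right chain
      END                   { exit found ? 0 : 1 }' || return 1
  done
  return 0
}

# Constructed sample of 'nft list ruleset' output for a host-role setup.
SAMPLE_HOST_RULESET='table ip filter {
	chain ips_input {
		type filter hook input priority filter + 10; policy accept;
		counter packets 0 bytes 0 queue flags bypass to 0
	}
	chain ips_output {
		type filter hook output priority filter + 10; policy accept;
		counter packets 0 bytes 0 queue flags bypass to 0
	}
}'

# Constructed sample mirroring the original post: forward hook only.
SAMPLE_FORWARD_ONLY='table ip filter {
	chain IPS {
		type filter hook forward priority filter + 10; policy accept;
		queue to 0
	}
}'

# Usage when run directly: print the ruleset for a host and check it.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  nft_ruleset host
  if verify_ruleset host "$SAMPLE_FORWARD_ONLY"; then
    echo "forward-only ruleset covers host traffic (unexpected)"
  else
    echo "forward-only ruleset does NOT cover host traffic: suricata would stay silent"
  fi
fi
```

Load the generated ruleset with "nft -f" (or pipe it into "nft -f -"), then run "nft list ruleset | verify" before starting suricata with "-q 0"; a missing hook shows up as a failed check instead of as silence in the alert log.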