Hi
I want to use Suricata as an IPS. However, SSH to/from the Suricata server does not work well.
For example, an SSH connection to the Suricata server from another server disconnects after a short time.
Furthermore, an SSH connection from the Suricata server to another server cannot be established. (Maybe the reply of the SSH connection to the Suricata server from the other server is dropped.)
Suricata runs in IPS mode with the following command. (Actually, Suricata is started by systemctl.)
$ suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -D -vvv
(suricata.yaml is left at its defaults. In addition, I tried running Suricata with no rules.)
And I set the following iptables rule on the Suricata server so that packets are received by Suricata.
$ sudo iptables -I INPUT -j NFQUEUE
$ sudo iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
412 49935 NFQUEUE all -- any any anywhere anywhere NFQUEUE num 0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Do you know how to use SSH to/from the Suricata server with no disconnection?
I observed these issues in two patterns.
[Pattern 1]
Suricata version: 7.0.2 (latest in Ubuntu apt)
OS: Ubuntu 22.04.3 LTS
How I installed suricata: sudo add-apt-repository ppa:oisf/suricata-stable && sudo apt install suricata
[Pattern 2]
Suricata version: 8.0.0-dev (3cb7112aa 2024-01-19)
OS: Ubuntu 22.04.3 LTS
How I installed suricata: cloned the source code with git and built it
Thank you.
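Added example (not from the original poster, and not a statement of what causes their disconnects): a host-protection NFQUEUE rule set of the kind Suricata's own NFQ setup documentation describes, queuing both INPUT and OUTPUT so that Suricata sees both halves of every local flow (the post's listing queues INPUT only), with a management SSH path kept out of the queue so an admin session survives an IPS restart or misfire. The management subnet 192.0.2.0/24, the SSH port 22, queue number 0 and the `ipt` dry-run wrapper are assumptions made for the example; the chains are assumed to be otherwise empty, as in the post's `iptables -vL` output.

```bash
#!/bin/sh
# Added example, not code from the original post. Host-protection NFQUEUE
# rules for Suricata that queue BOTH directions and exempt management SSH.
# Assumptions (not from the post): admin subnet 192.0.2.0/24, SSH on TCP/22,
# queue number 0, INPUT/OUTPUT chains otherwise empty.
set -eu

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"
QUEUE_NUM="${QUEUE_NUM:-0}"

# Wrapper: with IPT_DRY_RUN=1 the rule is printed instead of installed, so
# the set can be reviewed on a machine without root or without iptables.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Install the whole rule set in order. Rules are appended (-A), so the first
# match wins: the SSH exemptions must come before the NFQUEUE catch-alls.
install_rules() {
    # 1. Inbound admin SSH from the management subnet never enters the queue.
    ipt -A INPUT -p tcp -s "$MGMT_NET" --dport "$SSH_PORT" -j ACCEPT
    # 2. Replies from sshd back to the management subnet are exempt as well.
    ipt -A OUTPUT -p tcp -d "$MGMT_NET" --sport "$SSH_PORT" -j ACCEPT
    # 3. Everything else, in BOTH directions, goes to Suricata on queue 0.
    #    Queuing only INPUT shows Suricata one half of every flow, including
    #    outbound SSH from this host and the replies it gets back.
    #    --queue-bypass lets traffic pass when nothing is bound to the queue
    #    (Suricata stopped): that is fail-open; remove it for fail-closed.
    ipt -A INPUT  -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
    ipt -A OUTPUT -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

# Sanity check: number of NFQUEUE rules the set would install (expect 2).
count_nfqueue_rules() {
    ( IPT_DRY_RUN=1; install_rules ) | grep -c -- '-j NFQUEUE'
}

# Sanity check: no SSH exemption may appear after an NFQUEUE rule, or it
# would be shadowed by the catch-all. Exit 0 when ordering is correct.
ssh_exempt_before_queue() {
    ( IPT_DRY_RUN=1; install_rules ) | awk '
        /-j NFQUEUE/ { seen_queue = 1 }
        /--(dport|sport)/ && seen_queue { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage: sh nfq-rules.sh --dry-run   (print rules)   |   sudo sh nfq-rules.sh
if [ "${1:-}" = "--dry-run" ]; then
    IPT_DRY_RUN=1
    install_rules
elif [ "${1:-}" = "--install" ]; then
    install_rules
fi
```

Run it with `--dry-run` first and compare the printed rules against the current `iptables -vL` output; with `--queue-bypass` present, check `iptables -vL` counters after stopping Suricata to confirm you actually want traffic to keep flowing uninspected in that state.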