Hello!
I’m new to suricata, I follow the offical document
https://suricata.readthedocs.io/en/suricata-6.0.0/quickstart.html
Then I ran to some confused problems:
I modify the suricata.yaml, Only load my custom rules:
default-rule-path: /etc/suricata/rules
rule-files:
- local.rules
drop icmp any any -> any any (msg:"DROP ICMP 8"; itype:8; sid:4294967294; rev:1;)
Then hit it:
suricata -c /etc/suricata/suricata.yaml -i enp0s18 -v
<Notice> - This is Suricata version 6.0.1 RELEASE running in SYSTEM mode
<Info> - CPUs/cores online: 16
<Info> - SSSE3 support not detected, disabling Hyperscan for MPM
<Info> - SSSE3 support not detected, disabling Hyperscan for SPM
<Info> - Found an MTU of 1500 for 'enp0s18'
<Info> - Found an MTU of 1500 for 'enp0s18'
<Info> - fast output device (regular) initialized: fast.log
<Info> - eve-log output device (regular) initialized: eve.json
<Info> - stats output device (regular) initialized: stats.log
<Info> - SSSE3 support not detected, disabling Hyperscan for SPM
<Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
<Info> - Threshold config parsed: 0 rule(s) found
<Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
<Info> - Going to use 16 thread(s)
<Info> - Using unix socket file '/var/run/suricata-command.socket'
<Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
<Info> - All AFP capture threads are running.
I try to ping this server, And logs printed as expect tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")
But, At client side, ping get resposed. Which should drop or reject.
As the knowlage I learned with iptables, drop should let the client timeout, so why?
So I’m confused, Am I misunderstanding something important?
I found similar topic but no answer with it https://forum.suricata.io/t/suricata-can-drop-pings-but-no-other-packets/2360