Suricata does not drop or reject packets


I’m new to Suricata; I followed the official documentation.

Then I ran into some confusing problems:

I modified suricata.yaml so that only my custom rules are loaded:

default-rule-path: /etc/suricata/rules
rule-files:
  - local.rules

# /etc/suricata/rules/local.rules
drop icmp any any -> any any (msg:"DROP ICMP 8"; itype:8; sid:4294967294; rev:1;)

Then I ran it:

suricata -c /etc/suricata/suricata.yaml -i enp0s18 -v

<Notice> - This is Suricata version 6.0.1 RELEASE running in SYSTEM mode
<Info> - CPUs/cores online: 16
<Info> - SSSE3 support not detected, disabling Hyperscan for MPM
<Info> - SSSE3 support not detected, disabling Hyperscan for SPM
<Info> - Found an MTU of 1500 for 'enp0s18'
<Info> - Found an MTU of 1500 for 'enp0s18'
<Info> - fast output device (regular) initialized: fast.log
<Info> - eve-log output device (regular) initialized: eve.json
<Info> - stats output device (regular) initialized: stats.log
<Info> - SSSE3 support not detected, disabling Hyperscan for SPM
<Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
<Info> - Threshold config parsed: 0 rule(s) found
<Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
<Info> - Going to use 16 thread(s)
<Info> - Using unix socket file '/var/run/suricata-command.socket'
<Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
<Info> - All AFP capture threads are running.

I tried to ping this server, and the alerts were logged as expected:

tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

But on the client side, the ping gets a response, which should have been dropped or rejected.

From what I learned with iptables, a drop should make the client time out, so why not here?

So I’m confused. Am I misunderstanding something important?

I found a similar topic, but it had no answer.


First of all, 6.0.1 is old; please update to the most recent version (6.0.10 as of today).

If you want to drop or reject, you need to run in IPS mode instead of IDS mode. The way you currently run it, Suricata is passively monitoring the traffic.

Depending on your setup there are two options to look into: 13. Setting up IPS/inline for Linux — Suricata 6.0.0 documentation

So you either need at least two interfaces for the AF_PACKET IPS mode or leverage the netfilter NFQUEUE feature.
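For readers following this thread: below is an added example of what the AF_PACKET inline (IPS) configuration from the linked documentation looks like, written for the poster's setup. It is not configuration from the thread or from the Suricata project itself. It assumes a second interface named enp0s19 (hypothetical) that Suricata bridges with enp0s18; the rule file is the poster's local.rules.

```yaml
# suricata.yaml excerpt: AF_PACKET IPS mode (added example, not from the thread).
# Suricata copies every packet received on one interface to the other unless a
# rule with the drop/reject action matches, so the box must sit in the path
# between the client and the server. Both interface entries need the same
# thread count and copy-mode, and tpacket-v3 is not supported inline.
af-packet:
  - interface: enp0s18          # interface from the original post
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips              # "ips" honours drop rules; "tap" would only mirror
    copy-iface: enp0s19         # hypothetical second interface
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no
  - interface: enp0s19          # hypothetical second interface
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: enp0s18
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no

default-rule-path: /etc/suricata/rules
rule-files:
  - local.rules                 # contains the poster's "drop icmp" rule
```

With this in place Suricata is started with `--af-packet` instead of `-i enp0s18`, and the ICMP echo request is dropped on the bridge rather than merely alerted on. On a single-interface host such as the one in the question, the NFQUEUE route is the alternative: an iptables rule that sends the traffic to a queue (for example `-j NFQUEUE --queue-num 0` in the INPUT chain for packets addressed to the host itself) and `suricata -c /etc/suricata/suricata.yaml -q 0`, so that the kernel only delivers a packet after Suricata has issued a verdict.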

I see, Thanks!

I installed Suricata from the Debian 11 apt repositories.