I’m new to Suricata. I followed the official document, then ran into some confusing problems.
I modified suricata.yaml to load only my custom rules:
default-rule-path: /etc/suricata/rules
rule-files:
  - local.rules
drop icmp any any -> any any (msg:"DROP ICMP 8"; itype:8; sid:4294967294; rev:1;)
Then ran it:
suricata -c /etc/suricata/suricata.yaml -i enp0s18 -v
<Notice> - This is Suricata version 6.0.1 RELEASE running in SYSTEM mode
<Info> - CPUs/cores online: 16
<Info> - SSSE3 support not detected, disabling Hyperscan for MPM
<Info> - SSSE3 support not detected, disabling Hyperscan for SPM
<Info> - Found an MTU of 1500 for 'enp0s18'
<Info> - Found an MTU of 1500 for 'enp0s18'
<Info> - fast output device (regular) initialized: fast.log
<Info> - eve-log output device (regular) initialized: eve.json
<Info> - stats output device (regular) initialized: stats.log
<Info> - SSSE3 support not detected, disabling Hyperscan for SPM
<Info> - 1 rule files processed. 1 rules successfully loaded, 0 rules failed
<Info> - Threshold config parsed: 0 rule(s) found
<Info> - 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
<Info> - Going to use 16 thread(s)
<Info> - Using unix socket file '/var/run/suricata-command.socket'
<Notice> - all 16 packet processing threads, 4 management threads initialized, engine started.
<Info> - All AFP capture threads are running.
I tried to ping this server, and the logs were printed as expected:
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
But at the client side, ping gets responses, which should be dropped or rejected.
From what I learned with iptables, drop should make the client time out, so why?
So I’m confused; am I misunderstanding something important?
I found a similar topic but no answer in it.
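The check a practitioner would run before anything else is to look at the `action` field inside each eve.json alert: Suricata writes `"allowed"` when a rule matched but the packet was passed, and `"blocked"` when it was dropped inline. Started with only `-i <iface>`, as in the command above, Suricata runs AF_PACKET in passive (IDS) mode and can only observe traffic, so a `drop` rule produces an alert with `"action":"allowed"` and the echo request still reaches the host; dropping requires an inline deployment (AF_PACKET with `copy-mode: ips` and a `copy-iface`, or NFQUEUE via `iptables -j NFQUEUE` and `suricata -q 0`). The script below is an added example, not code from the original post or from the Suricata project; the eve.json records in it are constructed to model the poster's rule (sid 4294967294) firing on an ICMP echo request in each mode, and the function and file names are assumptions.

```python
import json
import sys
from collections import defaultdict

# Constructed eve.json records (not captured from the poster's host). Both sets
# model the drop rule from the post (sid 4294967294) matching an ICMP echo
# request. The first set is what a passive run (suricata -i <iface>) logs: the
# alert fires with action "allowed". The second is what an inline run logs.
IDS_MODE_LINES = [
    '{"timestamp":"2021-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"ICMP","icmp_type":8,'
    '"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":4294967294,'
    '"rev":1,"signature":"DROP ICMP 8","category":"","severity":3}}',
    '{"timestamp":"2021-01-01T00:00:05.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"ICMP"}',
    '{"timestamp":"2021-01-01T00:00:06.0',  # partial line, as tail -f can emit
]
IPS_MODE_LINES = [
    '{"timestamp":"2021-01-01T00:01:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"ICMP","icmp_type":8,'
    '"icmp_code":0,"alert":{"action":"blocked","gid":1,"signature_id":4294967294,'
    '"rev":1,"signature":"DROP ICMP 8","category":"","severity":3}}',
]


def summarize_alert_actions(lines):
    """Per signature id, count alerts Suricata reported as 'allowed' (matched,
    packet passed) versus 'blocked' (matched, packet dropped inline)."""
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0, "signature": ""})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip partial records (tail -f mid-write, rotated file)
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        action = alert.get("action")
        if action not in ("allowed", "blocked"):
            continue
        entry = summary[alert.get("signature_id")]
        entry[action] += 1
        entry["signature"] = alert.get("signature", "")
    return dict(summary)


def unenforced_drop_sids(lines):
    """Signature ids whose alerts are only ever 'allowed': the rule fired but no
    packet was dropped, which is what a passive (-i) deployment produces for a
    drop rule. Returns a sorted list of signature ids."""
    summary = summarize_alert_actions(lines)
    return sorted(sid for sid, e in summary.items()
                  if e["allowed"] > 0 and e["blocked"] == 0)


if __name__ == "__main__":
    # Against a real log: python3 check_drops.py < /var/log/suricata/eve.json
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else IDS_MODE_LINES
    for sid, e in summarize_alert_actions(lines).items():
        print(f"sid {sid} ({e['signature']}): "
              f"allowed={e['allowed']} blocked={e['blocked']}")
    for sid in unenforced_drop_sids(lines):
        print(f"sid {sid}: alerts only, nothing dropped; for a drop rule this "
              f"means the engine is not running inline")
```

Run against a live eve.json, a drop rule that reports only `allowed` alerts confirms the engine is observing rather than enforcing; once Suricata is started inline the same rule logs `blocked` and the client-side ping times out as expected.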