Hi everyone.
I am a new Suricata user and now I want to try to block the DoS attack (using LOIC) using these rules:
drop tcp any any -> any 80 (msg:"LOIC"; ttl:128; flow:to_server; flags:PA; threshold:type threshold, track by_dst, count 500, seconds 60; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_04_16, updated_at 2020_04_16;)
Now I still don't know what else I need to configure, because it still can't block the attack.
Please help
Thank you before.
vjulien
(Victor Julien)
April 17, 2020, 1:35pm
Hi Nurchaliza, are you getting alerts for this rule?
If you don't get alerts, do you get alerts for the rule if you remove the threshold condition?
I got the alerts. But it doesn’t stop LOIC.
I mean, maybe there's some configuration that I have to change in suricata.yaml, because the only things I changed in suricata.yaml are HOME_NETWORK and rule-files.
Can you explain your setup in more detail? So which version, how do you run it exactly (command line) and add the config as well?
I followed these steps for installation:
https://kifarunix.com/install-and-setup-suricata-on-ubuntu-18-04/
but I installed Suricata 5.0.2 on my system.
And here is my suricata.yaml configuration:
configuration on $HOME_NETWORK:
configuration on rule-files:
And this is the rules configuration
test-ddos.rules (I used this rule for the LOIC attack)
drop tcp any any -> any 80 (msg:"LOIC"; ttl:128; flow:to_server; flags:PA; threshold:type threshold, track by_dst, count 500, seconds 60; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_04_16, updated_at 2020_04_16;)
hping.rules (and this one is for hping3 attack)
drop tcp any any -> any 80 (msg:"HPING3"; ttl:64; flow:to_server; flags:S; threshold:type threshold, track by_dst, count 100, seconds 5; classtype:attempted-dos; sid:2; rev:1; metadata:created_at 2020_04_17, updated_at 2020_04_17;)
Last, the log (/var/log/suricata/fast.log)
This is my whole configuration.
vjulien
(Victor Julien)
April 18, 2020, 11:31am
The [wDrop] suggests you're not actually using IPS mode. wDrop here means "would drop" (if running in IPS mode). How are you starting Suricata?
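The [wDrop] versus [Drop] distinction above can be checked mechanically rather than by eye. The following script is an added example, not code from this thread or from the Suricata project: it parses fast.log lines in the Suricata 5 format (the sample lines are constructed, with assumed addresses) and reports which drop rules only ever "would drop", which is the signature of a drop rule being evaluated by a Suricata that is not running inline.

```python
import re
from collections import Counter

# Constructed fast.log lines in the Suricata 5 layout: timestamp, optional
# "[Drop]" / "[wDrop]" action tag, "[**] [gid:sid:rev] msg [**] ...".
# Addresses and timestamps are made up for the example.
SAMPLE_FASTLOG = """\
04/18/2020-10:02:11.418901  [wDrop] [**] [1:1:1] LOIC [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:51032 -> 192.168.1.10:80
04/18/2020-10:02:12.001200  [wDrop] [**] [1:2:1] HPING3 [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:1234 -> 192.168.1.10:80
04/18/2020-15:10:03.773420  [Drop] [**] [1:2:1] HPING3 [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.20:1235 -> 192.168.1.10:80
""".splitlines()

FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"                      # timestamp
    r"(?:\[(?P<action>w?Drop)\]\s+)?"       # optional [Drop] / [wDrop]
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"              # rule msg
)


def parse_fastlog(lines):
    """Return (sid, msg, action) tuples; action is 'Drop', 'wDrop' or 'alert'."""
    events = []
    for line in lines:
        m = FASTLOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in fast.log alert format
        events.append((int(m.group("sid")), m.group("msg"), m.group("action") or "alert"))
    return events


def action_summary(events):
    """Map each sid to a Counter of the actions fast.log recorded for it."""
    summary = {}
    for sid, _msg, action in events:
        summary.setdefault(sid, Counter())[action] += 1
    return summary


def wdrop_only_sids(events):
    """Sids that were tagged [wDrop] but never [Drop]: drop rules that are
    only being evaluated, i.e. Suricata is running in IDS mode for them."""
    summary = action_summary(events)
    return sorted(sid for sid, c in summary.items() if c["wDrop"] and not c["Drop"])


if __name__ == "__main__":
    evts = parse_fastlog(SAMPLE_FASTLOG)
    for sid, counts in sorted(action_summary(evts).items()):
        print(f"sid {sid}: {dict(counts)}")
    print("would-drop only (not inline):", wdrop_only_sids(evts))
```

Point it at a real /var/log/suricata/fast.log after switching to IPS mode: the sids reported by wdrop_only_sids should disappear once packets are actually being dropped.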
I used this command:
suricata -c /etc/suricata/suricata.yaml -q 0
How do I make Suricata run in IPS mode? What else do I need to configure? Perhaps there is a reference, because it's hard to find a tutorial for it. Thanks before.
So thank you for your help, everyone.
I already solved this problem by following these steps (of course without changing any rules):
Setting up IPS/inline for Linux
Here is the result in /var/log/suricata/fast.log:
And I used hping3; after you stop hping3 there is information about how many packets were transmitted, received, and lost.
Here is the result:
100% packet loss
vjulien
(Victor Julien)
April 18, 2020, 5:03pm
Great that you got it working! Do you know what made it work?
I changed the af-packet setting in the suricata.yaml file.
Just like I said, I followed the instructions on this page: Setting up IPS/inline for Linux
and now it's working!