Suricata 5.0.2 in IPS mode for DoS

Hi everyone.
I am a new Suricata user and now I want to try to block the DoS attack (using LOIC) using these rules:

drop tcp any any -> any 80 (msg:"LOIC"; ttl:128; flow:to_server; flags:PA; threshold:type threshold, track by_dst, count 500, seconds 60; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_04_16, updated_at 2020_04_16;)

Now I still don’t know what else I need to configure, because it still can’t block the attack.
Please help :slightly_smiling_face:
Thank you before.

Hi Nurchaliza, are you getting alerts for this rule?

If you don’t get alerts, do you get alerts for the rule if you remove the threshold condition?

I got the alerts. But it doesn’t stop LOIC.
I mean, maybe there’s some configuration that I have to change in suricata.yaml, because the only things I changed in suricata.yaml are HOME_NETWORK and rule-files.

Can you explain your setup in more detail? So which version, how do you run it exactly (command line) and add the config as well?

I followed these steps for installation:
https://kifarunix.com/install-and-setup-suricata-on-ubuntu-18-04/

but I installed Suricata 5.0.2 on my system.

And here is my suricata.yaml configuration:

  1. configuration on $HOME_NETWORK :
    suricata.yaml

  2. configuration on rule-files:
    rule-files

And this is the rules configuration:

  1. test-ddos.rules (I used these rules for the LOIC attack)

drop tcp any any -> any 80 (msg:"LOIC"; ttl:128; flow:to_server; flags:PA; threshold:type threshold, track by_dst, count 500, seconds 60; classtype:attempted-dos; sid:1; rev:1; metadata:created_at 2020_04_16, updated_at 2020_04_16;)

  2. hping.rules (and this one is for the hping3 attack)

drop tcp any any -> any 80 (msg:"HPING3"; ttl:64; flow:to_server; flags:S; threshold:type threshold, track by_dst, count 100, seconds 5; classtype:attempted-dos; sid:2; rev:1; metadata:created_at 2020_04_17, updated_at 2020_04_17;)

Last, the log (/var/log/suricata/fast.log)

This is my whole configuration.

The [wDrop] suggests you’re not actually using IPS mode. wDrop here means “would drop” (if running in IPS mode). How are you starting Suricata?

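A way to check a log for the [wDrop] marker the reply above points out, as an added example that is not part of the original thread: it reads fast.log lines and reports whether drop rules were enforced ([Drop]) or only would have been ([wDrop]). The function names are hypothetical and the sample lines are constructed, following the usual fast.log layout.

```python
import re
from collections import Counter

# fast.log: timestamp, optional [Drop]/[wDrop] tag, then [**] [gid:sid:rev] msg [**] ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def summarize(lines):
    """Count entries per (sid, action); action is 'Drop', 'wDrop' or 'alert'."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not look like fast.log entries are skipped
            counts[(int(m["sid"]), m["action"] or "alert")] += 1
    return counts

def enforcement_state(counts):
    """Classify the log: were drop rules enforced inline or only evaluated?"""
    dropped = any(action == "Drop" for _, action in counts)
    would_drop = any(action == "wDrop" for _, action in counts)
    if dropped and would_drop:
        return "mixed"        # e.g. the log spans a restart into IPS mode
    if dropped:
        return "inline"       # packets were really dropped
    if would_drop:
        return "ids-only"     # drop rules matched but nothing was blocked
    return "no-drop-rules"

# Constructed sample lines (documentation addresses, not from the thread's log).
TAIL = "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:2001 -> 192.0.2.20:80"
SAMPLE_IDS = [
    f"04/17/2020-10:15:32.104233  [wDrop] [**] [1:2:1] HPING3 [**] {TAIL}",
    f"04/17/2020-10:15:37.204511  [wDrop] [**] [1:2:1] HPING3 [**] {TAIL}",
    f"04/17/2020-10:16:02.000871  [wDrop] [**] [1:1:1] LOIC [**] {TAIL}",
]
SAMPLE_IPS = [line.replace("[wDrop]", "[Drop]") for line in SAMPLE_IDS]

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_IDS), ("after", SAMPLE_IPS)):
        counts = summarize(sample)
        print(name, enforcement_state(counts), dict(counts))
```

To run it against a real sensor, pass the lines of /var/log/suricata/fast.log to `summarize` instead of the samples.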

I used this command:

suricata -c /etc/suricata/suricata.yaml -q 0

How do I make Suricata run in IPS mode? What else do I need to configure? Perhaps there is a reference, because it’s hard to find a tutorial for it. Thanks before.

So thank you for your help, everyone.
I already solved this problem by following these steps (of course without changing any rules):
Setting up IPS/inline for Linux

Here is the result in /var/log/suricata/fast.log:

And I used hping3; after you stop hping3 there will be information about how many packets were transmitted and received, and the packet loss.
Here is the result:


100% packet loss :slight_smile:


Great that you got it working! Do you know what made it work?

I changed the af-packet settings in the suricata.yaml file.
Just like I said, I followed the instructions on this page: Setting up IPS/inline for Linux

And now it’s working!