Suricata 5.0.3 in IPS mode for DoS

I have a problem with IPS mode: the stats record (tail -f eve.json | jq -c 'select(.stats) | .stats.ips') shows blocked, and the action 'drop' is detected in fast.log. I use the drop action to drop the packet … but when I look at the network traffic with Wireshark, the hping3 packets keep coming and the bandwidth remains high.

[screenshot: SYN flood detected]

[screenshot: network traffic with Wireshark when I test hping3]

I use NFQueue and iptables:
sudo iptables -I INPUT -p tcp -j NFQUEUE
sudo iptables -I OUTPUT -p tcp -j NFQUEUE

My rule: drop tcp any any -> any any (msg: "HPING3 DDoS attack"; flags: S; flow: stateless; classtype:attempted-dos; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)

Is there something wrong?

Actually, I want to use the IPS in NIPS mode.

You could try to remove the threshold from the rule.

How does your suricata.yaml look like?

suricata.yaml: attached as suricata.yaml (69.9 KB)

How do I remove the threshold from the rule?

drop tcp any any -> any any (msg: “HPING3 DDoS attack”; flags: S; flow: stateless; classtype:attempted-dos;  sid:1000001; rev:1;)

I get an error when starting Suricata:

30/8/2020 – 03:57:49 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - invalid formatting to msg keyword: value must be double quoted ‘msg’
30/8/2020 – 03:57:49 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “drop tcp any any -> any any (msg: “HPING3 DDoS attack”; flags: S; flow: stateless; classtype:attempted-dos; sid:1000001; rev:1;)” from file /var/lib/suricata/rules/hping.rules at line 1

syntax: sudo suricata -c /etc/suricata/suricata.yaml -q 0

That's most likely a copy-paste error from the forum to the rule file with the quotes; you need to change that manually in that case.

The result is the same as above: network traffic in Wireshark remains high.

Is something wrong in my suricata.yaml or in the iptables configuration?

Please describe your setup a bit more in detail. From where do you start the hping to which target? Is it correctly forwarded to the NFQUEUE? Where do you capture?


I test hping3 against the Suricata IPS on Ubuntu.
The iptables configuration on the Suricata host:

sudo iptables -I FORWARD -j NFQUEUE
sudo iptables -I INPUT -p tcp  -j NFQUEUE
sudo iptables -I OUTPUT -p tcp -j NFQUEUE

I capture network traffic with Wireshark on the Suricata IPS host on Ubuntu.

How do you run Wireshark? If you capture on the interface it's quite clear why you still see it, because that's before it hits the netfilter queue.

So what should I do about this?

Is it true that if the action in the eve.json log is "blocked", the packet is totally blocked?

I guess you translated my quote so just assuming you’re referring to my last one.

If the packet is logged as dropped it won't be accepted and the verdict is set. That's after it passed the iptables chains and ends up in Suricata where it's either accepted or dropped (compared to iptables rules).
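Since a capture on the interface sees packets before the netfilter queue, the verdicts are better checked in eve.json itself. The following Python script is an added example (not from this thread or the Suricata project): it reads eve.json lines, takes the ips counters from the newest stats record, computes how much blocked/accepted grew since the previous record, and tallies alert and drop events by action and sid. The sample lines are constructed; the field names follow Suricata's eve.json stats, alert and drop records.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (assumed, not taken from the thread); the
# field names follow Suricata's eve.json "stats", "alert" and "drop" records.
SAMPLE_EVE = """\
{"timestamp":"2020-08-30T03:58:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","alert":{"action":"blocked","signature_id":1000001,"signature":"HPING3 DDoS attack"}}
{"timestamp":"2020-08-30T03:58:00.000100+0000","event_type":"drop","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","alert":{"action":"blocked","signature_id":1000001,"signature":"HPING3 DDoS attack"}}
{"timestamp":"2020-08-30T03:58:00.000200+0000","event_type":"alert","src_ip":"192.0.2.11","dest_ip":"192.0.2.20","alert":{"action":"allowed","signature_id":1000002,"signature":"constructed alert-only test rule"}}
{"timestamp":"2020-08-30T03:58:08.000000+0000","event_type":"stats","stats":{"uptime":8,"ips":{"accepted":1532,"blocked":412,"rejected":0,"replaced":0}}}
{"timestamp":"2020-08-30T03:58:16.000000+0000","event_type":"stats","stats":{"uptime":16,"ips":{"accepted":1710,"blocked":980,"rejected":0,"replaced":0}}}
"""

def summarize_eve(lines):
    """Return a dict: 'ips' = counters from the newest stats record (cumulative),
    'delta' = growth of accepted/blocked since the previous stats record,
    'alerts' = Counter keyed by (action, signature_id), 'drops' = drop events."""
    stats_seen, alerts, drops = [], Counter(), 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # half-written line while the file is being tailed
        et = ev.get("event_type")
        if et == "stats" and "ips" in ev.get("stats", {}):
            stats_seen.append(ev["stats"]["ips"])
        elif et == "alert":
            a = ev.get("alert", {})
            alerts[(a.get("action"), a.get("signature_id"))] += 1
        elif et == "drop":
            drops += 1
    delta = {}
    if len(stats_seen) >= 2:
        prev, cur = stats_seen[-2], stats_seen[-1]
        delta = {k: cur[k] - prev[k] for k in ("accepted", "blocked")}
    return {"ips": stats_seen[-1] if stats_seen else None,
            "delta": delta, "alerts": alerts, "drops": drops}

def verdicts_are_dropping(summary):
    """True while the 'blocked' counter keeps rising, i.e. Suricata is still
    returning DROP verdicts to netfilter rather than only logging alerts."""
    return summary["delta"].get("blocked", 0) > 0

if __name__ == "__main__":
    s = summarize_eve(SAMPLE_EVE.splitlines())
    print(s["ips"], s["delta"], dict(s["alerts"]), s["drops"], verdicts_are_dropping(s))
```

Run it against a live file with `summarize_eve(open("/var/log/suricata/eve.json"))`; a rising blocked count with matching "blocked" alerts means the verdicts are applied, even though a capture on the ingress interface still shows the SYNs arriving.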