Suricata 5.0.3 in IPS mode

reyss · March 16, 2021, 6:46am

i have a problem, i want to use the ips type NIPS. I used the scenario above and I configured iptables: sudo iptables -I FORWARD -j NFQUEUE

as for the rules that I use as follows:
drop tcp any any → any any (msg: “HPING3 DDoS attack”; flags: S; flow: stateless; classstype: attempted-dos; sid: 1000001; rev: 1;)

i attack my webserver with hping3 and loic. in fast.log it detects drop and in eve.json also the status action is blocked when I attack. but my webserver is down (connection time out) and when i stop attacks to my webserver is normal again

what should i do about it

Andreas_Herz · September 2, 2020, 8:48pm

Its’ because this rule drops every packet where the SYN flag is set (so more or less every SYN packet)

reyss · September 2, 2020, 10:01pm

So what rule is suitable in this case? remove the flag?
and is my iptables configuration suitable for that scenario?

Andreas_Herz · September 3, 2020, 7:45pm

No, you want to make the rule more precise to be a true positive and not a false positive. You want to detect hping but don’t block legit traffic.

Besides that I would argue that DDoS protection is better done at netfilter level or even before.

Since the traffic is blocked this iptalbes part looks fine but also depends on your whole chain.

reyss · September 3, 2020, 8:29pm

it seems that the netfilter is not working, maybe cause I am using a gateway scenario. suricata and my server the same network. suricata captures all realtime logs on the same network. I tried the iptables to drop input configuration like this:
#iptables -A Input -s (Attacker IP) -p icmp -j DROP
#iptables -A Input -s (Attacker IP) -p tcp -j DROP
#iptables –A Input –s (Attacker IP) –p udp –j DROP

but the chain only drops packets pointing to attached suricata, not to the server. suricata is only a bridge between the attacker and the server, not as a gateway. Are there rules drop suitable for this case?
I’ve also tried the input-output chain, but it just gets skipped

i want to try NIPS

Hari_Achmad_Aulia · March 14, 2021, 8:06pm

I have same problem as you, so you have resolved the problem right now?

Please tell me what sould i do to fix this problem, thanks.

Jungho · March 15, 2021, 9:20am

If you are using INPUT chain as above, change the policy to FORWARD chain. The INPUT chain is a policy that is handled when accessing the server where iptables is installed.

If you want to detect DDoS for an attack tool like HPING, it is appropriate to set a threshold or similar threshold or use other conditions additionally, such as flowbits.

Hari_Achmad_Aulia · March 15, 2021, 9:41am

Im use forward chain, but my web server still down after suricata drop the packet using rules

But when i try in the system was installed suricata, the packet drop by suricata using rule and web server is normal

I need to fix the problem, if you are have a solution, please tell me to fix it, thanks

Jungho · March 15, 2021, 9:56am

Which rule was used?
Is there any problem when the rules are not applied?

Hari_Achmad_Aulia · March 15, 2021, 7:27pm

I have no problem with my rules, cause when i try in host scenario (not the gateway scenario) with the same rule, suricata works well, suricata drop the packet using the rule (i see packet drop in fast.log) and web server work normal

My problem is i see the packet drop in fast.log and action blocked in eve.json, but the web server is down

I still haven’t found solution of the problem, hope in discussion i can fix the problem, thanks.