Suricata 5.0.3 in IPS mode

[image: the network scenario]

I have a problem: I want to use the IPS type NIPS. I used the scenario above and I configured iptables: sudo iptables -I FORWARD -j NFQUEUE

As for the rules that I use, as follows:
drop tcp any any -> any any (msg: "HPING3 DDoS attack"; flags: S; flow: stateless; classtype: attempted-dos; sid: 1000001; rev: 1;)

I attack my web server with hping3 and LOIC. In fast.log it detects the drop, and in eve.json the action status is also "blocked" when I attack. But my web server is down (connection timed out), and when I stop the attacks my web server is normal again.

What should I do about it?

It's because this rule drops every packet where the SYN flag is set (so more or less every SYN packet).

So what rule is suitable in this case? Remove the flag?
And is my iptables configuration suitable for that scenario?

No, you want to make the rule more precise so that it is a true positive and not a false positive. You want to detect hping but not block legit traffic.

Besides that I would argue that DDoS protection is better done at netfilter level or even before.

Since the traffic is blocked, this iptables part looks fine, but it also depends on your whole chain.
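One way to make the posted rule "more precise" in the sense described in this reply is to rate-limit it with detection_filter, so only a source sending an abnormal number of SYNs gets dropped instead of every SYN. This is an added example, not the poster's rule or anything from the Suricata project; $HOME_NET, the ports 80/443 and the count/seconds values are assumptions about the setup and should be tuned to the real baseline.

```suricata
# Original rule (as posted): matches every TCP SYN, so in IPS mode it drops the
# first packet of every legitimate handshake and the web server looks down.
# drop tcp any any -> any any (msg:"HPING3 DDoS attack"; flags:S; flow:stateless; classtype:attempted-dos; sid:1000001; rev:1;)

# Rate-limited version (assumed values): SYNs toward the web server are only
# dropped once a single source address has sent more than 200 of them within
# one second. Below that rate nothing matches, so normal clients connect.
drop tcp any any -> $HOME_NET [80,443] (msg:"Possible SYN flood against web server"; flags:S; flow:stateless; detection_filter:track by_src, count 200, seconds 1; classtype:attempted-dos; sid:1000001; rev:2;)
```

Tracking by_src only works while the flood comes from a stable set of source addresses; if the sources are randomized the counter never accumulates per address, and switching to track by_dst would rate-limit all clients of the server at once, which is the same outage the original rule caused and is why the reply points to netfilter-level or upstream protection for volumetric floods.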

It seems that netfilter is not working, maybe because I am using a gateway scenario. Suricata and my server are on the same network. Suricata captures all real-time logs on the same network. I tried the iptables drop-on-INPUT configuration like this:
#iptables -A INPUT -s (Attacker IP) -p icmp -j DROP
#iptables -A INPUT -s (Attacker IP) -p tcp -j DROP
#iptables -A INPUT -s (Attacker IP) -p udp -j DROP

But the chain only drops packets directed at the attached Suricata host, not at the server. Suricata is only a bridge between the attacker and the server, not a gateway. Are there drop rules suitable for this case?
I've also tried the INPUT/OUTPUT chains, but they just get skipped.

I want to try NIPS.