I have a problem: I want to use the IPS type NIPS. I used the scenario above and I configured iptables: sudo iptables -I FORWARD -j NFQUEUE
As for the rules that I use, as follows:
drop tcp any any -> any any (msg:"HPING3 DDoS attack"; flags:S; flow:stateless; classtype:attempted-dos; sid:1000001; rev:1;)
I attack my webserver with hping3 and LOIC. In fast.log it detects drop, and in eve.json the action status is also "blocked" when I attack, but my webserver is down (connection timed out), and when I stop the attacks my webserver is normal again.
It seems that netfilter is not working, maybe because I am using a gateway scenario. Suricata and my server are on the same network; Suricata captures all real-time logs on the same network. I tried iptables to drop on the INPUT chain like this:
# iptables -A INPUT -s (Attacker IP) -p icmp -j DROP
# iptables -A INPUT -s (Attacker IP) -p tcp -j DROP
# iptables -A INPUT -s (Attacker IP) -p udp -j DROP
But the chain only drops packets addressed to Suricata itself, not to the server. Suricata is only a bridge between the attacker and the server, not a gateway. Are there drop rules suitable for this case?
I've also tried the INPUT and OUTPUT chains, but they just get skipped.
If you are using the INPUT chain as above, change the policy to the FORWARD chain. The INPUT chain is the policy that is handled when accessing the server where iptables is installed.
If you want to detect DDoS from an attack tool like hping, it is appropriate to set a threshold or something similar, or additionally use other conditions, such as flowbits.
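As an added illustration of the two points in this reply (FORWARD chain instead of INPUT, and a threshold on the rule), not code from the thread or from the Suricata project: the script below checks whether a Linux bridge hands IPv4 frames to iptables at all (on a bridge the FORWARD chain, and therefore NFQUEUE, only sees bridged traffic when net.bridge.bridge-nf-call-iptables is 1, which requires the br_netfilter module), prints the FORWARD -> NFQUEUE command, and rewrites the poster's hping3 rule with a threshold so that single SYNs are not dropped. The queue number 0, the count/seconds values and rev:2 are assumptions chosen for the example; the knob path is a parameter so the check can be run against a test file.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the bridge/iptables hand-off,
# emits the FORWARD -> NFQUEUE rule and a rate-limited drop rule.

# Return 0 when bridge-nf-call-iptables is 1, 1 when it is 0, 2 when the knob
# is absent (br_netfilter not loaded or no bridge present). The path is a
# parameter (assumption for testability); default is the real sysctl file.
bridge_nf_enabled() {
    knob="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$knob" ] || return 2
    read -r val < "$knob"
    [ "$val" = "1" ]
}

# The iptables command that queues forwarded packets to Suricata.
# --queue-bypass lets packets through when nothing listens on the queue,
# so a Suricata restart does not blackhole the bridge (a design choice here).
forward_nfqueue_cmd() {
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s --queue-bypass\n' "${1:-0}"
}

# The poster's rule with a threshold: drop only once one source has sent
# more than $count SYNs within $seconds seconds (values are assumptions).
threshold_syn_rule() {
    count="${1:-100}"
    seconds="${2:-10}"
    printf 'drop tcp any any -> any any (msg:"HPING3 DDoS attack"; flags:S; flow:stateless; threshold:type both, track by_src, count %s, seconds %s; classtype:attempted-dos; sid:1000001; rev:2;)\n' "$count" "$seconds"
}

main() {
    case "$(bridge_nf_enabled; echo $?)" in
        0) echo "bridge-nf-call-iptables=1: bridged IPv4 traverses the FORWARD chain" ;;
        1) echo "bridge-nf-call-iptables=0: enable with: sysctl -w net.bridge.bridge-nf-call-iptables=1" ;;
        *) echo "knob missing: modprobe br_netfilter, or no bridge exists on this host" ;;
    esac
    echo "# iptables rule for the inline box:"
    forward_nfqueue_cmd 0
    echo "# rate-limited rule for local.rules:"
    threshold_syn_rule 100 10
}

main "$@"
```

Run it on the Suricata box itself: if the knob reads 0 or is missing, the FORWARD chain never sees the bridged attack traffic, whatever rule is loaded.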
I have no problem with my rules, because when I try the host scenario (not the gateway scenario) with the same rule, Suricata works well: Suricata drops the packet using the rule (I see the packet drop in fast.log) and the web server works normally.
My problem is that I see the packet drop in fast.log and action blocked in eve.json, but the web server is down.
I still haven't found a solution to the problem; I hope in this discussion I can fix it, thanks.