Suricata 5.0.3 in IPS mode

image

I have a problem: I want to use the IPS type NIPS. I used the scenario above and configured iptables: sudo iptables -I FORWARD -j NFQUEUE

As for the rules I use, they are as follows:
drop tcp any any -> any any (msg:"HPING3 DDoS attack"; flags:S; flow:stateless; classtype:attempted-dos; sid:1000001; rev:1;)

I attack my web server with hping3 and LOIC. In fast.log it detects the drop, and in eve.json the action status is also blocked when I attack. But my web server is down (connection timed out), and when I stop the attacks my web server is normal again.

What should I do about it?

It's because this rule drops every packet where the SYN flag is set (so more or less every SYN packet).

So what rule is suitable in this case? Remove the flag?
And is my iptables configuration suitable for that scenario?

No, you want to make the rule more precise so that it is a true positive and not a false positive. You want to detect hping but not block legitimate traffic.

Besides that, I would argue that DDoS protection is better done at the netfilter level or even before.

Since the traffic is blocked, this iptables part looks fine, but it also depends on your whole chain.

It seems that netfilter is not working, maybe because I am using a gateway scenario. Suricata and my server are on the same network. Suricata captures all real-time logs on the same network. I tried the iptables INPUT drop configuration like this:
#iptables -A INPUT -s (Attacker IP) -p icmp -j DROP
#iptables -A INPUT -s (Attacker IP) -p tcp -j DROP
#iptables -A INPUT -s (Attacker IP) -p udp -j DROP

But the chain only drops packets pointed at the attached Suricata, not at the server. Suricata is only a bridge between the attacker and the server, not a gateway. Are there drop rules suitable for this case?
I've also tried the INPUT/OUTPUT chain, but it just gets skipped.

I want to try NIPS.

I have the same problem as you; have you resolved the problem by now?

Please tell me what I should do to fix this problem, thanks.

If you are using the INPUT chain as above, change the policy to the FORWARD chain. The INPUT chain is the policy that is handled when accessing the server where iptables is installed.

If you want to detect DDoS from an attack tool like hping, it is appropriate to set a threshold or similar, or additionally use other conditions such as flowbits.
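To make the point above concrete, here is an added example (not from the original post or from the Suricata project) that puts the thread's original rule next to a rate-limited variant using Suricata's detection_filter keyword. The $HOME_NET variable, destination port 80, the 100-SYNs-in-10-seconds numbers and sid 1000002 are assumptions; tune the count and window to the normal connection rate of your own web server before running it in drop mode.

```suricata
# Original rule from the thread: "flags:S" matches every TCP SYN, so in IPS mode
# this drops the first packet of every new connection, including legitimate clients.
drop tcp any any -> any any (msg:"HPING3 DDoS attack"; flags:S; flow:stateless; classtype:attempted-dos; sid:1000001; rev:1;)

# Rate-limited variant (added example). detection_filter tracks SYNs per source
# address and only lets the rule fire once that source has sent more than
# "count" matching packets inside "seconds"; after that, further SYNs from the
# same source are dropped for the rest of the window. A normal client that sends
# a handful of SYNs never crosses the threshold, so it is not blocked.
# ASSUMPTION: 100 SYNs / 10 s and port 80 are placeholder values, not a recommendation.
drop tcp any any -> $HOME_NET 80 (msg:"Possible SYN flood from single source"; flags:S; flow:stateless; detection_filter:track by_src, count 100, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
```

A practical way to validate the numbers is to load the second rule with the action set to alert first, watch fast.log and eve.json during normal traffic and during a test from a host you control, and only switch the action to drop once it stops firing on legitimate clients.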

I use the FORWARD chain, but my web server still goes down after Suricata drops the packets using the rules.

But when I try on the system where Suricata is installed, the packets are dropped by Suricata using the rule and the web server is normal.

I need to fix the problem; if you have a solution, please tell me how to fix it, thanks.

Which rule was used?
Is there any problem when the rules are not applied?

I have no problem with my rules, because when I try the host scenario (not the gateway scenario) with the same rule, Suricata works well: Suricata drops the packets using the rule (I see the packet drops in fast.log) and the web server works normally.

My problem is that I see the packet drop in fast.log and the blocked action in eve.json, but the web server is down.

I still haven't found a solution to the problem; I hope in this discussion I can fix the problem, thanks.