Suricata 6.0.0 IPS-mode inline

I have a problem with ips mode when i try to demo TCP SYN flood attack by hping3
When i use command:
hping3 -S -P -i u1000.
That’s Suricata’s log

But when I add option --rand-source:
hping3 -S -P -i u1000 --rand-source
Nothing happen. The packet wasn’t even sent to suricata.

Rule i used: drop tcp any any → any any (msg: “TCP detection”; sid:1000001; rev:1;)
What wrong
Tks a lot

Hi ngoc, welcome to the community.

I tried to simulate your test environment, however I adapted your test rule with extra options as below:

drop tcp any any -> any any (msg: "TCP Flood"; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)

My results:

You could provide more details of your OS and how you’re sending traffic to suricata.

I set up Suricata on Centos7 following 13. Setting up IPS/inline for Linux — Suricata 6.0.2 documentation with iptables and NFQ
That iptables’ rule (default):

When I run suricata as IDS it still shows the normal log.
so I think there is something wrong with the transport of packets from iptables to Suricata. But I don’t know why.

I may be wrong, I’m not a linux guy (my set up is FreeBSD), however based on your first message, you’re trying to flood the IPS host, not a network behind it (I guess). Try to send traffic to suricata via INPUT/OUTPUT chain as the documentation shows.

sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE

Do you run the hping on the same machine as you run suricata? you could add iptables -j LOG target before the NFQUEUE jump to ensure the packets are seen for debugging.