Suricata 6.0.0 IPS-mode inline

I have a problem with IPS mode when I try to demo a TCP SYN flood attack with hping3.
When I use the command:
hping3 -S -P 192.168.159.8 -i u1000
That's Suricata's log:


But when I add the option --rand-source:
hping3 -S -P 192.168.159.8 -i u1000 --rand-source
Nothing happens. The packets weren't even sent to Suricata.

Rule I used: drop tcp any any -> any any (msg:"TCP detection"; sid:1000001; rev:1;)
What's wrong?
Thanks a lot.

Hi ngoc, welcome to the community.

I tried to simulate your test environment; however, I adapted your test rule with the extra options below:

drop tcp any any -> any any (msg: "TCP Flood"; threshold: type both, track by_dst, count 200, seconds 1; sid:1000001; rev:1;)

My results:

Could you provide more details of your OS and of how you're sending traffic to Suricata?

I set up Suricata on CentOS 7 following "13. Setting up IPS/inline for Linux — Suricata 6.0.2 documentation", with iptables and NFQ.
The iptables rule (default):

When I run Suricata as an IDS it still shows the normal log,
so I think there is something wrong with the transport of packets from iptables to Suricata. But I don't know why.

I may be wrong, I'm not a Linux guy (my setup is FreeBSD), but based on your first message you're trying to flood the IPS host itself, not a network behind it (I guess). Try sending traffic to Suricata via the INPUT/OUTPUT chains, as the documentation shows.

sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE

Do you run hping3 on the same machine as Suricata? You could add an iptables -j LOG target before the NFQUEUE jump to ensure the packets are seen, for debugging.
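The setup and debugging check suggested in the reply above, as an added example that is not part of the thread or of the Suricata documentation. It installs a LOG rule in front of the NFQUEUE jump on INPUT and OUTPUT (the chains a flood aimed at the host itself traverses, rather than FORWARD) and then reads the iptables counters of each chain to show where the hping3 traffic actually went. Assumptions: Suricata 6 is started against queue 0 (`suricata -c /etc/suricata/suricata.yaml -q 0`, the iptables default queue), the script runs as root on the flooded host, the `-m limit` rate on the LOG rule is a value I chose so a 1000 pps flood does not drown the kernel log, and the `iptables -L` output embedded at the bottom is constructed so the parsing helpers can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread. Wires the local host into Suricata's
# NFQUEUE on INPUT/OUTPUT with a LOG rule ahead of the NFQUEUE jump, then
# reads the per-chain counters to see which chain the flood traversed.
# Assumes: Suricata running with `-q 0`, root on the flooded host.

# Install LOG + NFQUEUE at the top of INPUT and OUTPUT. Both rules are
# inserted at position 1, NFQUEUE first, so the final order is LOG, then
# NFQUEUE. NFQUEUE is a terminating target, so LOG must come before it.
# The 20/s limit is an assumed value chosen to keep syslog readable.
nfq_setup_local() {
    for chain in INPUT OUTPUT; do
        iptables -I "$chain" 1 -j NFQUEUE
        iptables -I "$chain" 1 -m limit --limit 20/s \
            -j LOG --log-prefix "nfq-$chain: "
    done
}

# Remove exactly what nfq_setup_local added (safe to run twice).
nfq_teardown_local() {
    for chain in INPUT OUTPUT; do
        iptables -D "$chain" -j NFQUEUE 2>/dev/null
        iptables -D "$chain" -m limit --limit 20/s \
            -j LOG --log-prefix "nfq-$chain: " 2>/dev/null
    done
}

# Parse `iptables -L <chain> -v -n -x` output on stdin and print the exact
# packet counter of the first rule whose target is $1 (0 if absent).
# With -x, column 1 is the packet count and column 3 the target name;
# the first two lines are the chain header and the column header.
target_pkts() {
    awk -v tgt="$1" '
        NR > 2 && $3 == tgt { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Print 1 if the LOG rule is listed above the NFQUEUE rule, else 0.
# A LOG rule below NFQUEUE never fires, so this catches the wrong order.
log_before_nfq() {
    awk '
        $3 == "LOG" && !l { l = NR }
        $3 == "NFQUEUE" && !n { n = NR }
        END { r = (l && n && l < n) ? 1 : 0; print r }'
}

# After running hping3, show the NFQUEUE counters per chain. When the
# host is the target, INPUT climbs and FORWARD stays at 0; when a network
# behind the host is the target, FORWARD climbs instead.
nfq_report() {
    for chain in INPUT FORWARD OUTPUT; do
        printf '%-8s NFQUEUE pkts: %s\n' "$chain" \
            "$(iptables -L "$chain" -v -n -x | target_pkts NFQUEUE)"
    done
}

# Constructed sample of `iptables -L INPUT -v -n -x` output, so the
# parsing helpers above can be checked without touching the real firewall.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     240      14400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 20/sec burst 5 LOG flags 0 level 4 prefix "nfq-INPUT: "
   12000     720000 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0'

case "${1:-}" in
    setup)    nfq_setup_local ;;
    report)   nfq_report ;;
    teardown) nfq_teardown_local ;;
esac
```

Run it as `sh nfq-check.sh setup`, start the hping3 flood, then `sh nfq-check.sh report`; a zero INPUT counter with a non-zero FORWARD counter (or zero everywhere) says the packets never reached the NFQUEUE rule on the chain Suricata is listening behind, which is a netfilter routing problem rather than a Suricata rule problem. The `dmesg` lines with the `nfq-INPUT:` prefix show the same thing per packet, rate-limited.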