Hi, im new here, if im doing something wrong pls let me know;
I’ve succesfully setup Suricata as IPS with AF-PACKET in this way:
Internet <-> router <-> suricata <-> swicth to my lan
everything work and suricata detect any “attack” in fast.log but is not actually blocking it, it is only showed as alarm but not blocked, why?
Hi, can you show an example of a rule that triggered and you thing should have dropped the traffic?
Thia one for example is the result of a test attack i did
09/26/2021-15:31:09.716478 [] [1:2400001:3022] ET DROP Spamhaus DROP Listed Traffic Inbound group 2 [] [Classification: Misc Attack] [Priority: 2] {TCP} 42.169.49.121:55226 → 192.168.1.250:0
09/26/2021-15:31:09.728897 [] [1:2400013:3022] ET DROP Spamhaus DROP Listed Traffic Inbound group 14 [] [Classification: Misc Attack] [Priority: 2] {TCP} 143.49.59.206:55370 → 192.168.1.250:0
Suricata pop this alert in fast.log but do nothing to stop the attack
Did you set the action (drop) on the signature?
Yes,i used suricata-update with modify.conf to change from alert to drop and verified by myself in suricata.rules, in fact many attacks are blocked but this hping3 flood still can get throught suricata and hit my “victim” device
Can you share version and configuration file of Suricata?
Is this hping3 flood exactly shown in the fast.log?
sorry for late reply, it was my misconfiguration.
I have encountered a similar problem. Can you tell me where did you configure it wrong?