Suricata cannot detect attack traffic going to the server

Hello all, I have a problem

I have a server and Suricata on the same network but on different devices. I did a DoS SYN flood attack on the Suricata IP and it was detected, but when I did a DoS SYN flood attack on the server IP, Suricata could not detect the attack on the server.

Thank you for your response and help

Can you add more context to your setup? What version are you using, what config file, what ruleset, how do you start/run Suricata?
Do you run it in IDS or IPS mode? If in IDS mode, did you ensure that the traffic forwarding is working, so that you see the traffic mirrored to the Suricata instance?

Suricata version 7.0.6, rules: DoS SYN Flood.


Where can I see whether traffic forwarding is working or not?
Thanks

Do you have the right network mask?
What do you have in your log? Where is the log stored?


I save the log in /var/log/suricata/fast.log

I tried attacking the Suricata host and it was successful and the log went to /var/log/suricata/fast.log, but when I attacked the server on a different device, Suricata couldn't detect it and the attack didn't go to /var/log/suricata/fast.log.

My service file is like this:

[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
# Capture interface is given once, via --af-packet=ens33. The original line also
# carried --engine-analysis, which makes Suricata analyse the ruleset and exit
# instead of running as a sniffer, so it is dropped here.
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet=ens33
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
# Opening AF_PACKET sockets as a non-root user needs these capabilities
# (added here as an assumption; the posted unit had none).
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
WorkingDirectory=/usr/suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log

[Install]
WantedBy=multi-user.target

Do you have suricata.log or suricata_error.log?
Regards

Yes, I have suricata.log, but I don't have suricata_error.log.
When I add the service file and restart Suricata, the Suricata server cannot SSH and cannot connect to other IPs on the same network.

You said the server is another device, do you have any packet forwarding setup like a mirroring from a switch or TAP/PacketBroker?

You can run tcpdump on the Suricata machine and check if you actually see a copy of the traffic that is sent from and to the server machine.
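The check above, written out as an added example (it is not from the thread or the Suricata project). The point it demonstrates: on a switched LAN a sensor host only receives frames addressed to its own MAC plus broadcast and flooded frames, so a SYN flood aimed at the sensor's own IP shows up in fast.log while one aimed at another host never reaches ens33 unless a switch mirror port or TAP delivers it. The script counts pure SYNs toward the server on the capture interface during a bounded window; the interface name ens33, the server address 192.0.2.10 and the embedded tcpdump lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: does the Suricata sensor actually receive a copy of the
# server's traffic?  Run it on the sensor while the SYN flood is in progress:
#   sh check_mirror.sh live
# Assumptions (not from the original thread): capture interface ens33,
# server at 192.0.2.10, tcpdump installed on the sensor.
IFACE="${IFACE:-ens33}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"
WATCH_SECONDS="${WATCH_SECONDS:-10}"

# Count pure SYNs (Flags [S], not the SYN/ACK [S.] reply) whose destination is
# the server, from "tcpdump -nn" text on stdin.  Prints the count.
count_server_syns() {
    awk -v ip="$1" '
        index($0, " > " ip ".") > 0 && /Flags \[S\],/ { n++ }
        END { print n + 0 }'
}

# Turn the count into a verdict: a flood is running, so zero SYNs toward the
# server over the window means no mirror/TAP is delivering the server's traffic
# to this interface.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo "NO_MIRROR"
    else
        echo "MIRROR_OK"
    fi
}

# Live check: capture for a bounded window on the sensor interface.  No -p,
# because promiscuous mode is exactly what af-packet needs; the BPF filter
# keeps only traffic to or from the server.
check_mirroring() {
    n=$(timeout "$WATCH_SECONDS" tcpdump -nn -i "$IFACE" "host $SERVER_IP" 2>/dev/null \
        | count_server_syns "$SERVER_IP")
    echo "SYNs toward $SERVER_IP seen on $IFACE in ${WATCH_SECONDS}s: $n"
    verdict "$n"
}

# Confirm the interface is in promiscuous mode (af-packet sets this; a missing
# PROMISC flag while Suricata runs means it is not capturing on this interface).
iface_promisc() {
    ip -o link show "$1" 2>/dev/null | grep -q PROMISC
}

# Constructed tcpdump output for an offline self-check: two SYNs to the server,
# one SYN/ACK from it, and one SYN to a different host.
SAMPLE_CAPTURE='12:00:00.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 2, ack 2, win 64240, length 0
12:00:00.000003 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:00.000004 IP 198.51.100.7.40003 > 192.0.2.20.80: Flags [S], seq 1, win 512, length 0'

case "${1:-}" in
    live) check_mirroring ;;
    *)    printf '%s\n' "$SAMPLE_CAPTURE" | count_server_syns "$SERVER_IP" ;;
esac
```

If the live run reports NO_MIRROR while the flood tool is clearly sending, Suricata has nothing to inspect, and no rule or threshold setting will change that; the fix is on the switch (mirror the server port to the sensor port) or with a TAP, not in suricata.yaml.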

If I use a MikroTik, can you give me the configuration?

I'm not familiar with those in detail; you would have to look up the MikroTik documentation for that or consult their support.

After I run this service file, I am disconnected from the local network.

Are you on a virtual machine, on VirtualBox from Oracle, VMware Workstation, or ESXi from VMware (Broadcom)? I have the same problem.
Report the problem on the following sites:
_ https://networkmanager.dev/community/
_ https://launchpad.net/ubuntu

And if there is an update on one of the sites, report the update to the other site; if you do not do it, I will do it for you.
Tell us where you posted the messages on the different sites as soon as it is done.
Also report this problem apart from the forum we are currently on, by creating a new topic.

regards

I forgot something! If you are on VirtualBox you must join the Oracle community site, and if you are on VMware, you must join the Broadcom VMware community site.

https://community.broadcom.com/groups/communities/community-home/digestviewer?communitykey=de920a2c-eec2-4432-a3a9-dd2e1114284f&tab=digestviewer