Suricata config problem IPS

Hi Com!

I am glad there is a Com here for help! I’ve seen there are some other threads with a kinda similar problem, but there is no thread that specifically covers my setup and the options I’ve already tried, so I hope it's okay to open a personalized one for mine.

I would like to set up Suricata as IPS, I tried now several options, configs and YouTube Tutorials but I am not able to get it running. Hopefully you can help me out!

General Infos:

System:

  • Ubuntu Server on an HPE ProLiant DL120 Gen 9
  • 2x 10GB Ethernet Ports specific for IPS
  • 2x Mgmt Ports for acting beside the IPS Ports

Suricata:

  • Version 7.0.7
  • Rules are the current ones obtained with suricata-update. I would like to get the system running first, then add some specific rules. From what I researched, these rules are usable for a basic setup

Planned with ufw:

  • Version 0.36.2

Planned Network Setup:

  • The Ubuntu Server has one interface (ens3f1) going from the server to my switch, on which my internal network is managed.
  • The Ubuntu Server has another interface (ens3f0) connected to my router.
  • There is a DHCP and DNS server running on the internal network, which sets some static IPs for my servers as well as for the IPS

I tried until now:

For everything below I’ve temporarily disabled ufw.

  1. Setting up the IPS on Layer 2 like in the documentation, with both interfaces in the af-packet section. I did the exact same basic setup as written in the documentation, of course just with the names of my interfaces. By checking systemctl status suricata, I could see it running in IDS mode.
  2. Setting up iptables NFQUEUE, activating system forwarding and trying to configure Suricata there. iptables was set up with iptables -I FORWARD -i ens3f1 -o ens3f0 -j NFQUEUE --queue-num 0 as well as for the other direction. Suricata was started with suricata -c /etc/suricata/suricata.yaml -q 0, and nothing happened. NFQ mode in the yaml was accepted, as were the options directly below it in different combinations (since I’ve seen several options, I tried a few of them); LISTENMODE was set to nfqueue.
  3. I set up a bridge between these two interfaces and tried the af-packet config there; nothing brought the software into IPS mode.

To start learning more about how it works, I would prefer the simplest setup in my mind, which is using af-packet. In the attachment you may have a look at my yaml. If I’ve got the correct information, there is no forwarding or other bridge needed if I configure af-packet with both interfaces, since Suricata takes care of the bridging. Also I read that the interfaces don't need an IP, so I changed this too (I tried with and without IP). LISTENMODE is configured with af-packet; nothing else was changed in the default Suricata config.
I am not sure whether it is a problem that my router gets its static IP from the DHCP or not.

Just let me know if you need any other configs or information; I will post them soon.

Greetings
suricata.yaml (84.1 KB)
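For reference, this is what a two-interface af-packet inline (IPS) fragment for the interfaces named above looks like. It is an added illustration, not the attached suricata.yaml and not copied from the Suricata project; the interface names come from the post, while thread counts, cluster-ids and buffer settings are assumptions.

```yaml
# suricata.yaml fragment: Layer-2 inline bridging of ens3f0 <-> ens3f1 via AF_PACKET.
# Interface names are from the post above; thread counts and cluster-ids are assumed values.
af-packet:
  - interface: ens3f0          # router side
    threads: 2
    cluster-id: 99             # must be unique per interface entry
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no             # keep v3 off for inline copy mode
    copy-mode: ips             # "ips" enforces drop rules; "tap" would only copy frames
    copy-iface: ens3f1         # every frame accepted here is re-sent on the peer interface
  - interface: ens3f1          # switch / internal LAN side
    threads: 2
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: ens3f0         # the pair must point at each other, both in copy-mode ips
```

Start it from the shell with suricata -c /etc/suricata/suricata.yaml --af-packet (no -i, so both entries are used) and check the startup messages in suricata.log for IPS rather than IDS mode; without copy-mode and copy-iface on both entries Suricata only sniffs and reports IDS mode.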

Hi there,

thanks for sharing all that info.

Could you please share the output you get when you run Suricata, along with the command used?

Sometimes some of the log messages can help us.

Good Morning from Germany!

I am not sure what has changed this morning, but something did. Yesterday I was not even able to access the Internet through this server; this morning it is possible, and I changed nothing since yesterday. I attached some screenshots.

I am not sure if it’s working now or not. In my sysctl screenshot you can see Suricata running in IDS. In the fast.log you can see there is an ICMP drop. So is it running in IPS now?

Do you need any further logs? Tell me which ones, and I will act as fast as possible.

Thanks a lot!

Provide the suricata.log file in that case to see the full log.