Hello there!
I would like to understand my results. I configured Suricata as an IPS with NFQUEUE, and all ICMP packets are dropped (or rejected, as I want). I tried with other protocols such as SSH or HTTP and it seems not to work.
ICMP logs are correct but HTTP or SSH logs aren't; I can't find them, so I guess the packets were accepted.
I’m working on Ubuntu 22.04 with Suricata 6.0.10,
I made a bridge from 2 NICs and I am listening on br0. The bridge is OK and I listen with NFQUEUE, so I don't think the bridge is part of this problem.
For now, I run Suricata manually: sudo iptables -A INPUT -j NFQUEUE --queue-num 0 && sudo iptables -A OUTPUT -j NFQUEUE --queue-num 0 && sudo suricata -c /etc/suricata/suricata.yaml -q 0
Like that, all my ICMP results are good when I reject, alert on or drop them.
HTTP and SSH in alert mode are OK (an alert log is generated) but not in reject or drop mode (nothing is generated and the traffic still passes through).
Here are my rules (I modify them before launching a test, e.g. uncommenting or changing the action / IP / port):
#reject icmp any any -> any any ( msg:"Ping rejeté"; sid:1; )
#drop icmp any any -> any any ( msg:"Ping Droppé"; sid:2; )
#alert icmp any any -> any any ( msg:"Ping loggué"; sid:3; )
#reject http any any -> any any ( msg:"PageWeb rejetée"; sid:4; )
#drop http any any -> any any ( msg:"PageWeb Droppée"; sid:5; )
alert http any any -> any any ( msg:"PageWeb logguée"; sid:6; )
Does anyone know why I get these results?
Thanks a lot and have a nice day!