Hello,
I have enabled IP forwarding and I ran the following iptables rules:
$ sudo iptables -I FORWARD -i CLIENT -o SERVER -j NFQUEUE
$ sudo iptables -I FORWARD -i SERVER -o CLIENT -j NFQUEUE
$ sudo iptables-save
They have been applied:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i SERVER -o CLIENT -j NFQUEUE --queue-num 0
-A FORWARD -i CLIENT -o SERVER -j NFQUEUE --queue-num 0
Then, I ran the Suricata-IDS:
$ sudo suricata -c /etc/suricata/suricata.yaml -q 0
On the client machine, I ran Nmap and scanned the server. The Suricata-IDS reports are as follows:
# cat /var/log/suricata/suricata.log
[14665 - Suricata-Main] 2023-09-30 02:58:30 Notice: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: cpu: CPUs/cores online: 2
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: exception-policy: master exception-policy set to: auto
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: nfq: NFQ running in standard ACCEPT/DROP mode
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: conf: Running in live mode, activating unix socket
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: logopenfile: fast output device (regular) initialized: fast.log
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[14665 - Suricata-Main] 2023-09-30 02:58:30 Info: logopenfile: stats output device (regular) initialized: stats.log
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: detect: 1 rule files processed. 35168 rules successfully loaded, 0 rules failed
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[14665 - Suricata-Main] 2023-09-30 02:58:32 Info: detect: 35171 signatures processed. 1248 are IP-only rules, 5282 are inspecting packet payload, 28429 inspect application layer, 108 are decoder event only
[14666 - RX-NFQ#0] 2023-09-30 02:58:36 Info: nfq: binding this thread 0 to queue '0'
[14666 - RX-NFQ#0] 2023-09-30 02:58:36 Info: nfq: setting queue length to 4096
[14666 - RX-NFQ#0] 2023-09-30 02:58:36 Info: nfq: setting nfnl bufsize to 6144000
[14665 - Suricata-Main] 2023-09-30 02:58:36 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[14665 - Suricata-Main] 2023-09-30 02:58:36 Notice: threads: Threads created -> RX: 1 W: 2 TX: 1 FM: 1 FR: 1 Engine started.
[14665 - Suricata-Main] 2023-09-30 03:01:23 Notice: suricata: Signal Received. Stopping engine.
[14665 - Suricata-Main] 2023-09-30 03:01:24 Info: suricata: time elapsed 168.442s
[14666 - RX-NFQ#0] 2023-09-30 03:01:25 Notice: nfq: (RX-NFQ#0) Treated: Pkts 3140, Bytes 154036, Errors 0
[14666 - RX-NFQ#0] 2023-09-30 03:01:25 Notice: nfq: (RX-NFQ#0) Verdict: Accepted 3119, Dropped 21, Replaced 0
[14665 - Suricata-Main] 2023-09-30 03:01:25 Info: counters: Alerts: 29
And:
# cat /var/log/suricata/fast.log
09/30/2023-02:59:05.812130 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:135 -> 192.168.1.1:1225
09/30/2023-02:59:53.416463 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49155 -> 192.168.1.1:1294
09/30/2023-02:59:53.418573 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49156 -> 192.168.1.1:1295
09/30/2023-02:59:53.419315 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49154 -> 192.168.1.1:1296
09/30/2023-02:59:53.419342 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49157 -> 192.168.1.1:1297
09/30/2023-02:59:58.394434 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49152 -> 192.168.1.1:1299
09/30/2023-02:59:58.441769 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49153 -> 192.168.1.1:1300
09/30/2023-02:59:59.127572 [**] [1:2200025:2] SURICATA ICMPv4 unknown code [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:8 -> 172.16.1.1:9
09/30/2023-03:00:02.584047 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1303 -> 172.16.1.1:445
09/30/2023-03:00:03.771320 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1304 -> 172.16.1.1:445
09/30/2023-03:00:06.146267 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1306 -> 172.16.1.1:445
09/30/2023-03:00:07.833342 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1307 -> 172.16.1.1:445
09/30/2023-03:00:09.521142 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1308 -> 172.16.1.1:445
09/30/2023-03:00:11.208586 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1309 -> 172.16.1.1:445
09/30/2023-03:00:12.896441 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1310 -> 172.16.1.1:445
09/30/2023-03:00:14.583292 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1311 -> 172.16.1.1:445
09/30/2023-03:00:16.271123 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1313 -> 172.16.1.1:445
09/30/2023-03:00:17.958738 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1314 -> 172.16.1.1:445
09/30/2023-03:00:19.647750 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1315 -> 172.16.1.1:445
09/30/2023-03:00:21.333273 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1316 -> 172.16.1.1:445
09/30/2023-03:00:23.023339 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1317 -> 172.16.1.1:445
09/30/2023-03:00:24.708309 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1318 -> 172.16.1.1:445
09/30/2023-03:00:26.395621 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1319 -> 172.16.1.1:445
09/30/2023-03:00:28.083671 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1320 -> 172.16.1.1:445
09/30/2023-03:00:29.770981 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1321 -> 172.16.1.1:445
09/30/2023-03:00:31.333681 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1322 -> 172.16.1.1:445
09/30/2023-03:00:33.021318 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1323 -> 172.16.1.1:445
09/30/2023-03:00:34.708461 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1324 -> 172.16.1.1:445
09/30/2023-03:00:36.270740 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1325 -> 172.16.1.1:445
Nmap has successfully detected the host:
Does Suricata-IDS work?
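A small triage helper for the fast.log format shown above, added here as an example (it is not part of the original post and not Suricata's own tooling): it parses alert lines, counts them per signature and per host pair, and reports whether every hit came from Suricata's own protocol-event rules (the 22xxxxx SID range, which fire on protocol anomalies such as those an Nmap version scan provokes) rather than from a rule matching a known threat. The sample input reuses four lines from the log above plus one junk line to show that unparseable input is skipped.

```python
import re
from collections import Counter, defaultdict

# One Suricata fast.log alert line, in the layout shown in the post above.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Four lines taken from the fast.log above, plus one junk line (constructed).
SAMPLE_FAST_LOG = """\
09/30/2023-02:59:53.416463 [**] [1:2260000:1] SURICATA Applayer Mismatch protocol both directions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 172.16.1.1:49155 -> 192.168.1.1:1294
09/30/2023-02:59:59.127572 [**] [1:2200025:2] SURICATA ICMPv4 unknown code [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:8 -> 172.16.1.1:9
09/30/2023-03:00:02.584047 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1303 -> 172.16.1.1:445
09/30/2023-03:00:03.771320 [**] [1:2225005:1] SURICATA SMB malformed request dialects [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.1:1304 -> 172.16.1.1:445
not a fast.log line
"""

def parse_line(line):
    """Return a dict for one alert line, or None if it is not in fast.log format."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert

def is_engine_event(sid):
    """Suricata's bundled decoder/app-layer/SMB event rules use SIDs 2200000-2299999;
    they flag protocol anomalies, not a match on a threat signature."""
    return 2200000 <= sid < 2300000

def summarize(text):
    """Aggregate parsed alerts per signature and per (src, dst) host pair."""
    alerts = [a for a in map(parse_line, text.splitlines()) if a is not None]
    per_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    per_pair = defaultdict(lambda: {"alerts": 0, "dports": set(), "sports": set()})
    for a in alerts:
        pair = per_pair[(a["src"], a["dst"])]
        pair["alerts"] += 1
        pair["dports"].add(a["dport"])
        pair["sports"].add(a["sport"])
    return {"alerts": len(alerts), "per_sig": dict(per_sig), "per_pair": dict(per_pair),
            "engine_events_only": all(is_engine_event(sid) for sid, _ in per_sig)}

if __name__ == "__main__":
    report = summarize(SAMPLE_FAST_LOG)
    for (sid, msg), n in sorted(report["per_sig"].items()):
        print(f"{n:3d}  sid={sid}  {msg}")
    print("only Suricata protocol-event rules fired:", report["engine_events_only"])
```

Run it against the real file with `summarize(open("/var/log/suricata/fast.log").read())`; a count above zero confirms the NFQUEUE path delivers packets to the engine, and the per-signature view shows which rules actually produced the alerts.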