Suricata in docker doesn't block packets

,
1

Hello, team.
I use dockerized Suricata 6.0.13 (jasonish/suricata:latest) and it doesn’t block traffic.
Steps to reproduce.

  1. Command to run container looks like:
docker run --name=suricata --rm -it --name=suricata --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    -v /opt/suricata/logs:/var/log/suricata \
    -v /opt/suricata/lib:/var/lib/suricata \
    -v /opt/suricata/etc:/etc/suricata \
    jasonish/suricata:latest -i eth0
  1. Updating rules:
docker exec -it --user suricata suricata suricata-update -f
  1. Modifying the rule 2100498 to drop packets:
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
  1. Reloading rules:
docker exec -it --user suricata suricata suricatasc -c reload-rules
  1. Testing Invalid traffic:
curl --max-time 5 http://testmynids.org/uid/index.html

(no error recieved)

  1. In fast.log I see ‘wDrop’ record:
07/12/2023-12:25:38.959068  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.88.122:44172 -> 52.XX.XX.69:80
07/12/2023-12:25:39.012621  [wDrop] [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 52.XX.XX.69:80 -> 192.168.88.1
22:44172

but packets was not blocked.

Please help me, what I do wrong?

2

Looks like suricata is running in IDS mode, not in IPS mode. So no blocking occurs.

See:
https://docs.suricata.io/en/latest/setting-up-ipsinline-for-linux.html

3

@vjulien Thanks for your opinion. Are you familiar with this product jasonish/suricata? I’m not sure it has a choice of operating mode.

@ish Maybe you can help?

4

First of all, which type of IPS mode do you plan to use?
You can also pass dedicated run commands and should also build your suricata.yaml accordingly.