Suricata in docker doesn't block packets

Hello, team.
I use dockerized Suricata 6.0.13 (jasonish/suricata:latest) and it doesn’t block traffic.
Steps to reproduce.

  1. Command to run the container looks like:
docker run --name=suricata --rm -it --name=suricata --net=host \
    --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice \
    -v /opt/suricata/logs:/var/log/suricata \
    -v /opt/suricata/lib:/var/lib/suricata \
    -v /opt/suricata/etc:/etc/suricata \
    jasonish/suricata:latest -i eth0
  2. Updating rules:
docker exec -it --user suricata suricata suricata-update -f
  3. Modifying the rule 2100498 to drop packets:
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
  4. Reloading rules:
docker exec -it --user suricata suricata suricatasc -c reload-rules
  5. Testing invalid traffic:
curl --max-time 5

(no error received)

  6. In fast.log I see a ‘wDrop’ record:
07/12/2023-12:25:38.959068  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} -> 52.XX.XX.69:80
07/12/2023-12:25:39.012621  [wDrop] [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 52.XX.XX.69:80 ->

but the packets were not blocked.

Please help me, what am I doing wrong?

Looks like suricata is running in IDS mode, not in IPS mode. So no blocking occurs.


@vjulien Thanks for your opinion. Are you familiar with this product, jasonish/suricata? I’m not sure it has a choice of operating mode.

@ish Maybe you can help?

First of all, which type of IPS mode do you plan to use?
You can also pass dedicated run commands and should also build your suricata.yaml accordingly.
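The diagnosis above hinges on the tag in fast.log: a drop rule that fires in IDS mode is logged as "[wDrop]" (would drop), while an enforced drop in an inline IPS mode is logged as "[Drop]". The following is an added example, not code from the thread or from the Suricata project, that parses fast.log records in the format the original post shows and reports whether blocking is actually being enforced; the sample records and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# One fast.log record: timestamp, optional [Drop]/[wDrop] tag, [gid:sid:rev], msg, rest.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>Drop|wDrop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)

def parse_fast_line(line):
    """Return a dict for one fast.log line, or None if the line does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    # No tag: plain alert. "wDrop": a drop rule matched but the engine is not
    # inline (IDS mode), so nothing was blocked. "Drop": the packet was dropped.
    rec["status"] = rec["action"] or "alert"
    return rec

def summarize(lines):
    """Count alert/Drop/wDrop records and flag whether drops are enforced."""
    counts = Counter()
    wdrop_sids = set()
    for line in lines:
        rec = parse_fast_line(line)
        if rec is None:
            continue
        counts[rec["status"]] += 1
        if rec["status"] == "wDrop":
            wdrop_sids.add(rec["sid"])
    # Any wDrop means the sensor is passive; only real Drop tags count as blocking.
    enforcing = counts["Drop"] > 0 and counts["wDrop"] == 0
    return {"counts": dict(counts), "wdrop_sids": sorted(wdrop_sids), "enforcing": enforcing}

# Constructed sample records (placeholder IPs) mirroring the thread's fast.log format.
SAMPLE_LOG = [
    '07/12/2023-12:25:38.959068  [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.69:80',
    '07/12/2023-12:25:39.012621  [wDrop] [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.69:80 -> 192.0.2.10:51234',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the real /opt/suricata/logs/fast.log, a non-empty wdrop_sids list with enforcing False is the signature of the situation in this thread: the rule works, but the engine is not running inline.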