Hi all,
I have been using Suricata in IDS mode until now. Emerging Threats rules are enabled and alerts are generated from those Emerging Threats rules. These alerts are sent by email using Wazuh (ELK Stack). Here is one sample:
Wazuh Notification.
2020 Nov 11 13:50:49
Received From: (lakhamari) 10.10.80.43->/var/log/suricata/fast-2020-11-11.log
Rule: 300011 fired (level 10) -> “Suricata level 1 alert”
Src IP: 42.239.249.187
Dst IP: x.x.x.x:80
Portion of the log(s):
11/11/2020-13:51:29.243156 [**] [1:2019309:4] ET WEB_SERVER WGET Command Specifying Output in HTTP Headers [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 42.239.249.187:49174 -> x.x.x.x:80
Now, I would like to drop those IPs which are trying to access my system, meaning I would like to use Suricata as an IPS and block those IPs which are threats.
So, I read the docs and found out that I need to set up Suricata in IPS/inline mode, which requires additional configuration:
- Iptables has to forward packets to NFQUEUE and mark them (optionally).
- Suricata has to listen to NFQUEUE in the correct mode.
Is that all I have to do? Or do those Emerging Threats rules need to be tweaked? Do I need to change those alert rules from Emerging Threats to drop?
Until now, those Emerging Threats rules are just alerting me via email with the help of the ELK Stack and Wazuh.
Please help me out. This is what I am doing on my production server.
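As an added illustration of the two pieces the question touches (this is example code, not the poster's setup or Suricata project code): a small POSIX shell helper that rewrites selected `alert` rules to `drop` by SID, since in inline mode an `alert` rule still only alerts, plus the iptables NFQUEUE and `suricata -q` invocation the docs describe. The rule lines and SIDs below are constructed samples in ET syntax, not the real ET rule text; the helper is meant to be re-run after each rule update, or replaced by suricata-update's `modify.conf` mechanism, which does the same rewrite persistently.

```shell
#!/bin/sh
# Example, not the poster's configuration. Rewrites "alert" -> "drop" only for
# the rule lines whose sid is in the given list, leaving other rules and
# comments untouched.  $1 = space-separated SIDs, stdin = rules, stdout = result.
alert_to_drop() {
    awk -v sids="$1" '
        BEGIN { n = split(sids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^alert / && match($0, /sid:[ ]*[0-9]+/) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/sid:[ ]*/, "", sid)
            if (sid in want) sub(/^alert /, "drop ")
        }
        { print }
    '
}

# Sanity check after rewriting: how many rules now drop?
count_drop() { grep -c '^drop ' ; }

# Constructed sample rules (shortened; not the actual ET rule bodies).
SAMPLE_RULES='alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; classtype:attempted-admin; sid:2019309; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN sample"; sid:2001219; rev:20;)
# comment line kept untouched
alert ip any any -> any any (msg:"keep as alert"; sid:9000001; rev:1;)'

# Kernel side, run as root on the Suricata host (printed here, not executed):
# send traffic to NFQUEUE 0 and start Suricata reading that queue. FORWARD is
# for a gateway; INPUT/OUTPUT cover the host itself. --queue-bypass keeps
# traffic flowing (fail-open) if Suricata is not attached to the queue, which
# is the safer choice while first testing on a production box.
nfqueue_iptables_commands() {
    cat <<'EOF'
iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
iptables -I INPUT -j NFQUEUE --queue-num 0 --queue-bypass
iptables -I OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass
suricata -c /etc/suricata/suricata.yaml -q 0
EOF
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | alert_to_drop "2019309 2001219"
    nfqueue_iptables_commands
fi
```

Run with `sh script.sh demo` to see the rewritten rules followed by the commands; apply the rewrite to a copy of the rules file and point `suricata.yaml` at it.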