Suricata in IPS Mode

Hi all,

I have been using Suricata in IDS mode until now. Emerging Threats rules are enabled and alerts are generated from those rules. These alerts are sent by email using Wazuh (ELK Stack). Here is one sample:

Wazuh Notification.
2020 Nov 11 13:50:49

Received From: (lakhamari) 10.10.80.43->/var/log/suricata/fast-2020-11-11.log
Rule: 300011 fired (level 10) -> “Suricata level 1 alert”
Src IP: 42.239.249.187
Dst IP: x.x.x.x:80
Portion of the log(s):

11/11/2020-13:51:29.243156 [**] [1:2019309:4] ET WEB_SERVER WGET Command Specifying Output in HTTP Headers [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 42.239.249.187:49174 -> x.x.x.x:80

Now, I would like to drop those IPs which are trying to access my system, meaning I would like to use Suricata as an IPS and block those IPs which are threats.
So, I read the docs and found out that I need to set up Suricata in IPS/inline mode, which requires additional configuration:

  1. Iptables has to forward packets to NFQUEUE and mark them (optionally).
  2. Suricata has to listen to NFQUEUE in the correct mode.

Is that all I have to do? Or do those Emerging Threats rules need to be tweaked? Do I need to change those alert rules from Emerging Threats to drop?
Until now, those Emerging Threats rules have just been alerting me via email with the help of the ELK Stack and Wazuh.

Please help me out. This is what I am doing on my production server.

Yes you need to change the rules. I believe all Emerging Threats rules start with alert so they will never drop traffic. You need to change the rules to start with drop instead if you want matching traffic to be dropped.

I believe suricata-update can be used to convert the rules, have a look at https://suricata-update.readthedocs.io/en/latest/update.html?highlight=drop#example-configuration-to-convert-rules-to-drop-drop-conf

1 Like
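To make the conversion step concrete, here is an added example (not code from this thread, from suricata-update, or from the Suricata project) that mimics what suricata-update does with a drop.conf: rules listed by SID, or matched by a `re:` pattern, have their `alert` action rewritten to `drop`, while commented-out rules and everything else pass through unchanged. The rule lines and the drop.conf below are constructed samples, and the `parse_drop_conf`/`convert_rules` names are my own; the case-insensitive regex match is an assumption, so check the suricata-update documentation for the exact semantics.

```python
"""Simplified re-implementation of the alert -> drop conversion that
suricata-update performs from drop.conf.  Constructed example; not the
tool's own code.  Rule lines are made-up samples in ET format."""
import re

# drop.conf accepts (among other forms) a bare SID, or "re:<regex>"
# matched against the whole rule line.  Only those two forms are handled.
def parse_drop_conf(text):
    sids, patterns = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            # Assumption: case-insensitive match; adjust if the real tool differs
            patterns.append(re.compile(line[3:].strip(), re.IGNORECASE))
        elif line.isdigit():
            sids.add(int(line))
        else:
            raise ValueError("unsupported drop.conf entry: %r" % line)
    return sids, patterns

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(\s*)(alert)\b")

def convert_rules(rules_text, drop_conf_text):
    """Return (converted rules text, list of SIDs whose action became drop)."""
    sids, patterns = parse_drop_conf(drop_conf_text)
    out, converted = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        # Disabled (commented) rules, blank lines and non-alert rules pass unchanged
        if not stripped or stripped.startswith("#") or not ACTION_RE.match(line):
            out.append(line)
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        if sid in sids or any(p.search(line) for p in patterns):
            line = ACTION_RE.sub(r"\1drop", line, count=1)
            converted.append(sid)
        out.append(line)
    return "\n".join(out), converted

# Constructed sample rules: the first SID is the one from the alert in this
# thread; the 9000xxx SIDs are made up for illustration.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; sid:2019309; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH brute force sample"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"CONSTRUCTED TROJAN lookup sample"; sid:9000003; rev:1;)
"""

# Constructed drop.conf: one explicit SID plus one regex
SAMPLE_DROP_CONF = """\
2019309
re:trojan
"""

if __name__ == "__main__":
    text, sids = convert_rules(SAMPLE_RULES, SAMPLE_DROP_CONF)
    print("converted to drop:", sids)
    print(text)
```

Run it and only SIDs 2019309 and 9000003 come out with a `drop` action; the SSH rule stays `alert` and the commented rule is untouched. In practice you would let `suricata-update` do this from `/etc/suricata/drop.conf` and then diff the generated rules file before reloading, and, as noted later in this thread, the `drop` action only takes effect once Suricata is actually running inline.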

Thanks for your response @syoc
Great, I will check the doc and will try to change the rules.

One more question,
What about dropping the traffic, will it drop those threats after modifying those rules without using Suricata in IPS/inline mode?

Or first, we need to configure Suricata in IPS/inline mode and then convert those ET alerts to drop?

You’ll have to be running Suricata in inline IPS mode for threats to actually be dropped.

I’m not much of an IPS user myself, but I usually recommend getting Suricata up and running in inline mode before attempting any drop rules. When it’s logging and alerting as expected, then experiment with converting rules to drop.

1 Like

Thanks @ish
That is all I need to know.