Suricata inline IPS on Windows with WinDivert help

Hi there

After 2 days of brain strain I thought I finally got Suricata with Windivert running on a Windows Server.

In EveBox though, I'm seeing DROP rules showing action as ALLOWED although it is a drop rule.

Changed IPs for demonstration purposes.
HOME_NET=1.0.0.0

The rule:

drop ip [2.0.0.0/24] any -> any any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:6025; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2021_09_06;)

The JSON output when triggered:

{
  "_id": 88590,
  "_source": {
    "alert": {
      "action": "allowed",
      "category": "Misc Attack",
      "gid": 1,
      "metadata": {
        "affected_product": [
          "Any"
        ],
        "attack_target": [
          "Any"
        ],
        "created_at": [
          "2010_12_30"
        ],
        "deployment": [
          "Perimeter"
        ],
        "signature_severity": [
          "Major"
        ],
        "tag": [
          "Dshield"
        ],
        "updated_at": [
          "2021_09_06"
        ]
      },
      "rev": 6025,
      "severity": 2,
      "signature": "ET DROP Dshield Block Listed Source group 1",
      "signature_id": 2402000
    },
    "dest_ip": "1.0.0.0",
    "dest_port": 33911,
    "evebox": {
      "filename": "C:\\Program Files\\Suricata\\log\\eve.json"
    },
    "event_type": "alert",
    "flow": {
      "bytes_toclient": 0,
      "bytes_toserver": 40,
      "pkts_toclient": 0,
      "pkts_toserver": 1,
      "start": "2021-09-07T13:51:44.037483+0000"
    },
    "flow_id": 399008609636971,
    "metadata": {
      "flowbits": [
        "ET.Evil",
        "ET.DshieldIP"
      ]
    },
    "proto": "TCP",
    "src_ip": "2.0.0.0",
    "src_port": 50460,
    "tags": [],
    "timestamp": "2021-09-07T13:51:44.037483+0000"
  }
}

Starting Suricata with this command:

"C:\Program Files\Suricata\suricata.exe" -c "C:\Program Files\Suricata\suricata.yaml" --windivert true

Hi,

Try this command line and this rule

suricata -c suricata.yaml -vv --windivert tcp -knone -l ./log

Rules drop example:

drop tcp any any -> any any (msg: "Google"; content: "google"; classtype: misc-activity; sid: 393981460; rev: 1;)
drop ip [192.168.1.225,192.168.1.239,192.168.1.252] any -> any any (msg:"Sitio Bloqueado "; threshold: type limit, track by_src, seconds 3600, count 1; classtype: misc-activity; sid: 393981461; rev: 1;)

Hi there
EveBox still shows action as "allowed" in the JSON output although the drop is being enforced by WinDivert.

Hi,

In suricata.yaml?

- drop:
     alerts: yes      # log alerts that caused drops

Hi,

Thank you for your help, much appreciated.

I checked and that was hashed out. I unhashed it now and restarted Suricata.

But I'm still not seeing any drop events in the log though… Just an "alert" with "action:allowed"…
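As an added check (not code from the thread or from the Suricata project), a small Python script that collects the sids of all `drop` rules from a rules file and then scans eve.json for two things: `event_type: drop` records, which only appear once the eve-log `drop` output is enabled, and alerts from drop rules whose `alert.action` is still `allowed`, which is the mismatch described above. The rule lines and eve.json records embedded here are constructed samples modelled on the ones in the thread.

```python
import json
import re

# Constructed sample rules modelled on the thread's (the ET drop sid is the thread's own).
RULES = """
drop ip [2.0.0.0/24] any -> any any (msg:"ET DROP Dshield Block Listed Source group 1"; sid:2402000; rev:6025;)
alert tcp any any -> any any (msg:"example alert"; sid: 1000001; rev:1;)
"""

# Constructed eve.json lines: a drop-rule alert still logged "allowed", an enforced one, its
# matching "drop" event (written only when eve-log's drop output has alerts: yes), a plain alert.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"2.0.0.5","alert":{"action":"allowed","signature_id":2402000}}',
    '{"event_type":"alert","src_ip":"2.0.0.6","alert":{"action":"blocked","signature_id":2402000}}',
    '{"event_type":"drop","src_ip":"2.0.0.6","alert":{"action":"blocked","signature_id":2402000}}',
    '{"event_type":"alert","src_ip":"3.0.0.1","alert":{"action":"allowed","signature_id":1000001}}',
]

# Rule action keyword at line start, then the sid option somewhere in the rule body.
RULE_RE = re.compile(r"^\s*(drop|alert|pass|reject)\s+.*\bsid\s*:\s*(\d+)\s*;")


def drop_sids(rules_text):
    """Return the set of signature ids whose rule action is 'drop'."""
    sids = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)  # commented-out rules (# ...) never match
        if m and m.group(1) == "drop":
            sids.add(int(m.group(2)))
    return sids


def audit_eve(lines, sids):
    """Count drop events and enforced drop-rule alerts; list drop-rule alerts still 'allowed'."""
    result = {"drop_events": 0, "enforced": 0, "mismatched": []}
    for line in lines:
        ev = json.loads(line)
        alert = ev.get("alert", {})
        if ev.get("event_type") == "drop":
            result["drop_events"] += 1
        elif ev.get("event_type") == "alert" and alert.get("signature_id") in sids:
            if alert.get("action") == "blocked":
                result["enforced"] += 1
            else:  # drop rule fired but Suricata reports the packet as allowed
                result["mismatched"].append((alert["signature_id"], ev["src_ip"], alert["action"]))
    return result
```

`audit_eve` takes any iterable of JSON lines, so an open eve.json file handle works in place of `EVE_LINES`; an empty `mismatched` list together with a non-zero `drop_events` count is what an enforcing inline setup should show.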