I have successfully set up Suricata in IPS inline mode using AF_Packet (Ubuntu). To test it, I used testmynids.org, and Suricata correctly blocked the response:
root@jasser:/home/jasser# curl --max-time 5 http://testmynids.org/uid/index.html
curl: (28) Operation timed out after 5000 milliseconds with 0 out of 39 bytes received
However, I noticed that Suricata only drops packets but does not block the attacker’s source IP automatically. I want to implement a solution to achieve this.
Scenario: Preventing SSH Brute Force Attacks (password guessing)
I tried using Fail2ban, but it doesn’t seem to work. Here’s my configuration:
Something to note about AF_PACKET IPS is that it is userland bridge. It passively picks up packets on one interface, provided Suricata doesn’t have a drop rule for that packet, it copies it out the other interface. I don’t believe iptables ever has a chance to drop the packet, so you’ll want to look at Suricata solutions.
The documentation covers datasets, where a dataset can be a table of IP addresses that you have blocked. It's better than a rule per IP address you want to block as you won't need to reload the ruleset each time. You can use the "suricatasc" tool to add and remove addresses at runtime. I don't have a full example handy though.
I just want a solution that blocks the attacker’s IP address in real time.
So did you mean:
- Suricata detects suspicious activity using a rule designed to match malicious behavior.
- A script or tool then automatically adds the attacker's IP to a dataset via suricatasc in real time without requiring a restart.
Yes, that is the approach I would look at. Note that if you do go with a rule per block you still don't need to restart Suricata, you can just trigger a reload. But it's probably not something you would want to do in an automated fashion as it's quite intensive compared to dynamically updating a dataset.
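As an added example of the dataset approach discussed above (not code from this thread or from the Suricata project): a script that reads eve.json alert lines and feeds the source address of each brute-force alert into an IP dataset through suricatasc, so the drop rule picks it up without a reload. It assumes Suricata 7+ (ip.src with an ipv4 dataset), a detection rule with sid 1000001, a dataset named blocklist, and a drop rule such as: drop ip any any -> any any (msg:"Blocked source"; ip.src; dataset:isset,blocklist,type ipv4,load /var/lib/suricata/blocklist.lst; sid:1000002; rev:1;)

```python
"""Feed Suricata brute-force alerts into an IP dataset via suricatasc.
Assumed (not from the thread): Suricata 7+, alert rule sid 1000001, and a
drop rule that checks the ipv4 dataset "blocklist" (rule given in the lead-in)."""
import ipaddress
import json
import subprocess
import sys

BRUTE_FORCE_SID = 1000001   # assumed sid of the SSH brute-force alert rule
DATASET = "blocklist"       # assumed dataset name referenced by the drop rule


def offending_ips(eve_lines, sid=BRUTE_FORCE_SID):
    """IPv4 source addresses of alerts for sid; skips torn lines and IPv6."""
    ips = set()
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written line while tailing eve.json
        if ev.get("event_type") != "alert" or ev.get("alert", {}).get("signature_id") != sid:
            continue
        try:
            if ipaddress.ip_address(ev.get("src_ip", "")).version == 4:
                ips.add(ev["src_ip"])  # an ipv4 dataset holds IPv4 only
        except ValueError:
            pass
    return ips


def dataset_add_argv(ip, dataset=DATASET):
    """suricatasc invocation that inserts ip into the dataset at runtime."""
    return ["suricatasc", "-c", f"dataset-add {dataset} ipv4 {ip}"]


def block(ips):
    """Run suricatasc per address; returns how many invocations exited 0."""
    return sum(subprocess.run(dataset_add_argv(ip), check=False).returncode == 0
               for ip in sorted(ips))


# Constructed eve.json sample: a match, another rule, an IPv6 hit, a torn line.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000001}}',
    '{"event_type":"alert","src_ip":"198.51.100.9","alert":{"signature_id":2001}}',
    '{"event_type":"alert","src_ip":"2001:db8::1","alert":{"signature_id":1000001}}',
    '{"event_type":"alert","src_ip":"203.0.113.7",',
]

if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVE
    print(block(offending_ips(src)), "address(es) added to", DATASET)
```

Run it as `tail -f /var/log/suricata/eve.json | python3 blocklist_feed.py`; with no piped input it processes the constructed sample instead.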