Please include the following information with your help request:
- Suricata version: Suricata 8.0.0
- Operating system: Windows 11
- How you installed Suricata: from package
Hi everyone.
Recently I tried to enable IPS mode using WinDivert following this guide:
I run suricata like this:
suricata.exe -c suricata.yaml --windivert "true"
It does capture packets, and alerts are working; however, when I observe the logs I see that:
- Packets that should be dropped are marked as wDrop in fast.log
- In eve.json they are marked as "event_type":"alert" with "action":"allowed"
- It doesn't drop packets.
I still get the server banner from my test HTTP server while making curl requests to it from an external network.
I'm using the following rule to drop packets:
drop http any any -> $HOME_NET any (msg:"Alarm detected"; content:"Alarm"; nocase; classtype:policy-violation; sid:1; rev:1;)
And while curl http://{external_ip}/?q=alarm generates an alarm, I still get the HTTP body from the server.
I also checked and made sure that I have enabled drop in suricata.yaml:
- drop:
    alerts: yes # log alerts that caused drops
Additionally, for some reason the timestamp is off by about 30 minutes when I use WinDivert, which isn't the case when I use the PCAP interface.
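As an added example (not part of the original post), a small check that scans eve.json and fast.log for alerts on drop-rule sids that were not actually blocked, which is what the symptoms above look like in the logs. The sample log lines are constructed, and the `[Drop]` fast.log marker for an enforced drop is an assumption.

```python
import json
import re

# Constructed sample eve.json lines (not from the original post): two alerts for
# drop rule sid 1, one only "allowed" and one actually "blocked", plus an http event.
SAMPLE_EVE = (
    '{"timestamp":"2025-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"action":"allowed",'
    '"signature_id":1,"rev":1,"signature":"Alarm detected"}}\n'
    '{"timestamp":"2025-01-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"action":"blocked",'
    '"signature_id":1,"rev":1,"signature":"Alarm detected"}}\n'
    '{"timestamp":"2025-01-01T10:00:02.000000+0000","event_type":"http",'
    '"src_ip":"203.0.113.7","dest_ip":"10.0.0.5"}\n'
)

# Constructed fast.log lines: "[wDrop]" is the marker quoted in the post,
# "[Drop]" is assumed to be the marker written for an enforced drop.
SAMPLE_FAST = (
    "01/01/2025-10:00:00.000000  [wDrop] [**] [1:1:1] Alarm detected [**] "
    "[Priority: 1] {TCP} 203.0.113.7:51000 -> 10.0.0.5:80\n"
    "01/01/2025-10:00:01.000000  [Drop] [**] [1:1:1] Alarm detected [**] "
    "[Priority: 1] {TCP} 203.0.113.7:51001 -> 10.0.0.5:80\n"
)

# Start of a fast.log line: timestamp, [action], [**], [gid:sid:rev]
FAST_RE = re.compile(r"^\S+\s+\[(?P<action>\w+)\]\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]")

def unenforced_eve_alerts(text, drop_sids):
    """Alerts for drop-rule sids whose eve.json action is anything but 'blocked'."""
    hits = []
    for line in filter(None, text.splitlines()):
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alert = ev["alert"]
        if alert["signature_id"] in drop_sids and alert.get("action") != "blocked":
            hits.append((ev["timestamp"], alert["signature_id"], alert.get("action"),
                         ev["src_ip"], ev["dest_ip"]))
    return hits

def fast_log_action_counts(text, drop_sids):
    """Count the fast.log action markers (wDrop vs Drop) seen per drop-rule sid."""
    counts = {}
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m and int(m.group("sid")) in drop_sids:
            per_sid = counts.setdefault(int(m.group("sid")), {})
            per_sid[m.group("action")] = per_sid.get(m.group("action"), 0) + 1
    return counts
```

Any entry returned by `unenforced_eve_alerts`, or any `wDrop` count from `fast_log_action_counts`, means the drop verdict was logged but not applied to that packet.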