Hi everybody,
Can anyone help me?
I simulated a Suricata IPS mode implementation on an SDN network. I used nfq for the IPS process, but after setting up iptables on an interface I couldn't provide background traffic to that interface. Is there any solution for this?
Hi,
please provide proper details about your setup, starting with the Suricata version, the suricata.yaml, the run command that you use, the logs and how exactly you did setup the IPS mode. Otherwise it’s hard to help you without more verbose details.
I built the topology using Mininet: h1 - h5 = attacker, h4 = victim, h5 = DITG (sends background traffic to h4), Suricata 7.0.6.
from mininet.net import Mininet
from mininet.node import RemoteController
from mininet.cli import CLI
from mininet.link import TCLink
from mininet.topo import Topo


class MyTopo(Topo):
    def build(self):
        # Add the switch
        s1 = self.addSwitch('s1')

        # Add hosts
        h1 = self.addHost('h1')
        h2 = self.addHost('h2')
        h3 = self.addHost('h3')
        h4 = self.addHost('h4')
        h5 = self.addHost('h5')
        h6 = self.addHost('h6')  # Target host with Suricata
        h7 = self.addHost('h7')

        # Add links (star topology, every host on s1)
        self.addLink(s1, h1)
        self.addLink(s1, h2)
        self.addLink(s1, h3)
        self.addLink(s1, h4)
        self.addLink(s1, h5)
        self.addLink(s1, h6)
        self.addLink(s1, h7)


if __name__ == '__main__':
    topo = MyTopo()
    # Build the network without a default controller; the remote one is added below
    net = Mininet(topo=topo, controller=None, link=TCLink)
    # Add the remote (ONOS) controller with the specified IP and OpenFlow port
    onos_controller = net.addController('c0', controller=RemoteController,
                                        ip='192.168.100.6', port=6653)
    net.start()
    CLI(net)
    net.stop()
iptables:
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE

suricata.yaml:
nfq:
  mode: accept
  repeat_mark: 1
  repeat_mask: 1
  route_queue: 0

Attack using hping3:
hping3 -S -d 5000 --flood <h4>

D-ITG:
./ITGSend -a <h4> -T UDP -c 1000 -C 1000 -t 10000 -x file.log

Suricata rules:
drop tcp any any -> any any (msg:"Drop SYN Flood"; sid:123; rev:1;)

Run Suricata:
sudo suricata -c /etc/suricata/suricata.yaml -q 0 -v
Please help me
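The reply below asks for stats.log. As an added diagnostic aid (an editor's example, not code posted in this thread), the script below pulls the IPS verdict counters out of a Suricata stats.log so one can see how much of the traffic received an accept versus a block verdict. It assumes the plain-text stats.log layout Suricata writes (a dated header followed by "Counter | TM Name | Value" rows) and the counter names decoder.pkts, ips.accepted and ips.blocked that Suricata 7 emits in NFQ mode; the sample log embedded in it is constructed. With a rule such as the one above, "drop tcp any any -> any any", every TCP packet receives a block verdict, which shows up directly in these counters.

```python
"""Summarise Suricata NFQ IPS verdict counters from a stats.log dump.

Added example, not code from the thread. Assumes the plain-text
stats.log layout ("Counter | TM Name | Value" rows under a "Date:"
header) and the Suricata 7 counter names decoder.pkts, ips.accepted
and ips.blocked. Only the last snapshot in the file is summarised.
"""
import re
import sys

# Constructed sample with two snapshots; only the last one is used.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 1/1/2024 -- 12:00:05 (uptime: 0d, 00h 00m 05s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 120
decoder.tcp                                   | Total                     | 20
decoder.udp                                   | Total                     | 100
detect.alert                                  | Total                     | 20
ips.accepted                                  | Total                     | 100
ips.blocked                                   | Total                     | 20
------------------------------------------------------------------------------------
Date: 1/1/2024 -- 12:00:15 (uptime: 0d, 00h 00m 15s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
decoder.pkts                                  | Total                     | 50120
decoder.tcp                                   | Total                     | 49020
decoder.udp                                   | Total                     | 1100
detect.alert                                  | Total                     | 49020
ips.accepted                                  | Total                     | 1100
ips.blocked                                   | Total                     | 49020
"""

# One counter row: name | thread-module name | integer value.
# The column header row has a non-numeric value and a space in "TM Name",
# so it never matches.
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text):
    """Return {counter_name: value} for the last snapshot in a stats.log dump."""
    snapshots = []
    current = None
    for line in text.splitlines():
        if line.startswith("Date:"):          # a new snapshot begins
            current = {}
            snapshots.append(current)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            counter, tm_name, value = m.groups()
            if tm_name == "Total":            # skip per-thread rows if present
                current[counter] = int(value)
    return snapshots[-1] if snapshots else {}


def ips_summary(counters):
    """Condense the NFQ verdict counters into a small report dict."""
    pkts = counters.get("decoder.pkts", 0)
    tcp = counters.get("decoder.tcp", 0)
    accepted = counters.get("ips.accepted", 0)
    blocked = counters.get("ips.blocked", 0)
    verdicts = accepted + blocked
    return {
        "packets": pkts,
        "tcp_packets": tcp,
        "accepted": accepted,
        "blocked": blocked,
        "blocked_pct": round(100.0 * blocked / verdicts, 1) if verdicts else 0.0,
        # Packets with neither an accept nor a block verdict in this snapshot
        # (reject/replace verdicts, if any, would also land here).
        "unverdicted": pkts - verdicts,
        # A drop-all-TCP rule blocks exactly the TCP packets seen by the decoder.
        "all_tcp_blocked": tcp > 0 and blocked == tcp,
    }


def summarise_file(path=None):
    """Summarise a stats.log on disk, or the constructed sample when no path is given."""
    if path is None:
        text = SAMPLE_STATS_LOG
    else:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    return ips_summary(parse_stats_log(text))


if __name__ == "__main__":
    report = summarise_file(sys.argv[1] if len(sys.argv) > 1 else None)
    for key, value in report.items():
        print(f"{key:>16}: {value}")
```

Run it as `python3 ips_stats.py /var/log/suricata/stats.log` (path is the default Suricata log directory; adjust to your setup) or without arguments to see it on the constructed sample. A high `blocked_pct` together with `all_tcp_blocked` being true is the signature of a rule that drops all TCP rather than only the flood, while a large `unverdicted` count means packets passed the decoder without reaching a verdict and is worth correlating with suricata.log.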
As mentioned, please provide the suricata.yaml as well as the suricata.log and stats.log.