I tested out my configuration with pings and I do get the appropriate response back when I turn on Suricata with the below setup. However, I get an issue when I run a Python script over ICMP: it ends up making it to the other IP address. See below for the setup:
Suricata.yaml
nfq:
  mode: accept
Rule:
drop icmp any any -> any any ( msg:"ICMP:Packet dropped"; sid:100007;rev:1; )
iptables (Tried with a queue num 1 on INPUT as well)
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
Suricata Command
sudo suricata -c /etc/suricata/suricata.yaml -q 0
Message in Fast.log
07/04/2021-16:20:10.065700 [Drop] [**] [1:100007:1] ICMP:Packet dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.56.101:0 -> 192.168.56.105:0
The log suggests that the Python script successfully sends the ICMP packets to 192.168.56.101 and it is dropped on the response back to 192.168.56.105.
With queue numbers:
07/04/2021-17:17:05.050987 [Drop] [**] [1:100007:1] ICMP:Packet dropped [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.56.105:8 -> 192.168.56.101:0
How do I get the ICMP packet stopped before it is sent to the other VM?
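As an added example (not part of the original post or of Suricata), a small Python parser for fast.log lines like the two quoted above that reports, for a chosen sending host, whether the dropped ICMP packet was the outbound request or only the reply coming back. The two sample lines and the host 192.168.56.105 are taken from the post; the reading of the port slots as ICMP type and code is Suricata's own convention for ICMP entries.

```python
import re

# Sample lines in Suricata fast.log format, copied from the post above.
SAMPLE_LINES = [
    "07/04/2021-16:20:10.065700 [Drop] [**] [1:100007:1] ICMP:Packet dropped [**] "
    "[Classification: (null)] [Priority: 3] {ICMP} 192.168.56.101:0 -> 192.168.56.105:0",
    "07/04/2021-17:17:05.050987 [Drop] [**] [1:100007:1] ICMP:Packet dropped [**] "
    "[Classification: (null)] [Priority: 3] {ICMP} 192.168.56.105:8 -> 192.168.56.101:0",
]

# One fast.log line: timestamp, optional [Action], [gid:sid:rev], msg,
# classification, priority, {proto}, src:sp -> dst:dp.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>[A-Za-z]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)$"
)


def parse_fast_line(line):
    """Return a dict of fields for a fast.log line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["action"] = entry["action"] or "Alert"  # plain alerts carry no [Action] field
    for key in ("gid", "sid", "rev", "prio", "sp", "dp"):
        entry[key] = int(entry[key])
    return entry


def classify_icmp_drop(entry, sender):
    """Say whether a dropped ICMP packet left `sender` or was a reply back to it.
    For ICMP entries Suricata puts the ICMP type in the source port slot and the
    code in the destination port slot (type 8 = echo request, type 0 = echo reply)."""
    if entry is None or entry["proto"] != "ICMP" or entry["action"] != "Drop":
        return "not an ICMP drop"
    icmp = f"type {entry['sp']}, code {entry['dp']}"
    if entry["src"] == sender:
        return f"outbound dropped ({icmp}) before reaching {entry['dst']}"
    if entry["dst"] == sender:
        return f"reply dropped ({icmp}); the request already reached {entry['src']}"
    return "unrelated to sender"


def summarize(lines, sender):
    """Classify every line relative to `sender`; unparsable lines are reported as such."""
    return [classify_icmp_drop(parse_fast_line(line), sender) for line in lines]


if __name__ == "__main__":
    for verdict in summarize(SAMPLE_LINES, "192.168.56.105"):
        print(verdict)
```

Running it on the two lines from the post prints a reply-dropped verdict for the first (no queue number) and an outbound-dropped verdict for the second (with queue numbers), which is the difference the log lines show.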