Hello there I have configured suricata as IPS and trying to block hping3 from another kali system and in the logs it showing as blocked but the attack seems to still be doing its job.
Hi,
without more details it’s hard to tell. Please post Suricata version, config, runcommand etc.
I’m running the latest version
it is already configured with nfque, to run I just use the start command.
and in the logs, it does say blocked I have also tried reject but doesn’t seem to stop the attack.
But in your experience should it actually be stopping the attack completely?
To test it I am just running a basic apache web page and checking with the load times of the site.
Latest stable or 7.0 beta?
How does your suricata.yaml look like, the netfilter ules and the start command would still be helpful, you can check it with ps output. In addition to that how does the rule look like that you think should stop the traffic.
Depending on all those variables it could be possible to block it.
Hello, I am actually using Suricata 6.0.8.
suricata.yaml (73.1 KB)
This what I use to restart suricata because it is allready started on boot : sudo systemctl restart suricata.service.
This is all running on a ubunut desktop virtual machine by the way.
Firewalld is the firewall and these were the rules:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -j NFQUEUE
As for the suricata rules : I have tried a number of rules such as:
drop tcp any any -> any any (msg: “HPING3 DDoS attack”; flags: S; flow: stateless; classtype:attempted-dos; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS SYN packet flood inbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS SYN packet flood outbound, Potential DOS"; flow:to_server; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
I have also tried directly blocking the kali linux machine’s IP address as well.
drop ip 1.2.3.4 any -> any any (msg:"1.2.3.4 dropped"; sid:1;)
How do I go on about ps output?
You said the log said it’s blocked, can you post the log outputs?