Suricata not triggering the logs

Hi,

To explain the issue, please understand the scenario.
I have two machines:

  1. Ubuntu with Floodlight
  2. Kali Linux with mininet

I am using a customized rule to detect the SYN flood attack, but it is not triggering. The rule is below:
alert tcp any any -> $HOME_NET any (msg:"Possible SYN Flood Attack"; flow:stateless; flags:S; threshold: type both, track by_src, count 100, seconds 5; sid:1000001;)

But it is not triggering.

I am using host h1 as a TCP server with this command:
iperf -s -p 3010 -i 1

And generating normal bandwidth from h2 to h1:
iperf -c 10.0.0.1 -p 3010 -t 180

And using h3 to run the TCP SYN flood attack:
hping3 -c 10000 -d 120 -S -w 64 -p 3010 --flood 10.0.0.1

I tested my Suricata by using an ICMP rule to check if Suricata is triggering. The other rules are triggering, but the TCP SYN flood attack rule is not triggering.
alert icmp any any -> any any (msg:"ICMP Ping detected"; sid:1000001;)

Can anyone please help and explain why the TCP alert rule is not triggering?
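As an added example (not part of the original post), here is a small Python check a defender can run on the two rules above before debugging traffic: it extracts the sids and the threshold options, and replays constructed SYN timestamps for h2 and h3 through a simplified model of "threshold: type both, track by_src" to show how many alerts that rule should produce. The threshold model and the traffic are assumptions for illustration, not Suricata's own code.

```python
import re
from collections import defaultdict

# The two rules as posted above (copied here as constructed input for the checks).
RULES = [
    'alert tcp any any -> $HOME_NET any (msg:"Possible SYN Flood Attack"; '
    'flow:stateless; flags:S; threshold: type both, track by_src, count 100, seconds 5; sid:1000001;)',
    'alert icmp any any -> any any (msg:"ICMP Ping detected"; sid:1000001;)',
]

def duplicate_sids(rules):
    """sids used by more than one rule. Suricata refuses to load a second rule that
    reuses a sid it has already seen, so a duplicate means one rule is silently missing."""
    seen = defaultdict(int)
    for rule in rules:
        m = re.search(r"\bsid:\s*(\d+)", rule)
        if m:
            seen[int(m.group(1))] += 1
    return sorted(sid for sid, n in seen.items() if n > 1)

def parse_threshold(rule):
    """Pull type/track/count/seconds out of the rule's 'threshold:' keyword."""
    m = re.search(r"threshold:\s*type\s+(\w+),\s*track\s+(\w+),\s*count\s+(\d+),\s*seconds\s+(\d+)", rule)
    return {"type": m.group(1), "track": m.group(2), "count": int(m.group(3)), "seconds": int(m.group(4))}

def syn_flood_alerts(syn_events, count, seconds):
    """Simplified model (assumption, not Suricata's implementation) of
    'threshold: type both, track by_src': per source IP, count SYNs inside an
    interval of `seconds`; alert once when `count` is reached and stay quiet until
    the interval expires and counting restarts. syn_events: (timestamp_s, src_ip)."""
    interval_start, hits, alerted, alerts = {}, defaultdict(int), set(), []
    for ts, src in sorted(syn_events):
        start = interval_start.get(src)
        if start is None or ts - start >= seconds:
            interval_start[src], hits[src] = ts, 0   # new interval for this source
            alerted.discard(src)
        hits[src] += 1
        if hits[src] >= count and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src))
    return alerts

def demo():
    """Constructed traffic: h2 (10.0.0.2) opens one iperf connection, a few SYNs;
    h3 (10.0.0.3) sends a SYN every 10 ms for 12 s. Returns the model's alerts."""
    th = parse_threshold(RULES[0])
    events = [(0.5, "10.0.0.2"), (1.7, "10.0.0.2"), (60.0, "10.0.0.2")]
    events += [(i / 100, "10.0.0.3") for i in range(1200)]
    return syn_flood_alerts(events, th["count"], th["seconds"])
```

With the posted numbers the flood from h3 yields one alert per 5-second interval (three for a 12-second flood) and h2 never reaches the count, so if the rule loads at all it should fire; the duplicate sid check shows that both posted rules share sid 1000001.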

Hi Amir,

Not sure if this points towards the solution or not, but let's try:
What version of Suricata are you running?
Are you running in IPS, or IDS?
Do you have any exception policy enabled?
Do you have midstream enabled?

Thanks for your time in answering these!