Suricata not triggering the logs


To explain the issue, please understand the scenario.
I have two machines:

  1. Ubuntu with Floodlight
  2. Kali Linux with mininet

I am using customized rule to detect the syn flood attack but it is not triggering. The rule is below:
alert tcp any any → $HOME_NET any (msg:“Possible SYN Flood Attack”; flow:stateless; flags:S; threshold: type both, track by_src, count 100, seconds 5; sid:1000001;)

But it is not triggering.

I am using Host h1 as TCP server using this command
iperf -s -p 3010 -i 1

And generating normal normal bandwidth from h2 to h1
iperf -c -p 3010 -t 180

And using h3 to flood the TCP sync attack
hping3 -c 10000 -d 120 -S -w 64 -p 3010 --flood

I tested my suricata by using ICMP rule to check if suricata triggering. The other rules are triggering but TCP syn flood attack is not triggering.
alert icmp any any → any any (msg:“ICMP Ping detected”; sid:1000001;)

Can anyone please help and explain why TCP alert tules is not triggering?

Hi Amir,

not sure if this points towards the solution or not, but let’s try:
What version of Suricata are you running?
Are you running in IPS, or IDS?
Do you have any exception policy enabled?
Do you have midstream enabled?

Thanks for your time in answering these! :slight_smile: