I want to protect a host from a SYN flood, just like this iptables rule:
iptables -t filter -A INPUT -p tcp -m tcp --syn -m hashlimit --hashlimit-mode srcip --hashlimit-above 50/second --hashlimit-burst 50 --hashlimit-name ddos -j DROP
I've read about it.
Suricata 5.0.4
test.rules, only two rules:
#drop tcp any any -> any any (msg:"possible syn flood!!"; flags:S; threshold:type both, track by_src, count 50, seconds 1;)
alert tcp any any -> any any (msg:"possible syn flood!!"; flags:S; sid:202206011; rev:1;)
drop icmp any any -> any any (msg:"icmp request flood!!"; icode:0; itype:8; threshold:type both, track by_src, count 50, seconds 1; sid:202206012; rev:1;)
threshold.config, only one entry:
rate_filter gen_id 1, sig_id 202206011, track by_src, count 50, seconds 1, new_action drop, timeout 1
pc1[be attacked]---------[linux ips]--------------pc2[attacker]
At pc1: tcpdump -i eth0 tcp and dst port 80
At pc2: hping3 -S -p 80 -i u100 -c 300 $pc1
With the Linux IPS disabled, I can capture packets to TCP port 80 at pc1.
With the IPS enabled, I get no packets at all.
It seems that the IPS blocks all the matched packets, and the config in threshold.config is useless.
In eve.json and fast.log there is info about the blocked packets.
Then I stop hping3
and use curl http://pc1ip:80 at pc2:
it's OK.
So the rule with sid 202206001 doesn't fully work.
But, with the IPS enabled, at pc1: hping3 -1 -i u100 -c 300 $pc2
I can capture some of the packets at pc1 from pc2.
Rule 2 worked.
So where's the problem?
Does Suricata IPS treat TCP differently from ICMP?
Thanks, all of you.
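To make the expected behaviour of the two mechanisms in the post concrete, here is an added model (not Suricata code and not part of the original post) of a `rate_filter` with `new_action drop` and of a `threshold` with `type both`, replayed over a constructed SYN stream shaped like `hping3 -S -p 80 -i u100 -c 300` followed by one SYN a few seconds later (the curl). The class and function names are mine; the exact packet on which Suricata switches the action, and the fact that it counts on whole-second timestamps, are implementation details this model does not try to reproduce.

```python
# Added illustration (not Suricata code): a model of rate_filter vs. threshold
# type both, replayed over a constructed SYN stream. Timestamps are seconds.
from collections import defaultdict, deque


class RateFilter:
    """Model of: rate_filter ..., track by_src, count C, seconds S,
    new_action NEW, timeout T, applied to a rule whose own action is BASE.

    Documented behaviour: once a source produces C matches within S seconds,
    the rule's action is switched to NEW for that source for T seconds, after
    which it reverts to BASE. Assumption of this model: the switch happens on
    the C-th match; in Suricata this is an implementation detail.
    """

    def __init__(self, count, seconds, new_action, timeout, base_action="alert"):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        self.new_action, self.base_action = new_action, base_action
        self.recent = defaultdict(deque)  # src -> timestamps of matches in window
        self.until = {}                   # src -> time at which NEW stops applying

    def action(self, ts, src):
        """Return the action ("alert" or "drop") applied to this matching packet."""
        if src in self.until:
            if ts < self.until[src]:
                return self.new_action    # still inside the timeout
            del self.until[src]           # timeout expired: start counting again
            self.recent[src].clear()
        window = self.recent[src]
        window.append(ts)
        while window and window[0] <= ts - self.seconds:
            window.popleft()              # forget matches older than S seconds
        if len(window) >= self.count:
            self.until[src] = ts + self.timeout
            return self.new_action
        return self.base_action


class ThresholdBoth:
    """Model of: threshold: type both, track by_src, count C, seconds S.

    Documented behaviour: alert once per S-second window, and only once the
    C-th match in that window is seen; further matches in the same window
    produce no alert. The keyword is documented as limiting alert frequency,
    not as a packet action of its own.
    """

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, matches_in_window, alerted]

    def alerts(self, ts, src):
        """Return True if this matching packet produces an alert."""
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def syn_flood_then_curl(pps=10_000, n=300, src="10.0.0.2", curl_at=5.0):
    """Constructed stream: n SYNs at pps packets/second (hping3 -i u100 is
    10,000 pps), then a single SYN at curl_at seconds (the curl)."""
    events = [(i / pps, src) for i in range(n)]
    events.append((curl_at, src))
    return events


def replay_rate_filter(events, count=50, seconds=1, timeout=1):
    """Per-packet action under the post's rate_filter, plus a tally."""
    rf = RateFilter(count, seconds, new_action="drop", timeout=timeout)
    actions = [rf.action(ts, src) for ts, src in events]
    tally = {"alert": actions.count("alert"), "drop": actions.count("drop")}
    return actions, tally


def replay_threshold_both(events, count=50, seconds=1):
    """Indices of the packets that would alert under threshold type both."""
    th = ThresholdBoth(count, seconds)
    return [i for i, (ts, src) in enumerate(events) if th.alerts(ts, src)]


if __name__ == "__main__":
    evs = syn_flood_then_curl()
    acts, tally = replay_rate_filter(evs)
    print("rate_filter:", tally, "curl SYN ->", acts[-1])
    print("threshold both: alerts on packets", replay_threshold_both(evs))
```

Under this model the rate_filter lets the first matches through with the rule's own action, drops everything from that source for the timeout, and lets the later curl SYN through again once the timeout has expired; the threshold keyword, by contrast, produces a single alert per window. Comparing the per-packet action with what tcpdump sees on pc1 is the check that separates "the packet was dropped" from "an alert was logged" when reading eve.json.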