Support #1034
Help needed with proper IP block rule syntax using Suricata (status: closed)
Description
Hi, I set up Suricata some time ago and I intend to use it to block inbound & outbound connections to malicious IPs. Suricata is properly set up and running and has been configured to run IP block rules, with some sample rules as follows:
drop ip [XXX.XXX.XXX.XXX] any -> $HOME_NET any (msg:"Bad IP Reputation"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_dst, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:24040000; rev:2307;)
Where XXX.XXX.XXX.XXX is the IP to be blocked.
The problem is that although Suricata was able to load the rule file, the rule is not working. I can still connect to the blocked IP. Please can someone help me review this rule syntax and tell me what might be wrong with it?
Thanks
Updated by Victor Julien about 11 years ago
- Target version deleted (1.4.3)
We use "Target version" only to track in which future version we will fix an issue.
Updated by Victor Julien about 11 years ago
- Tracker changed from Bug to Support
I think the rule should work, see Rule-Thresholding.
What does your IPS setup look like?
Updated by Lambert Osas about 11 years ago
Thanks for the quick reply. My Suricata is set up in INLINE/IPS mode using NFQ and has been configured to force all traffic through Suricata using:
iptables -A FORWARD -j NFQUEUE
Yes, it should work, but from my tests it is not working. Are there alternate IP block rules that I can try?
Updated by Anoop Saldanha about 11 years ago
Can you change the drop to alert and check if you see alerts in the fast.log?
Edit: A drop rule also logs to fast.log, I think. Either way, to be sure, can you set it to alert and check if you see the alerts in fast.log?
Updated by Victor Julien about 11 years ago
The first thing you should try is updating to 1.4.6. We fixed quite a few issues, one of them especially may be related (#864).
Updated by Lambert Osas about 11 years ago
OK. I will upgrade and test again and update you when I finish.
Thanks
Updated by Lambert Osas about 11 years ago
I just tried upgrading to version 1.4.6 but despite following the setup guide at: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation and having installed all dependencies, I'm getting this error when I try to install using: ./configure --enable-nfqueue
checking for libnetfilter_queue/libnetfilter_queue.h... no
configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...
Updated by Lambert Osas about 11 years ago
Hi again, just a quick question regarding the IP block rules. Does Suricata currently support this IP block rule syntax as found in: http://rules.emergingthreats.net/fwrules/emerging-IPF-RBN.rules
block in log quick from XXX.XXX.XXX.XXX to any
Updated by Lambert Osas about 11 years ago
Update: Issue has been resolved with the current version 1.4.3.
I made some modifications to the rules and now it works like CHARM :)
Updated by Lambert Osas about 11 years ago
drop ip [XXX.XXX.XXX.XXX,....] any <> any any (........)
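The difference between the original rule and the one that finally worked is the header, not the options: `[IP] any -> $HOME_NET any` only covers packets whose source is the bad IP, so an outbound connection from inside HOME_NET to that IP never matches, while `<>` covers both directions. The following is an added example, not code from this thread or from the Suricata project: a small Python evaluator for Suricata rule headers that checks a 5-tuple against each rule. The HOME_NET range (192.168.1.0/24) and the blocked address (203.0.113.10, a documentation range) are constructed stand-ins for the XXX.XXX.XXX.XXX placeholders; negation (`!`) and port ranges are not implemented.

```python
import ipaddress
import re

# Constructed variable table standing in for suricata.yaml's address-groups.
VARS = {"HOME_NET": ["192.168.1.0/24"]}

# Header grammar: action proto src sport (-> | <>) dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed rules: the reporter's original one-directional header and the
# bidirectional header from the final post, with 203.0.113.10 as the blocked IP.
ORIGINAL = ('drop ip [203.0.113.10] any -> $HOME_NET any '
            '(msg:"Bad IP Reputation"; classtype:misc-attack; sid:24040000; rev:2307;)')
FIXED = ('drop ip [203.0.113.10] any <> any any '
         '(msg:"Bad IP Reputation"; classtype:misc-attack; sid:24040001; rev:1;)')


def expand_addr(spec):
    """Resolve an address spec to a list of networks; None means 'any'."""
    spec = spec.strip()
    if spec == "any":
        return None
    if spec.startswith("[") and spec.endswith("]"):
        nets = []
        for part in spec[1:-1].split(","):
            if part.strip():
                sub = expand_addr(part)
                if sub is None:          # 'any' inside a list swallows the rest
                    return None
                nets.extend(sub)
        return nets
    if spec.startswith("$"):             # variable such as $HOME_NET
        return expand_addr("[" + ",".join(VARS[spec[1:]]) + "]")
    return [ipaddress.ip_network(spec, strict=False)]


def expand_port(spec):
    """Single port or 'any' (None)."""
    return None if spec == "any" else int(spec)


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule header: " + text)
    return {
        "action": m["action"], "proto": m["proto"],
        "src": expand_addr(m["src"]), "sport": expand_port(m["sport"]),
        "dir": m["dir"],
        "dst": expand_addr(m["dst"]), "dport": expand_port(m["dport"]),
        "sid": re.search(r"sid:\s*(\d+)", m["opts"]).group(1),
    }


def addr_matches(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def port_matches(p, port):
    return p is None or p == port


def one_way(rule, src, sport, dst, dport):
    return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))


def rule_matches(rule, src, sport, dst, dport, proto="tcp"):
    """True if the packet 5-tuple is covered by the rule header.

    Proto 'ip' covers every protocol; '<>' is tried in both directions.
    """
    if rule["proto"] not in ("ip", proto):
        return False
    if one_way(rule, src, sport, dst, dport):
        return True
    return rule["dir"] == "<>" and one_way(rule, dst, dport, src, sport)


if __name__ == "__main__":
    # Constructed flows: an outbound connection to the bad IP and an inbound one from it.
    flows = [("outbound", "192.168.1.5", 51000, "203.0.113.10", 443),
             ("inbound", "203.0.113.10", 40000, "192.168.1.5", 22)]
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        rule = parse_rule(text)
        for label, *tup in flows:
            print(f"{name:8s} sid {rule['sid']} {label:8s}: "
                  f"{'DROP' if rule_matches(rule, *tup) else 'pass'}")
```

Running it shows the original header letting the outbound flow pass while dropping the inbound one, and the `<>` header dropping both; that is the asymmetry the reporter hit when testing by connecting out to the blocked address.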