Support #1034

closed

Help needed with proper IP block rule syntax using Suricata

Added by Lambert Osas about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

Hi, I set up Suricata some time ago and I intend to use it to block inbound & outbound connections to malicious IPs. Suricata is properly set up and running and has been configured to run an IP block rule with some sample rules as follows:

drop ip [XXX.XXX.XXX.XXX] any -> $HOME_NET any (msg:"Bad IP Reputation"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_dst, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:24040000; rev:2307;)

Where XXX.XXX.XXX.XXX is the IP to be blocked.

The problem is that although Suricata was able to load the rule file, the rule is not working. I can still connect to the blocked IP. Can someone please help me review this rule syntax and tell me what might be wrong with it?

Thanks

Actions #1

Updated by Victor Julien about 11 years ago

  • Target version deleted (1.4.3)

We use "Target version" only to track in which future version we will fix an issue.

Actions #2

Updated by Victor Julien about 11 years ago

  • Tracker changed from Bug to Support

I think the rule should work, see Rule-Thresholding.

What does your IPS setup look like?

Actions #3

Updated by Lambert Osas about 11 years ago

Thanks for the quick reply. My Suricata is set up in INLINE/IPS mode using NFQ and has been configured to force all traffic through Suricata using:

iptables -A FORWARD -j NFQUEUE

Yes, it should work, but from my tests it is not working. Are there alternate IP block rules that I can try?

Actions #4

Updated by Anoop Saldanha about 11 years ago

Can you change the drop to alert and check if you see alerts in the fast.log?

Edit: A drop rule also logs to fast.log, I think. Either way, to be sure, can you set it to alert and check if you see the alerts in fast.log?

Actions #5

Updated by Victor Julien about 11 years ago

The first thing you should try is updating to 1.4.6. We fixed quite a few issues, one of them especially may be related (#864).

Actions #6

Updated by Lambert Osas about 11 years ago

OK. I will upgrade and test again and update you when I finish.

Thanks

Actions #7

Updated by Lambert Osas about 11 years ago

I just tried upgrading to version 1.4.6, but despite following the setup guide at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation and having installed all dependencies, I'm getting this error when I try to install using: ./configure --enable-nfqueue

checking for libnetfilter_queue/libnetfilter_queue.h... no
configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...

Actions #8

Updated by Lambert Osas about 11 years ago

Hi again, just a quick question regarding the IP block rules. Does Suricata currently support this IP block rule syntax as found in: http://rules.emergingthreats.net/fwrules/emerging-IPF-RBN.rules

block in log quick from XXX.XXX.XXX.XXX to any

Actions #9

Updated by Lambert Osas about 11 years ago

Update: Issue has been resolved with the current version 1.4.3.

I made some modifications to the rules and now it works like CHARM :)

Actions #10

Updated by Victor Julien about 11 years ago

How did you change the rule?

Actions #11

Updated by Lambert Osas about 11 years ago

drop ip [XXX.XXX.XXX.XXX,....] any <> any any (........)
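To make the difference between the two rule headers in this thread concrete, here is an added Python example (not from the ticket and not Suricata code) that parses a rule header and checks which packets it covers in each direction. The blocklist addresses, the $HOME_NET definition and the shortened option block are constructed stand-ins, since the ticket redacts the real ones; only header matching is modelled, not Suricata's flow, threshold or flowbits handling.

```python
import ipaddress
import re

# Constructed values: the ticket redacts the real address as XXX.XXX.XXX.XXX.
VARS = {"HOME_NET": ["192.168.1.0/24"]}  # assumed $HOME_NET definition
ORIGINAL = ('drop ip [203.0.113.10,198.51.100.0/24] any -> $HOME_NET any '
            '(msg:"Bad IP Reputation"; sid:24040000; rev:2307;)')
BIDIR = ('drop ip [203.0.113.10,198.51.100.0/24] any <> any any '
         '(msg:"Bad IP Reputation"; sid:24040000; rev:2307;)')

# action proto src sport dir dst dport (options); address lists must have no spaces.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(")

def parse_header(rule):
    """Split a rule into its seven header fields; the option block is ignored."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule header: %r" % rule)
    return m.groupdict()

def expand(spec, variables):
    """'any' -> None (wildcard); '$VAR' -> its networks; '[a,b/24]' -> networks."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        return [ipaddress.ip_network(v) for v in variables[spec[1:]]]
    return [ipaddress.ip_network(p) for p in spec.strip("[]").split(",")]

def addr_matches(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

def rule_matches(rule, src_ip, dst_ip, variables=VARS):
    """Does the header cover a packet from src_ip to dst_ip?

    '->' covers only that orientation; '<>' also covers the reverse one, so an
    outbound SYN to a listed address is outside ORIGINAL but inside BIDIR.
    """
    h = parse_header(rule)
    src, dst = expand(h["src"], variables), expand(h["dst"], variables)
    forward = addr_matches(src, src_ip) and addr_matches(dst, dst_ip)
    if h["dir"] == "->":
        return forward
    return forward or (addr_matches(src, dst_ip) and addr_matches(dst, src_ip))

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("bidirectional", BIDIR)):
        print(name, "covers outbound SYN:", rule_matches(rule, "192.168.1.5", "203.0.113.10"))
```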

Actions #12

Updated by Victor Julien about 11 years ago

  • Status changed from New to Closed