Suricata

Thanks for the quick reply. My suricata is setup as INLINE/IPS mode using NFQ and has been configured to force all traffic through the Suricata using:

iptables -A FORWARD -j NFQUEUE

Yes, it should work but from my tests, it is not working. Are there alternate IP block rule that I can try?

Can you change the drop to alert and check if you see alerts in the fast.log?

Edit: A drop rule also logs to fast.log, I think. Either ways to be sure, can you set it to alert and check if you see the alerts in fast.log?

The first thing you should try is updating to 1.4.6. We fixed quite a few issues, one of them especially may be related (#864).

OK. I will upgrade and test again and update you when I finish.

Thanks

I just tried upgrading to version 1.4.6 but despite following the setup guide at: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation and having installed all dependencies, I'm getting this error when I try to install using: ./configure --enable-nfqueue

checking for libnetfilter_queue/libnetfilter_queue.h... no
configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...

Hi, again, just a quick question regarding the IP block rules. Does Suricata currently support this IP block rule syntax as found in : http://rules.emergingthreats.net/fwrules/emerging-IPF-RBN.rules

block in log quick from XXX.XXX.XXX.XXX to any

Update: Issue has been resolved with the current version 1.4.3.

I made some modifications to the rules and now it works like CHARM :)

How did you change the rule?

drop ip [XXX.XXX.XXX.XXX,....] any <> any any (........)