Project

General

Profile

Actions
Copy link

Support #1986

closed

Suricata works not well that Port-monitor only in incoming traffic

Added by wo wo almost 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I have a test like this:
My env:

WebServer:192.168.1.2
    IDSServer:192.168.1.10
    suricata.yaml with default setting.

If WebServer Port-monitor to IDS with iptables:

iptables -A INPUT -i eth0 -p tcp -m tcp -j TEE --gateway 192.168.1.10
    iptables -A OUTPUT -o eth0 -p tcp -m tcp -j TEE --gateway 192.168.1.10

And I send the test request

http://192.168.1.2/t.php?id=1 union select id from admin

The suricata work well, The fast.log file loged the alert info;

But, I want only Port-monitor 'incoming traffic' to IDS, like:

iptables -A INPUT -i eth0 -p tcp -m tcp -j TEE --gateway 192.168.1.10

Because of I didn`t care the response of the webserver, And the response traffic will occupied a large of bandwidth,

And now I send the test request

http://192.168.1.2/t.php?id=1 union select id from admin

The fast.log file is empty.

It`s a Bug or not?

Thanks

Actions
Copy link

Also available in: Atom PDF