Support #2547
Status: closed
Blocking does not happen
Description
Please advise.
I have set up Suricata in IPS mode using AF_PACKET.
- suricata -V
This is Suricata version 3.2.1 RELEASE
Main sections of the configuration file /etc/suricata/suricata.yaml:
.....
vars:
  address-groups:
    HOME_NET: "[192.168.34.0/24]"
...
rule-files:
  - test.rules
...
outputs:
  ...
  - drop:
      enabled: yes
      filename: drop.log
      append: yes
...
af-packet:
  - interface: eth0
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes
.....
stream:
  memcap: 64mb
  checksum-validation: yes
  inline: yes
....
Rules file /etc/suricata/rules/test.rules:
# Drop any TCP packet whose payload contains the string "test".
# sid and rev are added here so the signature is uniquely identified and versioned; the values are placeholders.
drop tcp any any -> any any (msg:"test blocking tcp packets"; content:"test"; classtype:bad-unknown; sid:1000001; rev:1;)
- tail -f /var/log/suricata/drop.log
07/22/2018-23:30:51.387207: IN= OUT= SRC=192.168.34.199 DST=192.168.3.115 LEN=52 TOS=0x00 TTL=64 ID=30730 PROTO=TCP SPT=80 DPT=46262 SEQ=1823302659 ACK=847928038 WINDOW=227 ACK RES=0x00 URGP=0
- iptables -nvL shows that the counters in the FORWARD chain are being incremented.
Blocking does not happen, only logging in the logs drop.log and fast.log.
Everything works great in NFQUEUE + iptables.
Please help, I do not know what to do.
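A host-side diagnostic for this kind of setup, added here as an example and not part of the ticket or of Suricata. In AF_PACKET IPS mode Suricata "drops" a packet simply by not copying it to copy-iface, so if the kernel also routes between eth0 and eth1 on its own (net.ipv4.ip_forward=1, which is what packets passing through the FORWARD chain indicate) or the two interfaces are enslaved to a bridge, the original packet still reaches its destination and only Suricata's copy is withheld, while drop.log dutifully records a drop. The script checks that the copy-iface pairs in suricata.yaml are symmetric, that IPv4 forwarding is off, and that neither interface is a bridge port. File paths are parameters so the functions can be run against constructed files; the awk parsing assumes the flat af-packet layout shown in the ticket.

```shell
#!/bin/sh
# afpacket_ips_check.sh (hypothetical name): precondition checks for Suricata
# AF_PACKET IPS mode. Added example, not part of the ticket or of Suricata.
# Usage: sh afpacket_ips_check.sh [suricata.yaml] [ip_forward-file] [/sys/class/net]

# Print "interface copy-iface" pairs from the af-packet section of a Suricata
# YAML file. Assumes the flat key layout used in the ticket's configuration.
copy_pairs() {
    awk '
        /^[[:space:]]*af-packet:/ { in_af = 1; next }
        in_af && /^[A-Za-z]/ { in_af = 0 }        # next top-level key ends the section
        in_af && /^[[:space:]]*-[[:space:]]*interface:/ { iface = $NF }
        in_af && iface != "" && /copy-iface:/ { print iface, $NF }
    ' "$1"
}

# Return 0 when every interface's copy-iface points back at it
# (eth0 -> eth1 and eth1 -> eth0), 1 otherwise. An asymmetric pair means one
# direction of the flow is never copied and is silently lost.
copy_pairs_symmetric() {
    pairs=$(copy_pairs "$1")
    [ -n "$pairs" ] || return 1
    echo "$pairs" | while read -r a b; do
        echo "$pairs" | grep -q "^$b $a\$" || exit 1
    done
}

# Return 0 when the kernel is not forwarding IPv4, i.e. the sysctl file holds 0.
ip_forward_disabled() {
    [ "$(cat "$1")" = "0" ]
}

# Return 0 when the interface is not a Linux bridge port: a port has a
# brport directory under <sysfs-net>/<iface>/.
not_bridge_port() {
    [ ! -d "$2/$1/brport" ]
}

# Run all checks, print one line per check, return the number of failures.
ips_precheck() {
    cfg=${1:-/etc/suricata/suricata.yaml}
    fwd=${2:-/proc/sys/net/ipv4/ip_forward}
    sysnet=${3:-/sys/class/net}
    fails=0
    if copy_pairs_symmetric "$cfg"; then
        echo "ok   copy-iface pairs are symmetric"
    else
        echo "FAIL copy-iface pairs are missing or asymmetric"; fails=$((fails + 1))
    fi
    if ip_forward_disabled "$fwd"; then
        echo "ok   net.ipv4.ip_forward=0"
    else
        echo "FAIL net.ipv4.ip_forward=1: the kernel routes between the interfaces itself"
        fails=$((fails + 1))
    fi
    for iface in $(copy_pairs "$cfg" | cut -d' ' -f1); do
        if not_bridge_port "$iface" "$sysnet"; then
            echo "ok   $iface is not a bridge port"
        else
            echo "FAIL $iface is enslaved to a bridge"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# Run only when invoked with a config path, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    ips_precheck "$@"
fi
```

Run it as `sh afpacket_ips_check.sh /etc/suricata/suricata.yaml` on the IPS box; a non-zero exit status is the number of failed checks. If ip_forward is reported as enabled, `sysctl -w net.ipv4.ip_forward=0` (and removing any bridge containing the two interfaces) stops the kernel from delivering the packet behind Suricata's back; drops in AF_PACKET IPS mode only take effect when Suricata is the sole path between the two interfaces.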