Support #2636

I need help: IPS inline doesn't drop

Added by Max Kweeger over 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Affected Versions:
Label:

Description

Dears,
I want to protect against attack, I use suricata 4.0.4 RELEASE with IPS Inline

iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3970  499K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2485  216K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0

I listen to traffic with Wireshark on my server.
My problem: when I use Armitage to scan my server nothing is dropped.
You have the suricata.yaml file in the attachment.

Can you help me?

Best regards.
MaxKweeger


Files

suricata.yaml (66.4 KB) suricata.yaml Max Kweeger, 10/09/2018 07:53 AM
suricata.yaml (66.4 KB) suricata.yaml Max Kweeger, 10/09/2018 08:04 AM
Actions #1

Updated by Max Kweeger over 5 years ago

Actions #2

Updated by Andreas Herz over 5 years ago

Do you see alerts at least?
Did you change the action keyword from alert to drop?

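The check behind Andreas's question, as an added example that is not part of the issue or of Suricata itself: the first keyword of a rule is its action, and in inline (NFQUEUE) mode a rule whose action is `alert` only logs and the packet still gets an ACCEPT verdict; only `drop` (or `reject`) makes Suricata return a DROP verdict to netfilter. The POSIX shell below rewrites the action of active rules from `alert` to `drop`, leaves commented-out rules alone, and counts actions before and after. The rules file, its sids, ports and messages are constructed for the example and are not from the attached suricata.yaml.

```shell
#!/bin/sh
# Added example (not from the issue or from Suricata): make alert rules drop.
# The first keyword of a rule is its action. In inline/NFQUEUE mode an "alert"
# rule only logs and the packet still gets an ACCEPT verdict; only "drop"
# (or "reject") returns a DROP verdict to netfilter.

# alert_to_drop FILE: print FILE with the action of every active rule changed
# from "alert" to "drop". Commented-out rules ("# alert ...") and rules that
# already use another action are left as they are.
alert_to_drop() {
    sed -E 's/^[[:space:]]*alert[[:space:]]+/drop /' "$1"
}

# count_action FILE ACTION: number of active rules in FILE whose action is ACTION.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
count_action() {
    grep -Ec "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Demo on a constructed local.rules (sids, ports and messages are invented).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/local.rules" <<'EOF'
alert tcp any any -> $HOME_NET 22 (msg:"SSH connect attempt"; flags:S; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP probe"; sid:1000002; rev:1;)
drop tcp any any -> $HOME_NET 23 (msg:"telnet"; sid:1000003; rev:1;)
# alert udp any any -> $HOME_NET 161 (msg:"disabled rule"; sid:1000004; rev:1;)
EOF
    alert_to_drop "$tmp/local.rules" > "$tmp/local.drop.rules"
    printf 'before: alert=%s drop=%s\n' \
        "$(count_action "$tmp/local.rules" alert)" "$(count_action "$tmp/local.rules" drop)"
    printf 'after:  alert=%s drop=%s\n' \
        "$(count_action "$tmp/local.drop.rules" alert)" "$(count_action "$tmp/local.drop.rules" drop)"
    rm -rf "$tmp"
}
demo
```

After rewriting a rules file, `suricata -T -c /etc/suricata/suricata.yaml` (path assumed) confirms the rule set still loads before the inline process is restarted, and the process itself has to be started against the queue the iptables rules use, here `suricata -q 0` to match `NFQUEUE num 0`.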
Actions #3

Updated by Victor Julien over 5 years ago

  • Description updated (diff)
Actions #4

Updated by Victor Julien over 5 years ago

One possible issue is that Wireshark will sniff packets before they reach iptables and nfqueue. So they would still be dropped.

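A way to confirm the verdict that does not rely on the capture, as an added example rather than anything from the issue or from Suricata: on the protected host, libpcap/Wireshark taps inbound frames before the netfilter hooks where NFQUEUE hands the packet to Suricata, so a packet Suricata drops is still visible in the capture. Suricata's own EVE log records what it actually did: each alert carries `alert.action` of `allowed` or `blocked`, and, when the `drop` output type is enabled in `eve-log`, a separate `drop` event per dropped packet. The shell functions below count those over an eve.json; the sample lines, addresses, sids and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue or from Suricata): read verdicts from
# Suricata's EVE log instead of from a packet capture. A capture on the
# protected host sees inbound frames before netfilter, so a packet that
# NFQUEUE later hands to Suricata and that Suricata drops still appears in
# it. The EVE log records the verdict Suricata actually returned.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".

# Alerts whose verdict was "blocked" (rule action drop or reject).
blocked_alerts() { grep -c '"event_type":"alert".*"action":"blocked"' "$1" || true; }

# Alerts that were only logged (rule action alert): the packet was accepted.
allowed_alerts() { grep -c '"event_type":"alert".*"action":"allowed"' "$1" || true; }

# "drop" events, written when the eve-log "drop" output type is enabled.
drop_events() { grep -c '"event_type":"drop"' "$1" || true; }

# verdict_summary FILE: print "blocked=N allowed=N drops=N" for an eve.json.
verdict_summary() {
    printf 'blocked=%s allowed=%s drops=%s\n' \
        "$(blocked_alerts "$1")" "$(allowed_alerts "$1")" "$(drop_events "$1")"
}

# Demo on constructed eve.json lines (timestamps, IPs and sids are invented).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/eve.json" <<'EOF'
{"timestamp":"2018-10-09T07:50:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"SSH connect attempt"}}
{"timestamp":"2018-10-09T07:50:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000003,"rev":1,"signature":"telnet"}}
{"timestamp":"2018-10-09T07:50:02.000000+0000","event_type":"drop","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","drop":{"len":60,"tos":0,"ttl":64,"ipid":1,"tcpseq":1,"tcpack":0,"tcpwin":0,"syn":true}}
EOF
    verdict_summary "$tmp/eve.json"
    rm -rf "$tmp"
}
demo
```

An `allowed` alert for a signature that should block means the rule still has the `alert` action; a scan that produces no alerts at all points at the rule set or the HOME_NET setting rather than at the drop path. The `pkts` counters on the NFQUEUE rules in `iptables -vnL` only show how many packets were queued, not the verdict, so they do not answer the question on their own; current Suricata releases also expose `ips.accepted` and `ips.blocked` counters in stats.log, and the most direct check is from the scanning side, where a dropped SYN shows as a timeout instead of a reply.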
Actions #5

Updated by Victor Julien over 5 years ago

  • Tracker changed from Bug to Support
Actions #6

Updated by Andreas Herz about 5 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
