Support #2636 (Closed)
I need help: IPS inline doesn't drop
Description
Dears,
I want to protect against attack, I use suricata 4.0.4 RELEASE with IPS Inline.
iptables -vnL:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3970  499K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2485  216K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
I listen to traffic with Wireshark on my server.
My problem: when I use Armitage to scan my server nothing is DROP.
You have a suricata.yaml file in attachment.
Can you help me?
Best regards.
MaxKweeger
Files
Updated by Max Kweeger over 5 years ago
- File suricata.yaml added
Updated by Andreas Herz over 5 years ago
Do you see alerts at least?
Did you change the action keyword from alert to drop?
Updated by Victor Julien over 5 years ago
One possible issue is that Wireshark will sniff packets before they reach iptables and nfqueue, so they would still be dropped.
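As an added example that is not from this thread or from the Suricata project, the following Python covers the two points raised in the replies: Andreas's question about whether the rules still use the `alert` action (only `drop` or `reject` rules block traffic in inline NFQUEUE mode), and Victor's observation that a Wireshark capture cannot show a drop because it sees the packet before netfilter hands it to NFQUEUE, so Suricata's own eve.json is the place to look. The rule lines and eve.json records below are constructed, and the helper names (`convert_alert_to_drop`, `summarize_eve`, `blocking_observed`) are assumptions of this example.

```python
import json
import re

# Hypothetical helper written for this thread; not Suricata code. It assumes the
# standard Suricata rule syntax and the EVE JSON alert/drop record layout.

# Only 'drop' (or 'reject') actually blocks in inline mode. An 'alert' rule logs
# the packet and lets it through, which looks like "nothing is DROP" on the wire.
_ALERT_ACTION = re.compile(r"^(\s*)alert(?=\s)", re.IGNORECASE)


def convert_alert_to_drop(rules_text: str) -> str:
    """Return a copy of a rules file with every active 'alert' rule changed to
    'drop'. Commented-out rules, blank lines and other actions stay untouched."""
    out = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
        else:
            out.append(_ALERT_ACTION.sub(lambda m: m.group(1) + "drop", line))
    return "\n".join(out) + ("\n" if out else "")


def summarize_eve(eve_lines):
    """Count what Suricata itself reports, from eve.json lines. In inline mode an
    alert record carries alert.action == 'blocked' when the packet was dropped
    and 'allowed' when the matching rule was alert-only; separate 'drop' records
    appear when drop logging is enabled in suricata.yaml."""
    counts = {"alert/allowed": 0, "alert/blocked": 0, "drop": 0, "other": 0}
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        event_type = ev.get("event_type")
        if event_type == "alert":
            action = ev.get("alert", {}).get("action", "allowed")
            counts["alert/blocked" if action == "blocked" else "alert/allowed"] += 1
        elif event_type == "drop":
            counts["drop"] += 1
        else:
            counts["other"] += 1
    return counts


def blocking_observed(counts) -> bool:
    """True when Suricata recorded at least one blocked packet. This is the check
    to trust rather than a Wireshark capture, which sees the packet before
    netfilter queues it to Suricata."""
    return counts["alert/blocked"] > 0 or counts["drop"] > 0


# Constructed eve.json lines (not real captures) covering the relevant cases.
SAMPLE_EVE = """
{"timestamp":"2018-10-01T10:00:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"CONSTRUCTED alert-only rule"}}
{"timestamp":"2018-10-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"CONSTRUCTED drop rule"}}
{"timestamp":"2018-10-01T10:00:01.000100+0000","event_type":"drop","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP","drop":{"len":60,"ttl":64}}
{"timestamp":"2018-10-01T10:00:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","proto":"TCP"}
"""

# Constructed rules (not from any ruleset): one active alert, one commented out, one pass.
SAMPLE_RULES = """# constructed rules for the example
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh probe"; sid:9000001; rev:1;)
#alert tcp any any -> $HOME_NET 23 (msg:"CONSTRUCTED telnet, disabled"; sid:9000003; rev:1;)
pass tcp $HOME_NET any -> any 53 (msg:"CONSTRUCTED dns ok"; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    print(convert_alert_to_drop(SAMPLE_RULES))
    counts = summarize_eve(SAMPLE_EVE.splitlines())
    print(counts, "blocking observed:", blocking_observed(counts))
```

Run `summarize_eve` over the real eve.json after a test scan: if every alert shows `"action": "allowed"` and no `drop` records appear, the rules are alert-only and the NFQUEUE setup is working as intended, just not told to drop anything.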
Updated by Andreas Herz about 5 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs