Support #2636
closed
I need help for IPS inline doesn't drop
Added by Max Kweeger over 5 years ago.
Updated about 5 years ago.
Description
Dears,
I want to protect against attacks, I use Suricata 4.0.4 RELEASE with IPS inline.
iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3970 499K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2485 216K NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
I listen to traffic with Wireshark on my server.
My problem: when I use Armitage to scan my server, nothing is dropped.
You have a suricata.yaml file in attachment.
Can you help me?
Best regards.
MaxKweeger
Do you see alerts at least?
Did you change the action keyword from alert to drop?
- Description updated (diff)
One possible issue is that Wireshark will sniff packets before they reach iptables and NFQUEUE. So they would still be dropped.
- Tracker changed from Bug to Support
- Status changed from New to Closed
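As an added example (not code from the ticket, its attachment, or the Suricata project), here is a small Python script that checks the two things the replies above ask about: whether the loaded rules actually use the drop action rather than alert, and whether Suricata itself reports the packets as blocked. The verdict is read from Suricata's EVE JSON alert records, whose `alert.action` field is set to `allowed` or `blocked`; that is the place to look, because a libpcap sniffer such as Wireshark sees packets before netfilter hands them to the NFQUEUE target, so a dropped packet still shows up in the capture. The rule lines and the eve.json records below are constructed samples, and the file paths are assumptions.

```python
import json
from collections import Counter

# Constructed sample rules (not the ticket's ruleset). With IPS inline, an
# "alert" rule only logs; only "drop" (or "reject") rules produce a verdict.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh probe"; sid:9000001; rev:1;)
drop tcp any any -> $HOME_NET 23 (msg:"CONSTRUCTED telnet probe"; sid:9000002; rev:1;)
# a comment line, skipped
alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED icmp echo"; sid:9000003; rev:1;)
"""

# Constructed sample eve.json lines: two alert records and one flow record.
# The last line is deliberately truncated to show that bad lines are skipped.
SAMPLE_EVE = """\
{"timestamp":"2018-01-10T12:00:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"CONSTRUCTED ssh probe"}}
{"timestamp":"2018-01-10T12:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"CONSTRUCTED telnet probe"}}
{"timestamp":"2018-01-10T12:00:02.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP"}
{"timestamp":"2018-01-10T12:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7",
"""


def rule_action_counts(rules_text):
    """Count the action keyword (first token) of every active rule line."""
    counts = Counter()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        counts[action] += 1
    return dict(counts)


def eve_verdicts(eve_text):
    """Summarise Suricata's own verdicts from EVE alert records.

    Returns the number of blocked and allowed alerts plus the sorted list of
    signature ids that fired without blocking (the rules still set to alert).
    """
    blocked = 0
    allowed = 0
    allowed_sids = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupted line, ignore
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        if alert.get("action") == "blocked":
            blocked += 1
        else:
            allowed += 1
            if "signature_id" in alert:
                allowed_sids.add(alert["signature_id"])
    return {"blocked": blocked, "allowed": allowed,
            "allowed_sids": sorted(allowed_sids)}


if __name__ == "__main__":
    # Hypothetical paths; replace with the rules file and eve.json on the sensor.
    # rules_text = open("/etc/suricata/rules/local.rules").read()
    # eve_text = open("/var/log/suricata/eve.json").read()
    print("rule actions:", rule_action_counts(SAMPLE_RULES))
    print("eve verdicts:", eve_verdicts(SAMPLE_EVE))
```

If the first summary shows only `alert` rules, nothing will be dropped no matter how the NFQUEUE chains are set up; if the second shows alerts with action `allowed` for the signatures that should block, the rule action is the problem rather than the capture method.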