I tried to follow the same pattern found in /etc/suricata/rules/scirius-iprep.list. This is the same file referenced in /etc/suricata/selks6-addin.yaml.

Then I tried to add a rule to use the rule directive iprep:

alert ip any any -> any any (msg:"TEST IP Bad Reputation Blacklist"; iprep:any,10,=,100; sid:2600000; rev:1;)

I got errors when trying to add the new rule via the Scirius GUI.

I was wondering if I can count on you so I can keep moving forward on my Suricata custom config as IPS. My Suricata will be in gateway mode, protecting the computers behind Suricata. There are some concepts and configurations that are not entirely clear to me, or I do not feel confident after having reviewed a bit of documentation here and there:

- Can IPS mode be enabled with only one network port, or do I always need at least 2 network cards?
- On a computer with enough network ports, should I have 2 instances of Suricata running, one as IDS and the other as IPS, or can I have the same instance running both modes? Let's say eth0 and eth1 for IPS and eth2 for IDS. "Please note that is possible to have normal IDS interface running simultaneously. For example, eth3 could be added to the af-packet configuration and used a regular interface." Does this refer to inline with IDS mode, just sniffing traffic and alerting, but not dropping packets?
- To run Suricata in IPS mode and actively block some packets, do I need to involve / configure the firewall (iptables), or is this optional?

16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/scirius-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/test-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/apache-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/bots-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/cibadguys-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/ftp-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/imap-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/mail-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/sip-iprep.list
16:04:23 - (reputation.c:635) (SRepInit) - Loading reputation file: /etc/suricata/rules/iprep/ssh-iprep.list
16:04:23 - (detect-engine-loader.c:355) (SigLoadSignatures) - 1 rule files processed. 9 rules successfully loaded, 0 rules failed
16:04:23 - (util-threshold-config.c:1091) (SCThresholdConfParseFile) - Threshold config parsed: 0 rule(s) found
16:04:23 - (detect-engine-build.c:1420) (SigAddressPrepareStage1) - 9 signatures processed. 9 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only

None of these IPs are being blocked by Suricata. Same result if I leave all blacklists separated in individual iprep lists. However, if I move these IPs next to the top in the same list, then restart Suricata, the same IPs are being blocked as expected. Again, I am not an expert, but it looks to me that Suricata is not reading/loading/processing the entire list.

After a few tests I have narrowed the working range up to 1170 lines of IPs within the list. If an IP falls beyond that point, it won't be blocked. That's not a large number of IPs to check.

Unfortunately the solution suggested by Victor Julien did not work.
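An offline check of the iprep inputs discussed above, as an added example (not code from the original posts, from Suricata or from SELKS). It validates every line of a reputation list against the format the Suricata iprep documentation describes (<ip or net>,<category id>,<score 0-127>), reports the line number and reason for each line that does not fit (the first thing to look at when blocking stops working past a certain line of a list), and checks that a rule's iprep keyword names the category by the short name declared in the categories file rather than by its numeric id, which is how the documented rule syntax works. The categories file, the reputation list, the TestList category and the two rule variants are constructed for the example; the netblock support and the exact whitespace handling are assumptions of this checker, not observed Suricata behaviour.

```python
"""Offline checker for Suricata IP reputation inputs.

Added example; not code from the original posts, Suricata or SELKS.
Format assumed (per the Suricata iprep docs):
  categories file: <id>,<short name>,<description>
  reputation list: <ip>[/<cidr>],<category id>,<score 0-127>
  rule keyword:    iprep:<side>,<category short name>,<op>,<score>
All sample contents below are constructed for the example.
"""
import ipaddress
import re

# Constructed categories file; the TestList category is an assumption.
CATEGORIES_TXT = """\
# id,short name,description
1,BadHosts,Known bad hosts
2,Spam,Sources of spam
10,TestList,Constructed test category
"""

# Constructed reputation list: lines 2-5 are valid, lines 6-10 each break
# one part of the format so the checker reports exactly where parsing fails.
IPREP_LIST = """\
# ip,category,reputation
192.0.2.10,10,100
192.0.2.11,10,100
198.51.100.0/24,1,90
2001:db8::1,2,50
192.0.2.12,10,100,extra
192.0.2.13,99,100
192.0.2.14,10,200
not-an-ip,10,100
192.0.2.15 ,10,100
"""

RULE_IPREP_RE = re.compile(
    r"iprep:\s*(any|src|dst|both)\s*,\s*([^,;]+?)\s*,\s*([<>=])\s*,\s*(\d+)")


def parse_categories(text):
    """Return {short_name: id} for each non-comment line of a categories file."""
    cats = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError(f"categories line {lineno}: malformed: {raw!r}")
        cats[parts[1].strip()] = int(parts[0])
    return cats


def check_iprep_list(text, category_ids):
    """Validate a reputation list line by line.

    Returns (good, problems): good is a list of (lineno, network, cat_id, score);
    problems is a list of (lineno, reason) for lines that do not fit the format.
    Fields are deliberately not stripped, so a stray space around an address is
    reported instead of silently accepted.
    """
    good, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            problems.append((lineno, f"expected 3 fields, got {len(parts)}"))
            continue
        ip_s, cat_s, score_s = parts
        try:
            net = ipaddress.ip_network(ip_s, strict=False)  # netblocks assumed OK
        except ValueError:
            problems.append((lineno, f"not an IP or network: {ip_s!r}"))
            continue
        if not cat_s.isdigit() or int(cat_s) not in category_ids:
            problems.append((lineno, f"category {cat_s!r} not declared"))
            continue
        if not score_s.isdigit() or not 0 <= int(score_s) <= 127:
            problems.append((lineno, f"score {score_s!r} outside 0..127"))
            continue
        good.append((lineno, net, int(cat_s), int(score_s)))
    return good, problems


def check_rule_iprep(rule, categories):
    """Check a rule's iprep keyword against the declared category short names.

    Returns a list of problems; an empty list means the keyword is consistent.
    """
    m = RULE_IPREP_RE.search(rule)
    if not m:
        return ["no parseable iprep keyword found"]
    _side, cat, _op, val = m.groups()
    problems = []
    if cat not in categories:
        hint = ""
        if cat.isdigit() and int(cat) in categories.values():
            name = next(n for n, i in categories.items() if i == int(cat))
            hint = f" (id {cat} is declared as {name!r}; rules use the name)"
        problems.append(f"category {cat!r} is not a declared short name{hint}")
    if not 0 <= int(val) <= 127:
        problems.append(f"reputation value {val} outside 0..127")
    return problems


# Constructed rule variants: the first mirrors the numeric-category attempt
# in the post above, the second names the category instead.
RULE_NUMERIC = ('alert ip any any -> any any (msg:"TEST IP Bad Reputation Blacklist"; '
                'iprep:any,10,=,100; sid:2600000; rev:1;)')
RULE_NAMED = RULE_NUMERIC.replace("iprep:any,10,", "iprep:any,TestList,")

if __name__ == "__main__":
    cats = parse_categories(CATEGORIES_TXT)
    good, bad = check_iprep_list(IPREP_LIST, set(cats.values()))
    print(f"{len(good)} usable entries, {len(bad)} rejected")
    for lineno, why in bad:
        print(f"  line {lineno}: {why}")
    for rule in (RULE_NUMERIC, RULE_NAMED):
        print(check_rule_iprep(rule, cats) or "iprep keyword ok")
```

Point check_iprep_list at a real list (read the file, pass the ids from the real categories file) and the first entry in `problems` is the line to inspect when entries past a given position are never matched; if the list parses cleanly end to end, the problem is not the file format and the question belongs on the Suricata side.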