Suricata does not block traffic
Hello!
I have pfSense 2.3.2-RELEASE-p1 and Suricata 3.1.2_2 in Legacy mode, because Inline mode does not start.
With Suricata I tried to block a UDP flood like this:
19:07:19.687871 80:71:1f:c6:YY:YY > a0:36:9f:08:YY:YY, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 154, id 7065, offset 0, flags [none], proto UDP (17), length 46)
    216.228.68.50.46742 > 85.143.XXX.XXX.2645: [bad udp cksum 0x9bae -> 0x0be7!] UDP, length 18
        0x0000:  4500 002e 1b99 0000 9a11 c7fe d8e4 4432  E.............D2
        0x0010:  558f ca81 b696 0902 001a 9bae 6970 343a  U...........ip4:
        0x0020:  XXXX XXXX XXXX XXXX XXXX XXXX XXXX       85.143.XXX.XXX
I created a custom rule:
drop udp any any -> 85.143.XXX.XXX/32 2645 (msg:"XXX.XXX ip4"; content:"ip4"; sid:9999008; rev:1;)
I get a lot of messages in block.log, but the traffic still passes through pfSense and reaches the "protected" IP.
What did I do wrong?
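The rule and the packet from the post, replayed offline as an added example that is not part of the original post and is not code from pfSense or Suricata: a small Python script that decodes a raw IPv4/UDP packet, verifies its UDP checksum, and evaluates a reduced subset of the Suricata rule grammar against it. The addresses, ports and payload are constructed (TEST-NET addresses stand in for the masked 85.143.XXX.XXX; the payload only reproduces the "ip4:" prefix visible in the hex dump), and the rule parser is a toy that handles only what this rule uses.

```python
"""Offline check of a Suricata-style rule against a raw IPv4/UDP packet.
Added example, not code from the original post, pfSense or Suricata. Rule
grammar covered: 'any' or one address/CIDR per side, 'any' or one port per
side, '->', plain-text content:, msg: and sid:; no $VARS, negation, port
lists or |hex| escapes."""
import ipaddress
import re
import struct

UDP_PROTO = 17

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp_segment: bytes) -> int:
    """RFC 768 checksum over pseudo-header + segment with its checksum field zeroed."""
    pseudo = src + dst + bytes([0, UDP_PROTO]) + struct.pack("!H", len(udp_segment))
    seg = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    return (0xFFFF - ones_complement_sum(pseudo + seg)) or 0xFFFF  # zero is sent as all ones

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, ttl: int = 64) -> bytes:
    """Construct an IPv4/UDP packet (no Ethernet header) with valid checksums."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(s, d, udp)) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0x1B99, 0, ttl, UDP_PROTO, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", 0xFFFF - ones_complement_sum(hdr)) + hdr[12:]
    return hdr + udp

def parse_ipv4_udp(packet: bytes) -> dict:
    """Decode the IPv4 and UDP headers and verify the UDP checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != UDP_PROTO:
        raise ValueError("not an IPv4/UDP packet")
    udp = packet[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "sport": sport, "dport": dport, "ttl": ttl, "payload": udp[8:ulen],
            # an all-zero checksum field means "no checksum" on IPv4 and is accepted
            "udp_checksum_ok": ucsum == 0 or udp_checksum(src, dst, udp[:ulen]) == ucsum}

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text: str) -> dict:
    """Split a rule into its header fields and the option values used here."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, saddr, sport, daddr, dport, opts = m.groups()
    sid = re.search(r"sid:\s*(\d+)", opts)
    msg = re.search(r'msg:\s*"([^"]*)"', opts)
    return {"action": action, "proto": proto.lower(), "saddr": saddr, "sport": sport,
            "daddr": daddr, "dport": dport, "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "contents": [c.encode("latin-1") for c in re.findall(r'content:\s*"([^"]*)"', opts)]}

def rule_matches(rule: dict, pkt: dict) -> bool:
    """True when the header fields and every content: pattern match the packet."""
    def addr_ok(spec, a):
        return spec == "any" or a in ipaddress.ip_network(spec, strict=False)
    def port_ok(spec, p):
        return spec == "any" or int(spec) == p
    return (rule["proto"] in ("udp", "ip")
            and addr_ok(rule["saddr"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and addr_ok(rule["daddr"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"])
            and all(c in pkt["payload"] for c in rule["contents"]))

# Constructed stand-ins: TEST-NET addresses replace the masked 85.143.XXX.XXX and
# the payload only needs to begin with "ip4:", as the hex dump in the post does.
RULE = 'drop udp any any -> 192.0.2.10/32 2645 (msg:"ip4 flood"; content:"ip4"; sid:9999008; rev:1;)'
SAMPLE = build_ipv4_udp("203.0.113.5", "192.0.2.10", 46742, 2645, b"ip4:flood-payload", ttl=154)

def check(rule_text: str = RULE, packet: bytes = SAMPLE) -> dict:
    """Report whether the rule would alert on the packet, plus the checksum state."""
    pkt, rule = parse_ipv4_udp(packet), parse_rule(rule_text)
    return {"sid": rule["sid"], "msg": rule["msg"], "action": rule["action"],
            "matches": rule_matches(rule, pkt), "udp_checksum_ok": pkt["udp_checksum_ok"]}

if __name__ == "__main__":
    print(check()["matches"])  # True
```

A match here is what produces the alert line in block.log; it says nothing about whether the packet was discarded. In Legacy mode Suricata reads a copy of each packet from the interface and cannot discard the original, so `drop` behaves like `alert`, and the pfSense package can only react after the fact by adding the offending source address to a pf block table; the packets that triggered the alert have already been forwarded. Only Inline (IPS) mode puts Suricata in the forwarding path where a `drop` rule actually stops the packet.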