4. Suricata does not block traffic

Suricata does not block traffic

  • P

    Hello!

    I have PFsense 2.3.2-RELEASE-p1 and suricata 3.1.2_2 in Legacy mode, because inline does not start.

    With suricata I tryed to block udp flood like this

    19:07:19.687871 80:71:1f:c6:YY:YY > a0:36:9f:08:YY:YY, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 154, id 7065, offset 0, flags [none], proto UDP (17), length 46)
    216.228.68.50.46742 > 85.143.XXX.XXX.2645: [bad udp cksum 0x9bae -> 0x0be7!] UDP, length 18
	0x0000:  4500 002e 1b99 0000 9a11 c7fe d8e4 4432  E.............D2
	0x0010:  558f ca81 b696 0902 001a 9bae 6970 343a  U...........ip4:
	0x0020:  XXXX XXXX XXXX XXXX XXXX XXXX XXXX        85.143.XXX.XXX

    I created custom rule:

    drop udp any any -> 85.143.XXX.XXX/32 2645 (msg:"XXX.XXX ip4"; content:"ip4"; sid:9999008; rev:1;)

    I've got a lot of message in block.log, but traffic steal pass through PFsense and reached "protected" IP.

    What I did wrong?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy