Netgate Discussion Forum
Suricata does not block traffic

padpn

Hello!

I have pfSense 2.3.2-RELEASE-p1 and Suricata 3.1.2_2 in Legacy mode, because inline does not start.

With Suricata I tried to block a UDP flood like this:

    19:07:19.687871 80:71:1f:c6:YY:YY > a0:36:9f:08:YY:YY, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 154, id 7065, offset 0, flags [none], proto UDP (17), length 46)
        216.228.68.50.46742 > 85.143.XXX.XXX.2645: [bad udp cksum 0x9bae -> 0x0be7!] UDP, length 18
        0x0000:  4500 002e 1b99 0000 9a11 c7fe d8e4 4432  E.............D2
        0x0010:  558f ca81 b696 0902 001a 9bae 6970 343a  U...........ip4:
        0x0020:  XXXX XXXX XXXX XXXX XXXX XXXX XXXX        85.143.XXX.XXX

I created a custom rule:

    drop udp any any -> 85.143.XXX.XXX/32 2645 (msg:"XXX.XXX ip4"; content:"ip4"; sid:9999008; rev:1;)

I've got a lot of messages in block.log, but traffic still passes through pfSense and reaches the "protected" IP.

What did I do wrong?
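Added example, not code from the post or from Netgate/pfSense: a small Python checker that rebuilds the packet from a tcpdump hex dump like the one quoted above and evaluates each condition of the custom rule (protocol, destination network, destination port, payload content) against it, so a rule that silently fails to match can be told apart from one that does match. The sample dump and the 85.143.0.1 target are constructed placeholders, not the poster's real address.

```python
import ipaddress
import re
import struct
# Constructed sample: the post's dump re-typed to agree with its own summary line
# (UDP 46742 -> 2645, 18 payload bytes); the destination host octets (85.143.0.1)
# and the masked 0x0020 line (ASCII "85.143.XXX.XXX") are placeholders.
SAMPLE_DUMP = """
0x0000:  4500 002e 1b99 0000 9a11 c7fe d8e4 4432  E.............D2
0x0010:  558f 0001 b696 0a55 001a 9bae 6970 343a  U...........ip4:
0x0020:  3835 2e31 3433 2e58 5858 2e58 5858       85.143.XXX.XXX
"""
# The post's rule header and content option, with the same placeholder target.
RULE = {"proto": 17, "dst_net": ipaddress.ip_network("85.143.0.1/32"),
        "dst_port": 2645, "content": b"ip4"}
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the packet from 'tcpdump -x' lines, skipping the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:9]:            # after the offset, max 8 groups
            if not HEX_GROUP.fullmatch(tok):     # first non-hex token = ASCII
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for UDP, the ports and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = pkt[:total_len]                        # drop any frame padding
    fields = {"proto": proto, "src": ipaddress.ip_address(src),
              "dst": ipaddress.ip_address(dst), "dport": None, "payload": b""}
    if proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        fields.update(sport=sport, dport=dport, payload=pkt[ihl + 8:ihl + ulen])
    return fields

def evaluate_rule(fields: dict, rule: dict) -> dict:
    """Report each rule condition separately so a failing one is visible."""
    return {"proto": fields["proto"] == rule["proto"],
            "dst_net": fields["dst"] in rule["dst_net"],
            "dst_port": fields["dport"] == rule["dst_port"],
            "content": rule["content"] in fields["payload"]}

def rule_matches(dump: str, rule: dict = RULE) -> bool:
    return all(evaluate_rule(parse_ipv4_udp(hexdump_to_bytes(dump)), rule).values())
```

All four conditions being true confirms the rule fires on this packet; in pfSense's Legacy mode, Suricata inspects a copy of the traffic and blocks by adding the offending address to a pf table, so the packet that raised the alert has already been forwarded by the time the block is installed.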

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.