Drop Packets instead of block src/dst?
-
Hello everyone,
I run Suricata in my LAN, and there are some alerts which I cannot classify. So the easiest way would be to let Suricata block this traffic. But Suricata isn't blocking the traffic; it blocks the host completely. Is it possible to set up Suricata so that it only drops the traffic and doesn't block the host completely? Every tutorial I read/watch activates blocking mode, and blocking mode = block source/destination or both.
Greetings!
-
So, I mean, the info that comes up when I activate Inline Mode says I have to change every rule from Alert to Drop. I think this is maybe what I want, but anyway I activated the "blocking mode". So if Suricata detects a bad thing, does it block the host and generate an alert? What happens if I rewrite the rule from alert to drop? Does it just drop the packet, or does it also block the host?
-
Inline IPS Mode (when supported by your NIC hardware) offers the ability to drop individual packet flows without completely blocking a host by its IP address. This mode uses the FreeBSD netmap kernel device, so if your NIC hardware does not properly support netmap, this mode is not available to you. But most hardware does support it these days.
Rules can have four basic ACTION verbs defined: (1) ALERT, which is the default; (2) DROP, which means drop the offending packet(s); (3) REJECT, which means drop the offending traffic but send the source IP a reply telling it the traffic was specifically rejected; and (4) PASS, which means let the packet flow and bypass all of the remaining rules. Normally the precedence of these actions in the Suricata engine is PASS, DROP, REJECT, and then ALERT. That means PASS rules are evaluated first and any matching traffic is unconditionally passed and skips further inspection. Then DROP and REJECT rules are processed. Finally, the ALERT rules are evaluated.
When using Inline IPS Mode, rules with the ALERT action result in only alerts but no blocking of traffic. However, when Legacy Blocking Mode is activated, any ALERT rule will also generate a block of the SRC/DST IP address so long as the IP is not on the active Pass List assigned to the interface.
You can alter the action verb associated with a rule SID using any of these methods.
-
By finding the desired rule on the RULES tab and clicking the Action icon to specify a new rule action. You first select the category containing the rule SID and then look for the rule in the list.
-
On the ALERTS tab, click the Action column icon on an alert entry caused by the rule to bring up a modal dialog where you can alter the rule's action.
-
Use the features available on the SID MGMT tab. This is the preferred method. There is a Sticky Post (actually a couple) at the top of this forum describing how this works. The post may say Snort, but the GUI works exactly the same way in both Suricata and Snort, so any instructions you find for SID MGMT in Snort will work in Suricata as well.
Here is a link to one of those Sticky Posts: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
And here is another describing in detail how Inline IPS Mode works and how it differs from Legacy Blocking Mode. This thread is specifically referring to Snort, but Suricata's GUI code works exactly the same: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions.
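To make concrete what "changing a rule's action for a SID" means at the rule-text level, here is an added example that is not from this thread and not the pfSense SID MGMT code itself. It takes a dropsid-style list (assumed format: `GID:SID` entries, `GID:LO-HI` ranges, comma or newline separated, `#` comments) and rewrites the action verb of the matching rules from `alert` to `drop`, leaving disabled (`#`-prefixed) rules and rules not on the list untouched. The rules and SIDs are constructed for the example (local 1000000+ range), not taken from any real ruleset, and the script assumes one rule per line. Remember that a `drop` action only actually blocks packets when Suricata runs in Inline IPS Mode; in Legacy Blocking Mode the block is still done by IP address.

```python
import re

# Assumed: one rule per line (backslash line continuations are not handled).
RULE_RE = re.compile(r'^(?P<action>alert|drop|reject|pass)(?P<rest>\s.*)$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_sid_list(text):
    """Parse a dropsid-style list into (set of (gid, sid), list of (gid, lo, hi))."""
    singles, ranges = set(), []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # strip comments
        if not line:
            continue
        for tok in line.split(','):
            tok = tok.strip()
            if not tok:
                continue
            gid, sep, sid = tok.partition(':')
            if not sep:                           # bare SID: assume GID 1
                gid, sid = '1', gid
            if '-' in sid:
                lo, hi = sid.split('-', 1)
                ranges.append((int(gid), int(lo), int(hi)))
            else:
                singles.add((int(gid), int(sid)))
    return singles, ranges


def rule_ids(rule):
    """Return (gid, sid) of a rule line, defaulting gid to 1; None if no sid."""
    s = SID_RE.search(rule)
    if not s:
        return None
    g = GID_RE.search(rule)
    return (int(g.group(1)) if g else 1, int(s.group(1)))


def selected(ids, singles, ranges):
    if ids in singles:
        return True
    gid, sid = ids
    return any(gid == g and lo <= sid <= hi for g, lo, hi in ranges)


def rewrite_actions(rules_text, sid_list_text, new_action='drop'):
    """Rewrite the action verb of every listed, enabled rule; return (text, changed ids)."""
    singles, ranges = parse_sid_list(sid_list_text)
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)               # commented-out rules never match
        ids = rule_ids(line) if m else None
        if m and ids and selected(ids, singles, ranges) and m.group('action') != new_action:
            line = new_action + m.group('rest')
            changed.append(ids)
        out.append(line)
    return '\n'.join(out) + '\n', changed


# Constructed sample rules (local SID range), not from any real ruleset.
SAMPLE_RULES = """\
# constructed sample rules for the example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH scanner"; flow:to_server; flags:S; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL suspicious UA"; http.user_agent; content:"badbot"; sid:1000002; rev:1;)
#alert dns any any -> any 53 (msg:"LOCAL disabled rule"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> 192.0.2.10 443 (msg:"LOCAL trusted server"; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 3389 (msg:"LOCAL RDP probe"; sid:1000010; rev:1;)
"""

# Constructed drop list in the assumed dropsid-style format.
DROPSID = """\
# GID:SID entries and GID:LO-HI ranges, comma or newline separated
1:1000001, 1:1000003
1:1000010-1000019
"""

if __name__ == '__main__':
    new_text, changed = rewrite_actions(SAMPLE_RULES, DROPSID)
    print('changed to drop:', changed)
    print(new_text)
```

SID 1000003 is on the list but stays untouched because the rule is disabled (commented out), and the `pass` rule keeps its action because it is not listed; only the two enabled, listed `alert` rules become `drop`.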
-
-
@bmeeks Thanks for your help, this is very helpful, appreciate it!