OPNsense Forum

English Forums => General Discussion => Topic started by: elvinmammadov on December 17, 2021, 09:05:57 am

Title: How to stop massive port connections through Suricata
Post by: elvinmammadov on December 17, 2021, 09:05:57 am
Hello,

We have enabled Suricata and downloaded rules; some of the rules are enabled and some are disabled. If someone makes massive connections, for example to port 80, Suricata shows no alerts and doesn't block it. We want Suricata to block the remote IP address if someone attempts massive connections. Do you know which rule I should enable? Thanks.

Title: Re: How to stop massive port connections through Suricata
Post by: chemlud on December 17, 2021, 10:23:19 am
If your firewall blocks port 80 you are fine. If by "massive connection" you mean a kind of DoS attack, neither your firewall (irrespective of the brand) nor suricata/snort/whatever can do anything for you.

Title: Re: How to stop massive port connections through Suricata
Post by: RamSense on December 17, 2021, 01:50:15 pm
Maybe you are running the nginx reverse proxy for your port 80? With that you could set a limit by entering an amount in the "Maximum Connections" setting of your upstream server options.
Can't think of anything else indeed.

Title: Re: How to stop massive port connections through Suricata
Post by: elvinmammadov on December 17, 2021, 05:25:01 pm
I want to test our Intrusion Detection. There are thousands of rules; we have left them at their defaults, so we don't know which rules are recommended to enable. I googled, but couldn't find a best practice.