Intrusion Detection and Prevention / IDS/IPS rules not working at all
« on: December 31, 2018, 01:48:02 pm »
Hi,
I'm running the latest stable version, everything is fine but Suricata seems not to work.
I tried some of the abuse.ch rules, urlhaus for example; the rules are downloaded, activated and set to block, but I can access any site from the list.
Same goes for the GeoIP country block: I see a lot of Russian IPs on the firewall, so I set up a rule to block Russia, but nothing happens. No alerts from Suricata, but block actions on the firewall.
Hardware is a little Supermicro with an Intel Atom and Intel NICs, 8 GB RAM, 120 GB SSD.
I went through the forum already for performance tuning and a Suricata guide, no success.
All services are running fine and I'm a bit clueless.
Edit: static IPv4 on WAN and LAN, bridged cable modem.
That's how the alerts look:
timestamp                        action   iface  src              sport  dst              dport  signature
2018-12-31T13:53:55.370905+0100  allowed  WAN    2.22.152.33      443    x.x.x.x          60301  SURICATA STREAM excessive retransmissions
2018-12-31T13:51:48.254029+0100  allowed  WAN    x.x.x.x          61759  2.20.248.154     443    SURICATA STREAM excessive retransmissions
2018-12-31T12:08:27.682942+0100  allowed  WAN    23.0.174.128     443    x.x.x.x          27980  SURICATA STREAM excessive retransmissions
2018-12-31T11:57:22.226768+0100  allowed  WAN    192.229.221.214  443    x.x.x.x          15499  SURICATA STREAM excessive retransmissions
2018-12-31T11:44:54.118050+0100  allowed  WAN    192.229.221.214  443    x.x.x.x          2291   SURICATA STREAM excessive retransmissions
Thanks for any help.
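As an added example (not part of the original post, and not OPNsense or Suricata code), here is a small triage script for exactly the situation above: it reads Suricata EVE JSON alert records and reports whether any alert carried a block action and whether any signature other than Suricata's own engine events (those prefixed "SURICATA ") fired at all. The EVE lines embedded below are constructed from the five alerts in the post (the post shows the OPNsense GUI view, not raw EVE); the interface name igb0, the extra flow record and the malformed line are assumptions added to exercise the filtering.

```python
import json
from collections import Counter

# Constructed sample, not a real capture: the five alerts shown in the post,
# re-expressed as Suricata EVE JSON "alert" records. "igb0" as the WAN
# interface is an assumption; the flow record and the non-JSON line are
# added only to show that they are skipped.
SAMPLE_EVE = """\
{"timestamp":"2018-12-31T13:53:55.370905+0100","event_type":"alert","in_iface":"igb0","src_ip":"2.22.152.33","src_port":443,"dest_ip":"x.x.x.x","dest_port":60301,"proto":"TCP","alert":{"action":"allowed","signature":"SURICATA STREAM excessive retransmissions"}}
{"timestamp":"2018-12-31T13:51:48.254029+0100","event_type":"alert","in_iface":"igb0","src_ip":"x.x.x.x","src_port":61759,"dest_ip":"2.20.248.154","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature":"SURICATA STREAM excessive retransmissions"}}
{"timestamp":"2018-12-31T12:08:27.682942+0100","event_type":"alert","in_iface":"igb0","src_ip":"23.0.174.128","src_port":443,"dest_ip":"x.x.x.x","dest_port":27980,"proto":"TCP","alert":{"action":"allowed","signature":"SURICATA STREAM excessive retransmissions"}}
{"timestamp":"2018-12-31T11:57:22.226768+0100","event_type":"alert","in_iface":"igb0","src_ip":"192.229.221.214","src_port":443,"dest_ip":"x.x.x.x","dest_port":15499,"proto":"TCP","alert":{"action":"allowed","signature":"SURICATA STREAM excessive retransmissions"}}
{"timestamp":"2018-12-31T11:44:54.118050+0100","event_type":"alert","in_iface":"igb0","src_ip":"192.229.221.214","src_port":443,"dest_ip":"x.x.x.x","dest_port":2291,"proto":"TCP","alert":{"action":"allowed","signature":"SURICATA STREAM excessive retransmissions"}}
{"timestamp":"2018-12-31T11:44:55.000000+0100","event_type":"flow","in_iface":"igb0","src_ip":"x.x.x.x","dest_ip":"192.229.221.214","proto":"TCP"}
this line is not JSON and must be skipped
"""

# Signatures raised by Suricata's own decoder/stream engine, not by a ruleset.
ENGINE_PREFIX = "SURICATA "


def parse_eve_alerts(text):
    """Return the alert records from EVE JSON text, skipping other event
    types and lines that are not valid JSON objects."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Count alerts per (action, signature) pair."""
    return Counter(
        (a["alert"].get("action", "?"), a["alert"].get("signature", "?"))
        for a in alerts
    )


def triage(alerts):
    """Answer the two questions that matter when 'block' rules look inert:
    did anything get dropped, and did any non-engine signature fire at all."""
    total = len(alerts)
    blocked = sum(1 for a in alerts if a["alert"].get("action") == "blocked")
    rule_hits = sum(
        1 for a in alerts
        if not a["alert"].get("signature", "").startswith(ENGINE_PREFIX)
    )
    if total == 0:
        verdict = "no alerts at all: check that the sensor is bound to the right interface"
    elif rule_hits == 0:
        verdict = "only engine events fired: no ruleset signature matched any traffic"
    elif blocked == 0:
        verdict = "rules match but every action is 'allowed': check the rule action and IPS mode"
    else:
        verdict = "rules match and drops are happening"
    return {"total": total, "blocked": blocked, "rule_hits": rule_hits, "verdict": verdict}


if __name__ == "__main__":
    recs = parse_eve_alerts(SAMPLE_EVE)
    for (action, sig), n in summarize(recs).most_common():
        print(f"{n:4d}  {action:8s}  {sig}")
    print(triage(recs)["verdict"])
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents. The useful split is the one between rule_hits and blocked: zero rule hits means the traffic never matched a ruleset signature (so the rule action is irrelevant), while rule hits with zero blocked points at the action or inline mode instead.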