How to stop massive port connections through Suricata

Started by elvinmammadov, December 17, 2021, 09:05:57 AM

Hello,

We have enabled Suricata and downloaded rules; some of the rules are enabled and some disabled. If someone makes massive connections, for example to port 80, Suricata shows no alerts and doesn't block it. We want Suricata to block the remote IP address if someone attempts massive connections. Do you know which rule I should enable? Thanks.

If your firewall blocks port 80 you are fine. If by "massive connection" you mean a kind of DoS attack, neither your firewall (irrespective of the brand) nor suricata/snort/whatever can do anything for you.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Maybe you are running a reverse proxy (nginx) for your port 80? With that you could set a limit via the "Maximum Connections" setting in your upstream server options.
Can't think of anything else indeed.
Deciso DEC850v2

I want to test our Intrusion Detection. There are thousands of rules; we have left them at default, so we don't know which rules are recommended to enable. I googled, but couldn't find best practice.
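To illustrate the kind of rate-based rule the opening question is asking about, here is an added example of a Suricata threshold rule; it is not something any poster in this thread wrote, and the count, window and sid values are assumed starting points, not recommendations from the thread.

```suricata
# Added example (not from this thread): count TCP SYNs to port 80 per source
# address and raise one alert per 10-second window once the 200th SYN arrives.
# count/seconds are assumed starting points; tune them against real traffic.
# $EXTERNAL_NET and $HOME_NET are Suricata's standard address-group variables
# from suricata.yaml; sid 1000001 is in the range reserved for local rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL Possible SYN flood to port 80 from single source"; flags:S,12; flow:stateless; threshold: type both, track by_src, count 200, seconds 10; classtype:attempted-dos; sid:1000001; rev:1;)
```

In IPS (inline) mode, changing the action from `alert` to `drop` makes the rule block instead of only logging; in IDS mode a `drop` rule still only alerts. As the reply above notes, a rule like this only covers a burst of connections from one source and does nothing against a volumetric flood that saturates the uplink before Suricata sees it.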