How to apply drop action when in IPS mode?

Started by zlinuxboy, November 05, 2025, 09:32:12 AM

Hello, community,
I just touched Suricata yesterday; there are some new concepts I am trying to catch up on.
I have downloaded and applied the ET Open rules, and successfully made Suricata generate an alert by using an attacker@$external_net to nmap -sS -T4 server@$home_net.
But even after I enable IPS mode, Suricata still allows packets that match the ET Open rules to go through.
How do I make Suricata drop the evil packet if it matches rules when in IPS mode?

I created & applied a new policy:

```
/usr/local/etc/suricata/rule-policies.config
[71b2ac5f6ed2473d94c5ad5f4b2ae28b]
enabled=1
prio=0
rulesets=emerging-attack_response.rules,emerging-dos.rules,emerging-exploit.rules,emerging-icmp.rules,emerging-icmp_info.rules,emerging-info.rules,emerging-malware.rules,emerging-misc.rules,emerging-p2p.rules,emerging-scan.rules,emerging-sql.rules,opnsense.social_media.rules
content=
action=alert
__target_action__=drop
__policy_id__=71b2ac5f-6ed2-473d-94c5-ad5f4b2ae28b
__policy_description__=-
```


BEFORE creating the policy, I generated a scan. The

OPNsense console
/var/log/suricata/eve.json

```
...
{
  "timestamp": "2025-11-05T16:30:03.731607+0800",
  "flow_id": 890432422023188,
  "in_iface": "vmx1",
  "event_type": "alert",
  "src_ip": "10.4.0.1",
  "src_port": 64517,
  "dest_ip": "172.16.14.100",
  "dest_port": 5802,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2002910,
    "rev": 6,
    "signature": "ET SCAN Potential VNC Scan 5800-5820",
    "category": "Attempted Information Leak",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_07_30"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2025-11-05T16:30:03.731607+0800",
    "src_ip": "10.4.0.1",
    "dest_ip": "172.16.14.100",
    "src_port": 64517,
    "dest_port": 5802
  }
}
...
```

ATTACKER:

```
┌──(vagrant㉿kali-105)-[~]
└─$ sudo ip netns exec v4-cln1 nmap -sS -T4 172.16.14.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 03:29 EST
Nmap scan report for 172.16.14.100
Host is up (0.0010s latency).
Not shown: 999 closed tcp ports (reset)
PORT  STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 13.64 seconds

```

AFTER creating and applying the policy, I generated a scan. The

OPNsense console
/var/log/suricata/eve.json
```
{
  "timestamp": "2025-11-05T16:43:19.949197+0800",
  "flow_id": 2106448014443784,
  "in_iface": "vmx1",
  "event_type": "alert",
  "src_ip": "10.4.0.1",
  "src_port": 54695,
  "dest_ip": "172.16.14.100",
  "dest_port": 3306,
  "proto": "TCP",
  "ip_v": 4,
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2010937,
    "rev": 3,
    "signature": "ET SCAN Suspicious inbound to mySQL port 3306",
    "category": "Potentially Bad Traffic",
    "severity": 2,
    "metadata": {
      "confidence": [
        "Medium"
      ],
      "created_at": [
        "2010_07_30"
      ],
      "signature_severity": [
        "Informational"
      ],
      "updated_at": [
        "2019_07_26"
      ]
    }
  },
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 60,
    "bytes_toclient": 0,
    "start": "2025-11-05T16:43:19.949197+0800",
    "src_ip": "10.4.0.1",
    "dest_ip": "172.16.14.100",
    "src_port": 54695,
    "dest_port": 3306
  }
}
```

attacker:

```
┌──(vagrant㉿kali-105)-[~]
└─$ sudo ip netns exec v4-cln1 nmap -sS -T4 172.16.14.100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 03:43 EST
Nmap scan report for 172.16.14.100
Host is up (0.0018s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
1433/tcp filtered ms-sql-s
1521/tcp filtered oracle
3306/tcp filtered mysql
5432/tcp filtered postgresql

Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds
```

Questions:

1. Is that the right method to create such a policy to achieve my goal?
2. Why does nmap show 22 as open, but 3306 as filtered after applying the newly created policy (action changed from alert to drop)?
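The two eve.json events quoted above differ only in `alert.action`: `allowed` (Suricata saw the packet and let it pass) versus `blocked` (the packet was dropped inline, so the scanner gets neither a SYN/ACK nor a RST and nmap reports the port as `filtered`). A quick way to check whether a policy really turned a ruleset into drops is to tally that field per signature over the whole log. The script below is an added example, not part of the original post or of OPNsense; it parses eve.json line by line (tolerating the partially written last line a live log often has), reports allowed versus blocked counts per signature ID, and lists signatures that fired but were never blocked. The embedded sample lines are constructed from the two events in the thread, with most fields omitted.

```python
import json
import sys

# Constructed sample eve.json lines, modelled on the two alert events quoted
# in the post (one "allowed" before the policy, one "blocked" after it), plus a
# non-alert event and a truncated line, both of which a parser must skip.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2025-11-05T16:30:03.731607+0800", "event_type": "alert",
                "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100", "dest_port": 5802,
                "proto": "TCP",
                "alert": {"action": "allowed", "signature_id": 2002910,
                          "signature": "ET SCAN Potential VNC Scan 5800-5820"}}),
    json.dumps({"timestamp": "2025-11-05T16:43:19.949197+0800", "event_type": "alert",
                "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100", "dest_port": 3306,
                "proto": "TCP",
                "alert": {"action": "blocked", "signature_id": 2010937,
                          "signature": "ET SCAN Suspicious inbound to mySQL port 3306"}}),
    json.dumps({"timestamp": "2025-11-05T16:43:20.000000+0800", "event_type": "flow",
                "src_ip": "10.4.0.1", "dest_ip": "172.16.14.100"}),
    '{"timestamp": "2025-11-05T16:43:21.0',  # partially written line, not valid JSON
]


def summarize_alert_actions(lines):
    """Return {signature_id: {"signature", "allowed", "blocked", "other"}} over alert events."""
    summary = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt or partially written line; tolerate it
        if event.get("event_type") != "alert":
            continue  # flow, stats, dns, ... carry no action verdict
        alert = event.get("alert", {})
        sid = alert.get("signature_id")
        if sid is None:
            continue
        entry = summary.setdefault(sid, {"signature": alert.get("signature", ""),
                                         "allowed": 0, "blocked": 0, "other": 0})
        action = alert.get("action")
        if action in ("allowed", "blocked"):
            entry[action] += 1
        else:
            entry["other"] += 1
    return summary


def still_allowed(summary):
    """Signature IDs that fired but were never blocked: candidates for a drop policy."""
    return sorted(sid for sid, e in summary.items() if e["allowed"] > 0 and e["blocked"] == 0)


def read_eve(path):
    """Summarize a real eve.json file (e.g. /var/log/suricata/eve.json on OPNsense)."""
    with open(path, encoding="utf-8") as fh:
        return summarize_alert_actions(fh)


if __name__ == "__main__":
    # Usage: python3 eve_actions.py [/var/log/suricata/eve.json]
    summary = read_eve(sys.argv[1]) if len(sys.argv) > 1 else summarize_alert_actions(SAMPLE_EVE_LINES)
    for sid, e in sorted(summary.items()):
        print(f"{sid}\tallowed={e['allowed']}\tblocked={e['blocked']}\t{e['signature']}")
    print("fired but never blocked:", still_allowed(summary))
```

Run it against the live log after a test scan: any signature that appears only under `allowed` while IPS mode is on is a rule the policy did not convert to drop (wrong ruleset selected, or the rule is outside the policy's scope).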

Two ways:
with a policy or by individual rule.

You can change the rule to drop: go to Intrusion Detection > Admin > Rules, enter the rule number in the search bar,
and change the alert to drop.

or

Use policies:
Go to Intrusion Detection > Policy and make a new policy.
Leave the top action on alert, which is the default.
Select your whole ruleset.
In the lower action, change to drop.
Click apply.
It will change all alerts to drop in that ruleset.
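Both methods in the reply end up rewriting the first word of the matching rule lines (the action) from `alert` to `drop` before Suricata loads them. The script below is an added example, not OPNsense code, showing that rewrite on Suricata rule syntax for a chosen set of signature IDs: it only touches enabled rules (commented-out `#alert` lines stay as they are), leaves everything but the action keyword untouched, and is idempotent. The sample rule text is constructed; the two SIDs are the ones from the thread's eve.json events, but the rule bodies are simplified placeholders, not the real ET Open rules. On OPNsense the installed rule files are generated from the UI settings, so use Admin > Rules or Policies there as the reply says; this is for understanding the effect, or for a standalone Suricata install.

```python
import re

# Constructed sample rules in Suricata syntax (action, header, options).
# The SIDs match the thread's events; the bodies are simplified placeholders.
SAMPLE_RULES = """\
# comment lines and blank lines must survive untouched

alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flags:S,12; sid:2002910; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flags:S,12; sid:2010937; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"disabled rule stays commented"; sid:9999999; rev:1;)
"""

# Suricata rule actions; a line starting with anything else (comment, blank) is not a rule.
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+(?P<rest>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sid(line):
    """Signature ID of a rule line, or None if it has no sid option."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def actions_by_sid(rules_text):
    """Map sid -> action for every enabled rule line."""
    result = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            result[parse_sid(line)] = m.group("action")
    return result


def set_action(rules_text, sids, new_action="drop"):
    """Rewrite the action of enabled rules whose sid is in `sids`.

    Returns (rewritten_text, changed_sids). Rules already at `new_action`,
    commented-out rules and non-rule lines are left exactly as they are.
    """
    changed = []
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        sid = parse_sid(line) if m else None
        if m and sid in sids and m.group("action") != new_action:
            line = f"{new_action} {m.group('rest')}"  # only the leading keyword changes
            changed.append(sid)
        out.append(line)
    return "\n".join(out) + "\n", changed


def rewrite_rule_file(path, sids, new_action="drop"):
    """Apply set_action to a rule file in place; returns the changed sids."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = set_action(text, sids, new_action)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    new_text, changed = set_action(SAMPLE_RULES, {2010937})
    print("changed:", changed)
    print(new_text)
```

Passing the full set of SIDs from a ruleset file is the "policy" variant from the reply; passing one SID is the "individual rule" variant. After any rewrite, run `suricata -T -c <your suricata.yaml>` to confirm the rule files still parse before reloading.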