I am experimenting with Suricata IPS.
The currently accessible web server is open on port 8891.
I added the following to the Suricata rules to block traffic to this server.
drop tcp any any -> $HOME_NET 8891 (msg:"test drop msg"; classtype:misc-activity; sid:1000006; rev:1;)
And I also added an iptables rule.
sudo iptables -I FORWARD -j NFQUEUE
Then I turned on IPS mode and checked the fast.log.
suricata -c /etc/suricata/suricata.yaml -q 0
25/8/2020 -- 13:52:02 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
25/8/2020 -- 13:52:02 - <Notice> - all 18 packet processing threads, 4 management threads initialized, engine started.
tail -f fast.log
[wDrop] [**] [1:1000006:1] test drop msg [**] [Classification: Misc activity] [Priority: 3] {TCP} <IP addres> -> 192.168.0.98:32622
The drop is displayed, but I can still connect to the web server normally.
I thought I would not be able to connect if it was dropped.
How can I block access?
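A small diagnostic for the two things this symptom points at, added here as example code (not from the Suricata project or the original post): Suricata writes `[wDrop]` ("would drop") in fast.log when a drop rule matched but the engine was not running inline for that packet, and an NFQUEUE rule in FORWARD only covers routed traffic, never packets addressed to a service on the host itself (INPUT) or the replies it sends (OUTPUT). The fast.log lines and `iptables -S` output below are constructed samples.

```shell
#!/bin/sh
# "[Drop]" = packet really dropped; "[wDrop]" = would have dropped, i.e. the
# rule matched but Suricata was not inline for that packet.

# Count real drops vs would-drops per signature id in fast.log text on stdin.
# Output: one line per sid, "<sid> drop=<n> wdrop=<n>", sorted by sid.
count_fastlog_actions() {
    awk '
        /\[Drop\]/  { act = "drop" }
        /\[wDrop\]/ { act = "wdrop" }
        /\[Drop\]|\[wDrop\]/ {
            # the signature id is the middle field of "[gid:sid:rev]"
            if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) {
                split(substr($0, RSTART + 1, RLENGTH - 2), ids, ":")
                n[ids[2] " " act]++
                seen[ids[2]] = 1
            }
        }
        END {
            for (sid in seen)
                printf "%s drop=%d wdrop=%d\n", sid, n[sid " drop"], n[sid " wdrop"]
        }' | sort -n
}

# Given `iptables -S` output on stdin, print the chains that hand packets to
# NFQUEUE, so it is obvious when only FORWARD is covered and INPUT/OUTPUT
# (local server traffic) bypass Suricata entirely.
nfqueue_chains() {
    awk '$1 == "-A" && /-j NFQUEUE/ { print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample input (not real captures) for a stand-alone run.
SAMPLE_FASTLOG='08/25/2020-13:52:10.000000  [wDrop] [**] [1:1000006:1] test drop msg [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.50:41000 -> 192.168.0.98:8891
08/25/2020-13:52:11.000000  [wDrop] [**] [1:1000006:1] test drop msg [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.50:41001 -> 192.168.0.98:8891
08/25/2020-13:52:12.000000  [Drop] [**] [1:1000006:1] test drop msg [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.0.51:41002 -> 192.168.0.98:8891'
SAMPLE_IPTABLES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -j NFQUEUE'

# Stand-alone run on the samples; on a live box replace the samples with
# `cat /var/log/suricata/fast.log` and `sudo iptables -S`.
printf '%s\n' "$SAMPLE_FASTLOG" | count_fastlog_actions
printf 'NFQUEUE chains: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | nfqueue_chains)"
```

If every line for sid 1000006 is a wDrop, the rule is fine and the problem is that the packets are not passing through Suricata inline; if the only NFQUEUE chain is FORWARD while the web server runs on the Suricata host, traffic to port 8891 is never queued to it.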