Hello everyone, I am a Suricata beginner, and I hope to run Suricata as an IPS to intercept malicious traffic. My deployment method is as follows:
Code:
# install Suricata and jq, load the NFQUEUE kernel module now and at every boot
apt-get -y install suricata jq
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf
# point the capture interface sections at the bridge and add community-id to eve.json records
sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml
sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml
# enable live rule reload
echo "detect-engine:" >> /etc/suricata/suricata.yaml
echo " - rule-reload: true" >> /etc/suricata/suricata.yaml
# fetch the ET Open ruleset and write the merged rules file
suricata-update update-sources
suricata-update enable-source et/open
suricata-update -o /etc/suricata/rules
# test the configuration before going live
suricata -T -c /etc/suricata/suricata.yaml -v
# edit /etc/systemd/system/multi-user.target.wants/suricata.service and change "ExecStart" to:
ExecStart=/usr/bin/suricata -D -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0
# send all traffic to NFQUEUE 0; --queue-bypass accepts packets when nothing is bound to the queue (fail-open)
iptables -A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
iptables -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
iptables -A OUTPUT -j NFQUEUE --queue-num 0 --queue-bypass
systemctl daemon-reload
systemctl restart suricata
I know that Suricata has started running normally, I can see the ips.blocked statistics in stats.log, but I cannot find the blocked records in eve.json.
Code:
~# tail -f /var/log/suricata/stats.log | grep ips
ips.accepted | Total | 70435244
ips.blocked | Total | 9544226
ips.accepted | Total | 70443407
ips.blocked | Total | 9545082
~#
~# jq 'select(.alert.action == "blocked")' /var/log/suricata/eve.json
~#
~# systemctl status suricata
● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-08-22 23:07:44 HKT; 21h ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata-ids.org/docs/
   Main PID: 393254 (Suricata-Main)
      Tasks: 136 (limit: 629145)
     Memory: 1.3G
        CPU: 5h 7min 1.218s
     CGroup: /system.slice/suricata.service
             └─393254 /usr/bin/suricata -D -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0

Aug 22 23:07:44 testnode systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon...
Aug 22 23:07:44 testnode suricata[393250]: 22/8/2024 -- 23:07:44 - <Notice> - This is Suricata version 6.0.10 RELEASE running in SYSTEM>
Aug 22 23:07:44 testnode systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.
So I don't know whether Suricata has already intercepted malicious traffic based on rules like et/open; I can't find the specific log of the interception in eve.json.
Thank you all.
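One way to cross-check the mismatch described in the post (a growing ips.blocked counter but no alert with action "blocked"), as an added example that is not the poster's code and not part of Suricata. It assumes the default Debian paths used above, that a rule-driven drop appears in eve.json as an alert event with alert.action == "blocked" (and as a "drop" event when that eve output type is enabled), and that ips.blocked counts NFQUEUE drop verdicts rather than rule hits. The eve.json lines and rule lines embedded below are constructed samples, not captured from the poster's host.

```python
"""Cross-check Suricata's ips.blocked counter against eve.json and the rule file.

Added example for this thread (not the poster's code, not Suricata's own).
Paths and field names are the ones used in the post; samples are constructed.
"""
import json
import re
import sys
from collections import Counter

# Constructed eve.json lines mirroring the symptom in the post: alerts fire
# but every one is "allowed", while the stats event reports blocked packets.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "alert", "alert": {"action": "allowed", "signature_id": 2100498,
                                                  "signature": "GPL ATTACK_RESPONSE id check returned root"}}),
    json.dumps({"event_type": "alert", "alert": {"action": "allowed", "signature_id": 2100498,
                                                  "signature": "GPL ATTACK_RESPONSE id check returned root"}}),
    json.dumps({"event_type": "flow"}),
    json.dumps({"event_type": "stats", "stats": {"ips": {"accepted": 70435244, "blocked": 9544226}}}),
])

# Constructed rule lines: every enabled rule is an "alert" rule, as in a stock
# suricata-update output; the only drop rule is commented out.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed alert rule"; sid:9000001; rev:1;)
alert http any any -> any any (msg:"constructed alert rule 2"; sid:9000002; rev:1;)
#drop tcp any any -> any any (msg:"constructed disabled drop rule"; sid:9000003; rev:1;)
"""

# Constructed "healthy" pair: a drop rule exists and its hit is logged as blocked.
HEALTHY_RULES = 'drop tcp any any -> any any (msg:"constructed drop rule"; sid:9000004; rev:1;)\n'
HEALTHY_EVE = "\n".join([
    json.dumps({"event_type": "alert", "alert": {"action": "blocked", "signature_id": 9000004}}),
    json.dumps({"event_type": "drop"}),
    json.dumps({"event_type": "stats", "stats": {"ips": {"accepted": 10, "blocked": 1}}}),
])

RULE_ACTION_RE = re.compile(r"^\s*(alert|drop|pass|reject(?:src|dst|both)?)\s")


def rule_action_counts(rule_text):
    """Count enabled rules per action keyword; '#'-disabled rules are skipped."""
    counts = Counter()
    for line in rule_text.splitlines():
        match = RULE_ACTION_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def summarize_eve(eve_text):
    """Tally event types, alert actions and the latest ips.* stats snapshot."""
    summary = {"events": Counter(), "alert_actions": Counter(), "ips": None}
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written last line while Suricata is still logging
        kind = event.get("event_type")
        summary["events"][kind] += 1
        if kind == "alert":
            summary["alert_actions"][event.get("alert", {}).get("action", "unknown")] += 1
        elif kind == "stats":
            ips = event.get("stats", {}).get("ips")
            if ips:
                summary["ips"] = ips  # keep the most recent counter values
    return summary


def diagnose(summary, rule_counts):
    """Explain a non-zero ips.blocked with no blocked alerts; empty list means consistent."""
    findings = []
    blocked_packets = (summary["ips"] or {}).get("blocked", 0)
    blocked_alerts = summary["alert_actions"].get("blocked", 0)
    if not any(rule_counts.get(a) for a in ("drop", "reject", "rejectsrc", "rejectdst", "rejectboth")):
        findings.append("no enabled rule uses drop/reject, so no alert can carry action=blocked; "
                        "suricata-update ships rules as 'alert' unless modify.conf converts them")
    if blocked_packets and not blocked_alerts:
        findings.append("ips.blocked counts NFQUEUE drop verdicts, not rule hits; with no blocked "
                        "alerts the drops come from elsewhere, e.g. the stream engine's drop-invalid")
    if not summary["events"].get("drop"):
        findings.append("no 'drop' events in eve.json: the drop output type is disabled under "
                        "outputs/eve-log, or nothing was dropped by a rule")
    return findings


def diagnose_files(eve_path="/var/log/suricata/eve.json",
                   rule_path="/etc/suricata/rules/suricata.rules"):
    """Run the same check against the real files (paths as used in the post)."""
    with open(eve_path, encoding="utf-8", errors="replace") as eve, \
            open(rule_path, encoding="utf-8") as rules:
        return diagnose(summarize_eve(eve.read()), rule_action_counts(rules.read()))


if __name__ == "__main__":
    # No arguments: run on the constructed samples; pass eve.json and rules paths to use real files.
    if len(sys.argv) == 3:
        findings = diagnose_files(sys.argv[1], sys.argv[2])
    else:
        findings = diagnose(summarize_eve(SAMPLE_EVE), rule_action_counts(SAMPLE_RULES))
    print("\n".join(findings) or "consistent: blocked packets are accounted for by drop rules")
```

The quick shell equivalents of the two checks that matter most are `grep -c '^drop' /etc/suricata/rules/suricata.rules` (how many enabled rules can actually block) and `jq 'select(.event_type == "drop")' /var/log/suricata/eve.json` (whether per-packet drop records are being written at all); the script only adds the comparison against the ips.* counters.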