Suricata Testing

yena

Nov 18, 2011
Hello,
I'm testing Suricata as IDS (not IPS).... I have installed all the stuff
and I have configured a single VPS, a Debian LXC with LAMP.

How can I test if Suricata works?
I have tested a query string on the VPS like this:

http://192.168.1.82/index.html?page... rv:1.7.5) Gecko/20041202 Firefox/1.0\r\n\r\n

but I can't see anything in the Suricata logs:

tail -f http.log fast.log
==> http.log <==

==> fast.log <==

Service seems OK:
--------------------------------------------------------------
service suricata status
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata)
Active: active (running) since Tue 2016-12-13 19:18:05 CET; 25min ago
Process: 1950 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/suricata.service
└─2031 /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile /var/run/suricata.pid -q 0 -D

Dec 13 19:18:05 TTest suricata[1950]: Starting suricata in IPS (nfqueue) mode... done.
Dec 13 19:18:05 TTest systemd[1]: Started LSB: Next Generation IDS/IPS.

------------------------------------------------------------------

VPS firewall enabled and configured:

cat /etc/pve/firewall/100.fw
[OPTIONS]
ips: 1
ips_queues: 0
-----------------------------------------------------------
cat /etc/default/suricata
RUN=yes
SURCONF=/etc/suricata/suricata-debian.yaml
LISTENMODE=nfqueue
IFACE=eth0
NFQUEUE=0
TCMALLOC="YES"
PIDFILE=/var/run/suricata.pid
------------------------------------------------------------------------------

rules:
ls -la /etc/suricata/rules/
total 3605
drwxr-xr-x 2 root root 66 Dec 13 19:00 .
drwxr-xr-x 3 root root 7 Dec 13 19:38 ..
-rw-r--r-- 1 root root 32765 Dec 13 19:00 botcc.portgrouped.rules
-rw-r--r-- 1 root root 288931 Dec 13 19:00 botcc.rules
-rw-r--r-- 1 root root 1656 Dec 13 19:00 BSD-License.txt
-rw-r--r-- 1 root root 144684 Dec 13 19:00 ciarmy.rules
-rw-r--r-- 1 root root 2638 Dec 13 19:00 classification.config
-rw-r--r-- 1 root root 19022 Dec 13 19:00 compromised-ips.txt
-rw-r--r-- 1 root root 33434 Dec 13 19:00 compromised.rules
-rw-r--r-- 1 root root 13512 Mar 4 2015 decoder-events.rules
-rw-r--r-- 1 root root 1498 Mar 4 2015 dns-events.rules
-rw-r--r-- 1 root root 21912 Dec 13 19:00 drop.rules
-rw-r--r-- 1 root root 2489 Dec 13 19:00 dshield.rules
-rw-r--r-- 1 root root 274378 Dec 13 19:00 emerging-activex.rules
-rw-r--r-- 1 root root 55304 Dec 13 19:00 emerging-attack_response.rules
-rw-r--r-- 1 root root 28830 Dec 13 19:00 emerging-chat.rules
-rw-r--r-- 1 root root 3305 Dec 13 19:00 emerging.conf
-rw-r--r-- 1 root root 962558 Dec 13 19:00 emerging-current_events.rules
-rw-r--r-- 1 root root 870391 Dec 13 19:00 emerging-deleted.rules
-rw-r--r-- 1 root root 24399 Dec 13 19:00 emerging-dns.rules
-rw-r--r-- 1 root root 48577 Dec 13 19:00 emerging-dos.rules
-rw-r--r-- 1 root root 211333 Dec 13 19:00 emerging-exploit.rules
-rw-r--r-- 1 root root 38111 Dec 13 19:00 emerging-ftp.rules
-rw-r--r-- 1 root root 25110 Dec 13 19:00 emerging-games.rules
-rw-r--r-- 1 root root 14289 Dec 13 19:00 emerging-icmp_info.rules
-rw-r--r-- 1 root root 8563 Dec 13 19:00 emerging-icmp.rules
-rw-r--r-- 1 root root 12147 Dec 13 19:00 emerging-imap.rules
-rw-r--r-- 1 root root 8986 Dec 13 19:00 emerging-inappropriate.rules
-rw-r--r-- 1 root root 133991 Dec 13 19:00 emerging-info.rules
-rw-r--r-- 1 root root 390776 Dec 13 19:00 emerging-malware.rules
-rw-r--r-- 1 root root 18683 Dec 13 19:00 emerging-misc.rules
-rw-r--r-- 1 root root 76689 Dec 13 19:00 emerging-mobile_malware.rules
-rw-r--r-- 1 root root 302826 Dec 13 19:00 emerging-netbios.rules
-rw-r--r-- 1 root root 40405 Dec 13 19:00 emerging-p2p.rules
-rw-r--r-- 1 root root 284443 Dec 13 19:00 emerging-policy.rules
-rw-r--r-- 1 root root 7509 Dec 13 19:00 emerging-pop3.rules
-rw-r--r-- 1 root root 47992 Dec 13 19:00 emerging-rpc.rules
-rw-r--r-- 1 root root 9847 Dec 13 19:00 emerging-scada.rules
-rw-r--r-- 1 root root 94149 Dec 13 19:00 emerging-scan.rules
-rw-r--r-- 1 root root 56897 Dec 13 19:00 emerging-shellcode.rules
-rw-r--r-- 1 root root 8714 Dec 13 19:00 emerging-smtp.rules
-rw-r--r-- 1 root root 13309 Dec 13 19:00 emerging-snmp.rules
-rw-r--r-- 1 root root 181112 Dec 13 19:00 emerging-sql.rules
-rw-r--r-- 1 root root 6122 Dec 13 19:00 emerging-telnet.rules
-rw-r--r-- 1 root root 6275 Dec 13 19:00 emerging-tftp.rules
-rw-r--r-- 1 root root 2154556 Dec 13 19:00 emerging-trojan.rules
-rw-r--r-- 1 root root 27454 Dec 13 19:00 emerging-user_agents.rules
-rw-r--r-- 1 root root 8570 Dec 13 19:00 emerging-voip.rules
-rw-r--r-- 1 root root 126047 Dec 13 19:00 emerging-web_client.rules
-rw-r--r-- 1 root root 218724 Dec 13 19:00 emerging-web_server.rules
-rw-r--r-- 1 root root 2784561 Dec 13 19:00 emerging-web_specific_apps.rules
-rw-r--r-- 1 root root 9087 Dec 13 19:00 emerging-worm.rules
-rw-r--r-- 1 root root 2872 Mar 4 2015 files.rules
-rw-r--r-- 1 root root 18269 Dec 13 19:00 gen-msg.map
-rw-r--r-- 1 root root 18092 Dec 13 19:00 gpl-2.0.txt
-rw-r--r-- 1 root root 8339 Mar 4 2015 http-events.rules
-rw-r--r-- 1 root root 1945 Dec 13 19:00 rbn-malvertisers.rules
-rw-r--r-- 1 root root 1916 Dec 13 19:00 rbn.rules
-rw-r--r-- 1 root root 1375 Dec 13 19:00 reference.config
-rw-r--r-- 1 root root 3376833 Dec 13 19:00 sid-msg.map
-rw-r--r-- 1 root root 2380 Mar 4 2015 smtp-events.rules
-rw-r--r-- 1 root root 11879 Mar 4 2015 stream-events.rules
-rw-r--r-- 1 root root 0 Dec 13 19:00 suricata-1.3-open.txt
-rw-r--r-- 1 root root 4084 Mar 4 2015 tls-events.rules
-rw-r--r-- 1 root root 342952 Dec 13 19:00 tor.rules
-rw-r--r-- 1 root root 53709 Dec 13 19:00 unicode.map

------------------------------------------------------------------------------------------------------

Thanks!
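A minimal way to answer "does Suricata see my traffic at all?" is to load one harmless local rule that matches a token you control, send one request carrying that token, and look for that rule's SID in fast.log. The script below is an added example and is not part of the original post; it assumes the paths shown in the post (/etc/suricata/rules, the suricata-debian.yaml config) plus a fast.log location and a local SID that are placeholders. The service output above says Suricata started in IPS (nfqueue) mode, so a request that never crosses the firewall path feeding queue 0 is never inspected; an empty fast.log after this test therefore means either the rule is not loaded (check with suricata -T) or the packets are not reaching the queue, and the two cases need to be separated before looking at signatures.

```shell
#!/bin/sh
# Added example: end-to-end "is Suricata inspecting traffic" check.
# All paths and the SID below are assumptions/placeholders, not values
# from the post except RULES_DIR, the config file and the target IP.
RULES_DIR="${RULES_DIR:-/etc/suricata/rules}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata-debian.yaml}"
FAST_LOG="${FAST_LOG:-/var/log/suricata/fast.log}"   # assumed default log path
TARGET="${TARGET:-192.168.1.82}"                      # the LAMP container from the post
TEST_SID=1000001                                      # local SIDs conventionally start at 1000000
TEST_MSG="LOCAL TEST suricata-works"
TEST_TOKEN="suricata-test-string"

# Constructed sample of what fast.log prints when the rule fires (for offline demo only).
SAMPLE_FAST_LOG_LINE='12/13/2016-19:40:01.123456  [**] [1:1000001:1] LOCAL TEST suricata-works [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51234 -> 192.168.1.82:80'

# Print a benign local rule: alert on the token anywhere in an HTTP URI.
make_test_rule() {
    printf 'alert http any any -> any any (msg:"%s"; content:"%s"; http_uri; nocase; classtype:not-suspicious; sid:%s; rev:1;)\n' \
        "$TEST_MSG" "$TEST_TOKEN" "$TEST_SID"
}

# Return 0 if the given fast.log contains an alert for our test SID.
# fast.log writes the rule id as [gid:sid:rev], so match on "[1:<sid>:".
alert_seen() {
    grep -q "\[1:$TEST_SID:" "$1"
}

# Print how many times the test SID fired in the given fast.log.
count_alerts() {
    grep -c "\[1:$TEST_SID:" "$1" || true
}

# Offline demo: run the log check against the constructed sample line.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_FAST_LOG_LINE" > "$tmp"
    if alert_seen "$tmp"; then echo "parser ok: $(count_alerts "$tmp") alert(s) for sid $TEST_SID"; fi
    rm -f "$tmp"
}

# Live procedure (needs suricata and curl; not run by default).
install_and_test() {
    make_test_rule > "$RULES_DIR/local-test.rules"
    # local-test.rules must also be listed under rule-files: in $SURICATA_YAML.
    suricata -T -c "$SURICATA_YAML" || { echo "config/rule test failed"; return 1; }
    service suricata restart
    # Send the request from a host whose traffic crosses the firewall path that feeds queue 0.
    curl -s -o /dev/null "http://$TARGET/index.html?$TEST_TOKEN"
    sleep 2
    if alert_seen "$FAST_LOG"; then
        echo "Suricata sees traffic: $(count_alerts "$FAST_LOG") alert(s) for sid $TEST_SID"
    else
        echo "rule loaded but no alert: packets are not reaching nfqueue 0"
    fi
}

if [ "${1-}" = "run" ]; then install_and_test; else demo; fi
```

Run it with the argument run on the host once the rule file is referenced from the YAML; without arguments it only exercises the log check on the constructed sample. Keep the rule in a separate local file rather than editing the vendor .rules files, so rule updates do not overwrite it.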
 
I am not sure that's a Proxmox question. I think you can get a better answer at the Suricata forums... pfSense even....

Good luck....