
Suricata IPS manual blocking/unblocking vs. snort and guardian


Does anyone have experience with using Suricata as an IPS? I'm on Debian and I'd like to be able to manually block and unblock specific IP addresses (iptables). I've not used Suricata as I am currently running Snort as an IDS and guardian as my IPS. I've done a bit of research into Suricata and, as far as I can tell, one can manually add rules to Suricata's rule file which will block a given IP address. When Suricata is running as a daemon, do the block rules get wiped when you restart the daemon like they do with guardian? Thanks in advance for any tips.


Solution

  • If you run Suricata in netfilter queue mode, you can still use iptables for blocking. E.g. your iptables setup could look like:

    iptables -N BLOCKLIST
    iptables -A FORWARD -j BLOCKLIST
    iptables -A FORWARD -j NFQUEUE


    Then start suricata with -q:

    suricata -q 0


    To add IPs to the blocklist, do:

    iptables -A BLOCKLIST -s 1.2.3.4 -j DROP


    To remove:

    iptables -D BLOCKLIST -s 1.2.3.4 -j DROP


    Because the -j NFQUEUE rule is evaluated after the -j BLOCKLIST rule, the blocklist is applied before traffic is sent to Suricata.

    It is also possible to do the blocking in Suricata itself. Add a rule like:

    drop ip 1.2.3.4 any -> any any (msg:"1.2.3.4 dropped"; sid:1;)


    Then restart Suricata. Alternatively, you can enable 'rule reloads' in your YAML (if you're on 3.0 it's always enabled) and send the USR2 signal.

    On Suricata 2.x uncomment 'rule-reload' in your suricata.yaml:

    detect-engine:
      - rule-reload: true
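The manual block/unblock procedure from the answer, as an added example that is not part of the original answer: a small POSIX sh helper that validates the address before it is handed to iptables, uses `iptables -C` so repeated blocks and unblocks stay idempotent, and inserts the FORWARD jump at position 1 so the BLOCKLIST chain is always evaluated before the NFQUEUE rule. It assumes the chain name BLOCKLIST from the answer and an `iptables` binary (overridable via `IPT`); rules added this way survive a Suricata restart but, like any iptables rule, not a reboot unless you save them.

```shell
#!/bin/sh
# Manage the BLOCKLIST chain that sits in front of Suricata's NFQUEUE rule.
# Added example, not from the original answer. Assumes iptables and the chain
# name BLOCKLIST used in the answer above.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-BLOCKLIST}"

# valid_ipv4: accept only a dotted-quad IPv4 address, optionally with /prefix,
# so that a malformed or shell-crafted argument never reaches iptables.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  ip="${1%%/*}"
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# ensure_chain: create BLOCKLIST if missing and make FORWARD jump to it first,
# i.e. ahead of the -j NFQUEUE rule, whatever else is in FORWARD.
ensure_chain() {
  "$IPT" -L "$CHAIN" -n >/dev/null 2>&1 || "$IPT" -N "$CHAIN"
  "$IPT" -C FORWARD -j "$CHAIN" 2>/dev/null || "$IPT" -I FORWARD 1 -j "$CHAIN"
}

# block_ip: append a DROP rule for the source only if it is not already there.
block_ip() {
  valid_ipv4 "$1" || { echo "block_ip: invalid address '$1'" >&2; return 2; }
  "$IPT" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null && return 0
  "$IPT" -A "$CHAIN" -s "$1" -j DROP
}

# unblock_ip: delete the DROP rule; succeeds silently if it was not present.
unblock_ip() {
  valid_ipv4 "$1" || { echo "unblock_ip: invalid address '$1'" >&2; return 2; }
  "$IPT" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null || return 0
  "$IPT" -D "$CHAIN" -s "$1" -j DROP
}

# list_blocked: print the sources currently dropped by the chain.
list_blocked() { "$IPT" -S "$CHAIN" | awk '/-s/ {print $4}'; }

# Usage: ./blocklist.sh block 1.2.3.4 | unblock 1.2.3.4 | list
[ -n "${1:-}" ] && case "$1" in
  block)   ensure_chain && block_ip "$2" ;;
  unblock) unblock_ip "$2" ;;
  list)    list_blocked ;;
esac
```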