
I set up suricata on debian 10 to block the intended requests, using the following run command:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 3 -q 4 -q 5 -D -v --user=logstash

Whenever I receive a request that matches and is blocked, for example:

{"timestamp":"2021-12-16T14:59:09.855634+0000","flow_id":3110969609810,"event_type":"drop","src_ip":"192.168.1.5","dest_ip":"192.168.1.18","proto":"ICMP","icmp_type":8,"icmp_code":0,"drop":{"len":60,"tos":0,"ttl":128,"ipid":29443,"icmp_id":256,"icmp_seq":31241},"alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"ICMP connection attempt","category":"","severity":3}}

Suricata stops immediately after this error:

[4585] 16/12/2021 -- 14:59:09 - (respond-reject-libnet11.c:226) <Error> (RejectSendLibnet11L3IPv4ICMP) -- [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_inint failed: libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted

[4577] 16/12/2021 -- 14:59:09 - (tm-threads.c:1807) <Error> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W-NFQ#5 failed

The file capabilities output is:

# getcap /usr/bin/suricata
/usr/bin/suricata = cap_net_admin,cap_net_raw,cap_sys_nice+eip

What do I need to do to make it work now?


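The `getcap` output above only shows what the binary is allowed to start with (the `+eip` bits are the file's effective/inheritable/permitted flags); it says nothing about what the process still holds after it switches to `--user=logstash`. `libnet_open_raw4()` calls `socket(AF_INET, SOCK_RAW, ...)`, and the kernel refuses that with `EPERM` ("Operation not permitted") whenever the calling thread's effective set lacks `CAP_NET_RAW`, so the thing to inspect is the `CapEff` line of the running worker thread (`/proc/<pid>/task/<tid>/status`, since Linux tracks capabilities per thread), not the file. The following diagnostic is an added example, not code from the original post or from the Suricata project; the two `/proc` status dumps inside it are constructed samples, and the capability bit numbers are the standard values from `<linux/capability.h>`.

```python
"""Decode the Cap* lines of a /proc/<pid>/status (or task/<tid>/status) dump
and report whether the effective set still allows raw IPv4 sockets.

Added diagnostic example; not part of the original question or of Suricata.
"""
import re
import sys

# Capability bit numbers from <linux/capability.h>; only the ones relevant
# to capture/injection and to the getcap output in the question are listed.
CAP_BITS = {
    "cap_net_admin": 12,   # NFQUEUE / netlink access
    "cap_net_raw": 13,     # socket(AF_INET, SOCK_RAW) -> needed by libnet
    "cap_sys_admin": 21,
    "cap_sys_nice": 23,    # thread priority / CPU affinity
}

STATUS_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_status_caps(status_text):
    """Return {field: int} for the Cap* lines of a /proc status dump."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in STATUS_FIELDS:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def decode(mask):
    """Names of the known capabilities set in a capability bitmask."""
    return sorted(name for name, bit in CAP_BITS.items() if (mask >> bit) & 1)


def has_cap(caps, field, name):
    """True if capability `name` is present in set `field` (e.g. CapEff)."""
    return bool((caps.get(field, 0) >> CAP_BITS[name]) & 1)


def missing_for_reject(caps):
    """Capabilities libnet's raw-socket path needs that CapEff does not hold."""
    return [c for c in ("cap_net_raw",) if not has_cap(caps, "CapEff", c)]


# Constructed sample: a worker thread whose effective set was reduced to
# CAP_NET_ADMIN (bit 12 -> 0x1000) after the privilege drop. In this state
# socket(AF_INET, SOCK_RAW) fails with EPERM.
SAMPLE_STATUS_AFTER_DROP = """\
Name:\tW-NFQ#5
Uid:\t107\t107\t107\t107
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample: the same thread keeping net_admin, net_raw and sys_nice
# (bits 12, 13, 23 -> 0x803000), which matches the getcap output above.
SAMPLE_STATUS_OK = """\
Name:\tW-NFQ#5
CapPrm:\t0000000000803000
CapEff:\t0000000000803000
"""


def check_status_file(path):
    """Read a real /proc status file and return the missing capabilities."""
    with open(path) as f:
        return missing_for_reject(parse_status_caps(f.read()))


if __name__ == "__main__":
    # Usage: python3 capcheck.py /proc/$(cat /var/run/suricata.pid)/task/<tid>/status
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        missing = check_status_file(target)
    else:
        caps = parse_status_caps(SAMPLE_STATUS_AFTER_DROP)
        print("CapEff decodes to:", decode(caps["CapEff"]))
        missing = missing_for_reject(caps)
    print("missing for raw IPv4 socket:", missing or "nothing")
```

Running it against the constructed post-drop dump reports `cap_net_raw` as missing, which is exactly the condition that makes `libnet_open_raw4()` return "Operation not permitted". To use it on the live system, point it at the `status` file of the thread named in the log (`W-NFQ#5`; the thread ids are listed under `/proc/<pid>/task/`), and compare the decoded `CapEff` with the file capabilities from `getcap`. If `cap_net_raw` is present in the file but absent from the thread, the loss happens at the `--user` switch rather than at exec time.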