installing_and_configuring_suricata_on_debian_wheezy_en [2017/09/05 12:18] (current)
====== Installing and Configuring Suricata on Debian Wheezy ======

===== Configuring the new Kernel =====

We need at least kernel 3.12 and iptables 1.4.21, so let's add two new repositories.
<sxh bash>
vim /etc/apt/sources.list
[...]
deb http://ftp.br.debian.org/debian testing main contrib non-free
deb http://ftp.br.debian.org/debian/ wheezy-backports main
</sxh>

Now we need to define the default priorities apt uses when installing a new package from these repositories, so that stable stays preferred and backports or testing are only used when we ask for them explicitly with -t.
<sxh bash>
vim /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=wheezy-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600
</sxh>

Now we need to update the package lists
<sxh bash>
apt-get update
</sxh>

Now let's install the new kernel image from wheezy-backports
<sxh bash>
apt-get -t wheezy-backports install linux-image-amd64 -y
</sxh>

Now let's install the latest iptables version from testing
<sxh bash>
apt-get -t testing install iptables -y
</sxh>

Now we need to reboot the server so the new kernel is in use
<sxh bash>
reboot
</sxh>

===== Installing Suricata =====

  * Prerequisites:
    * Debian Wheezy working as Suricata
      * IP: 192.168.1.252
    * Debian Wheezy working as Snorby
      * IP: 192.168.1.251
    * Debian Wheezy working as Apache
      * IP: 192.168.1.250

Now we need to install the dependencies for Suricata; first let's update the repositories
<sxh bash>
aptitude update && aptitude dist-upgrade -y
</sxh>

Now we need to install the dependencies like this
<sxh bash>
aptitude install build-essential pkg-config libpcre3 libpcre3-dbg libpcre3-dev libyaml-0-2 libyaml-dev \
autoconf automake libtool libpcap-dev libnet1-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev \
libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libgeoip-dev ethtool libmysqlclient-dev -y
</sxh>

Now we need to fetch the Suricata tarball and decompress it.
<sxh bash>
cd /usr/src
wget http://wiki.douglasqsantos.com.br/Downloads/snort/suricata-2.0.7.tar.gz
tar -xvzf suricata-2.0.7.tar.gz
cd suricata-2.0.7
</sxh>

Now we need to configure the sources to build Suricata with IPS (NFQUEUE) support
<sxh bash>
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip
</sxh>

Now let's compile and install Suricata; the install-full target also installs the configuration files and the rules
<sxh bash>
make && make install-full
</sxh>

Now let's update the shared library cache.
<sxh bash>
ldconfig
</sxh>

If you have problems with the rules, you can fetch the Emerging Threats ruleset manually with the following command
<sxh bash>
wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
</sxh>

Now we need to configure the Suricata main configuration file like this
<sxh yaml>
vim /etc/suricata/suricata.yaml
[...]
  - drop:
      enabled: yes
[...]
  - dns-log:
      enabled: yes
[...]
#line 784
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
[...]
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
[...]
    # Here we need to set up the networks in our company like below.
    HOME_NET: "[192.168.1.0/24]"
[...]
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [192.168.1.0/24, 192.168.1.252]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
</sxh>

Now we need to tune some kernel parameters so the host can handle a large number of packets per second. These values are written straight to /proc and /sys, so they take effect immediately but are not kept across a reboot.
<sxh bash>
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
PSNI=/proc/sys/net/ipv4
for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
</sxh>
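
The values written above to /proc and /sys take effect immediately but are gone after a reboot. The script below is an added example, not part of the original page, that records the same values in the places Debian applies at boot: /etc/sysctl.d for the /proc/sys keys, /etc/modprobe.d for hashsize (a parameter of the nf_conntrack module rather than a sysctl key) and /etc/modules for the conntrack modules. The file names 99-suricata.conf and nf_conntrack.conf are my choice, and the functions take their target directory as an argument so they can be exercised against a scratch directory first. The net.netfilter.* keys only exist once nf_conntrack is loaded, so if sysctl happens to run before the modules on your system, re-apply the file once with sysctl -p after boot.

```sh
#!/bin/sh
# Added example (not from the original page): make the kernel tuning above
# survive a reboot by writing it where Debian applies it at boot time.
# Each function takes the target directory as its argument and prints the
# file it wrote, so it can be tried against a scratch directory first.

# /proc/sys/... settings from the page, expressed as sysctl keys.
# The rp_filter and disable_ipv6 loops over conf/*/ become the "all" and
# "default" keys, which cover existing and future interfaces.
write_sysctl_conf() {
    out="$1/99-suricata.conf"
    cat > "$out" <<'EOF'
# Suricata IDS/IPS host tuning (mirrors the echo > /proc/sys/... commands)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_max = 2000000
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.netfilter.nf_conntrack_helper = 0
EOF
    printf '%s\n' "$out"
}

# hashsize is a parameter of the nf_conntrack module, not a sysctl key, so it
# is set as a module option (same effect as writing to
# /sys/module/nf_conntrack/parameters/hashsize after the module is loaded).
write_modprobe_conf() {
    out="$1/nf_conntrack.conf"
    printf 'options nf_conntrack hashsize=1000000\n' > "$out"
    printf '%s\n' "$out"
}

# Modules to load at boot, under their current names (the page's ip_conntrack,
# ip_conntrack_ftp and ip_nat_ftp are legacy aliases for them). Appends, so an
# existing /etc/modules keeps its entries.
write_modules_list() {
    out="$1/modules"
    printf '%s\n' nf_conntrack nf_conntrack_ftp nf_nat_ftp >> "$out"
    printf '%s\n' "$out"
}

# Read back the value of one key from a "key = value" sysctl file.
sysctl_value() {
    awk -v key="$2" '$1 == key { print $3 }' "$1"
}

# On the real host (as root):
#   write_sysctl_conf /etc/sysctl.d
#   write_modprobe_conf /etc/modprobe.d
#   write_modules_list /etc
#   sysctl -p /etc/sysctl.d/99-suricata.conf
```

Running the three functions against a temporary directory and reading the keys back with sysctl_value is a cheap way to check the generated files before touching /etc.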

Since this host is running as IDS/IPS, we need to disable the NIC offloading features on the interface, so that the packets reach Suricata exactly as they were on the wire instead of being checksummed, segmented or coalesced by the hardware.
<sxh bash>
ethtool -K eth0 tx off
ethtool -K eth0 tso off
ethtool -K eth0 gro off
ethtool -K eth0 rxvlan off
ethtool -K eth0 txvlan off
</sxh>

Now we can start Suricata. Note that with -i eth0 it runs as a passive IDS on the interface (the alerts logged later show "action":"allowed"); the --enable-nfqueue build is what makes inline IPS mode possible, which is started with -q <queue-id> together with an iptables NFQUEUE rule.
<sxh bash>
suricata -c /etc/suricata/suricata.yaml -i eth0 -D
</sxh>

Now we need to redirect the connections arriving on port 80 to the other server, where Apache is running
<sxh bash>
iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
</sxh>

Here we redirect the incoming connections that arrive at Suricata to the Apache server, and then masquerade the network so the replies return through the Suricata host.

Now on the Apache server we need to configure it to use the Suricata host as its gateway.
<sxh bash>
route del default
route add default gw 192.168.1.252
</sxh>

Now we need to test the connection to the internet like this
<sxh bash>
ping 8.8.8.8
</sxh>

Now on the Suricata host let's follow the HTTP log like this
<sxh bash>
tail -f /var/log/suricata/http.log
</sxh>

Now from another computer we need to run a test scan against the Suricata host like this
<sxh bash>
nikto -h 192.168.1.252 -C all
</sxh>

In the log files we'll get something like this
<sxh bash>
04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.041728 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.041742 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.043356 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.043366 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.045458 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.045487 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.046864 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.046878 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.051718 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.051819 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.054704 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.054727 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.056559 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.056605 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
</sxh>

Now on the Suricata host let's follow another log file, the EVE JSON output.
<sxh bash>
tail -f /var/log/suricata/eve.json
</sxh>

Now from another machine let's run a port scan against the Suricata host like this
<sxh bash>
nmap -sS -v -n -A 192.168.1.252 -T4
</sxh>

In the logs we'll get something like this
<sxh bash>
{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538840","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538873","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790094","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790130","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779427","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779493","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.955370","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.955402","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.081111","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.081145","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.231245","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.231273","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:37.107218","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:37.107283","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.356211","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.356276","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.856659","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.856711","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184192","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184238","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514244","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514282","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588082","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588140","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838373","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838415","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017505","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017541","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244572","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244597","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792766","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:45.792771","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
</sxh>
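
Reading the http.log and eve.json samples above by eye gets hard quickly. The script below is an added example, not part of the original page, that summarises both logs with POSIX tools only (grep, sed, awk, sort, uniq). It relies on two things visible in the output above: Suricata writes one JSON object per line, and because of the DNAT rule every client request shows up twice, once from the real client and once re-sourced from the Suricata host itself (192.168.1.252). The counts therefore skip entries sourced from that host: in http.log those are the post-DNAT copies, in eve.json they are the host's own ICMP echo replies to the scanner. The sample lines are constructed to resemble the page's output (signature id 9000001 and its text are made up); on a real host feed the functions the log files on stdin. Where jq is available it is the better tool for the EVE JSON.

```sh
#!/bin/sh
# Added example (not from the original page): summarise Suricata's http.log and
# eve.json with POSIX tools only. All functions read the log on stdin.

# The IDS/IPS host from the page; traffic sourced from it is left out of the
# counts (post-DNAT copies in http.log, its own echo replies in eve.json).
SURICATA_IP=192.168.1.252

# Constructed http.log lines in Suricata 2.0's default format. Lines 1 and 2
# are the same client request before and after DNAT, as on the page.
SAMPLE_HTTP='04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:50.000001 192.168.1.252 [**] /index.html [**] Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0 [**] 192.168.1.10:51000 -> 192.168.1.252:80
04/13/2015-17:08:51.000001 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34357 -> 192.168.1.252:80'

# Constructed eve.json lines (one JSON object per line). Signature id 9000001
# and its text are made up for the sample.
SAMPLE_EVE='{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_method":"GET","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:50.000000","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED sample signature","category":"","severity":2}}'

# http.log: requests per real client IP. The 4th " [**] "-separated field is
# "src:port -> dst:port"; post-DNAT copies are sourced from SURICATA_IP.
http_requests_by_client() {
    awk -v self="$SURICATA_IP" '
        BEGIN { FS = " \\[\\*\\*\\] " }
        { split($4, ep, ":"); if (ep[1] != self) print ep[1] }' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# eve.json: alerts per signature, printed as "<count> <sid> <signature text>".
eve_alerts_by_signature() {
    grep '"event_type":"alert"' |
        sed -n 's/.*"signature_id":\([0-9]*\),.*"signature":"\([^"]*\)".*/\1 \2/p' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# eve.json: alerts per source IP, excluding the IDS host itself (its own ICMP
# echo replies to the scanner also trigger the "unknown code" signature).
eve_alerts_by_src() {
    grep '"event_type":"alert"' |
        grep -o '"src_ip":"[^"]*"' |
        sed 's/"src_ip":"//; s/"$//' |
        awk -v self="$SURICATA_IP" '$0 != self' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Against the sample data (on a real host: ... < /var/log/suricata/eve.json):
#   printf '%s\n' "$SAMPLE_HTTP" | http_requests_by_client
#   printf '%s\n' "$SAMPLE_EVE" | eve_alerts_by_signature
#   printf '%s\n' "$SAMPLE_EVE" | eve_alerts_by_src
```

The per-client count is the quickest way to spot a scanner in the web log, since Nikto and the Nmap scripting engine change their user agent per test but not their source address; the per-signature count shows which rules are firing most, and the per-source count is what you would feed into any follow-up.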

We can check on the Apache server too that we have a lot of connections, like this. Note that, because of the MASQUERADE rule, Apache records the Suricata host (192.168.1.252) as the client for every request; the real source of the scan (192.168.1.254) is only visible in the Suricata logs.
<sxh bash>
tail -f /var/log/apache2/access.log
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-915/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /mpcgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ows-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-sys/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-local/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 545 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /htbin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 542 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgis/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 540 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scripts/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-win/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /fcgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-exe/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-home/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-perl/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf  HTTP/1.1" 404 544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /sitemap.gz HTTP/1.1" 404 526 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003582)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /content/sitemap.gz HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003583)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /icons/README HTTP/1.1" 200 5375 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003584)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /localstart.asp HTTP/1.1" 404 530 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003585)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/update.php HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003586)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/login.php HTTP/1.1" 404 533 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003587)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/docs/README HTTP/1.1" 404 535 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003588)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/webcgi/about HTTP/1.1" 404 536 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003589)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /webservices/IlaWebServices HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003590)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /SoundBridgeStatus.html HTTP/1.1" 404 537 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003591)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 404 551 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003592)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /phone/ HTTP/1.1" 404 521 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003593)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /Host/Portals/tabid/19/ctl/Login/portalid/0/Default.aspx HTTP/1.1" 404 570 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003594)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/jspx/textRotate.jspx?name=<script>alert(111)</script> HTTP/1.1" 404 553 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003595)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/implicit-objects.jsp?foo=<script>alert(112)</script> HTTP/1.1" 404 556 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003596)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/functions.jsp?foo=<script>alert(113)</script> HTTP/1.1" 404 549 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003597)"
 +
 +</​sxh>​
 +
 +Now let's put Suricata to work as an IPS. For testing purposes only, set HOME_NET and EXTERNAL_NET to "any" in the main Suricata configuration file, so that every queued packet is inspected (the commented lines show the network-specific values).
 +<sxh bash>
 +vim /etc/suricata/suricata.yaml
 +[...]
 +    HOME_NET: "any"
 +    #HOME_NET: "[192.168.1.0/24]"
 +
 +    EXTERNAL_NET: "any"
 +    #EXTERNAL_NET: "!$HOME_NET"
 +</sxh>
 +
 +Now let's back up the rule files
 +<sxh bash>
 +cp -Rfa /etc/suricata/rules ~/rules
 +</sxh>
 +
 +Now change the action of the rules in the following rule files from alert to drop, so that matching traffic is blocked instead of only logged
 +<sxh bash>
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-scan.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_server.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_specific_apps.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_client.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/drop.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/stream-events.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-policy.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-shellcode.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/decoder-events.rules
 +sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-exploit.rules
 +</sxh>
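The sed commands above flip every rule in a whole file to drop, including signatures that are noisy or that you have not vetted. As an added example (not part of the original page), the helper below converts only the listed sids, so a single signature such as the Nikto rule 2002677 that fires in the logs below can be made blocking on its own; the sample rules file is constructed for the demo and the 9000xxx sids are made up.

```bash
#!/bin/bash
# Added example, not from the original page: convert only the rules whose
# sid is listed from "alert" to "drop" and leave every other rule as it is.
# Usage: rules_sids_to_drop <rules-file> <sid> [<sid> ...]
# Prints the number of rules whose action was changed.
rules_sids_to_drop() {
    file="$1"; shift
    tmp="${file}.tmp.$$"
    # One regex per sid, e.g. "sid: *2002677;", so that sid:12002677 does
    # not match and optional whitespace after "sid:" is tolerated.
    # Commented-out rules ("#alert ...") never match /^alert /.
    awk -v sids="$*" -v out="$tmp" '
        BEGIN { n = split(sids, a, " "); for (i = 1; i <= n; i++) re[i] = "sid: *" a[i] ";" }
        /^alert / {
            for (i = 1; i <= n; i++)
                if ($0 ~ re[i]) { sub(/^alert /, "drop "); changed++; break }
        }
        { print > out }
        END { print changed + 0 }
    ' "$file" && mv "$tmp" "$file"
}

# Count the active rules in a file that carry the given action ("alert" or "drop").
# Usage: count_action <rules-file> <action>
count_action() {
    grep -c "^$2 " "$1" || true
}

# Constructed sample rules file for the demo. sid 2002677 is the Nikto
# signature that fires in the logs below; the 9000xxx sids are made up.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nikto Web App Scan in Progress"; sid:2002677; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE policy rule, too noisy to block"; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE disabled rule"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE exploit rule"; sid:9000003; rev:1;)
EOF
}
```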
 +
 +Now stop the running Suricata process
 +<sxh bash>
 +PSU=$(pidof suricata); kill -9 $PSU
 +</sxh>
 +
 +Now start Suricata in inline (IPS) mode, reading packets from NFQUEUE queue 0 and running as a daemon
 +<sxh bash>
 +suricata -c /etc/suricata/suricata.yaml -q 0 -D
 +</sxh>
 +
 +Now redirect all port 80 traffic that crosses the FORWARD chain to the queue; Suricata processes every queued packet and decides whether it is accepted or dropped.
 +<sxh bash>
 +iptables -P FORWARD DROP
 +iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
 +iptables -A FORWARD -p tcp --sport 80 -j NFQUEUE
 +</​sxh>​
 +
 +Now we can follow the Suricata logs
 +<sxh bash>
 +tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log
 +</sxh>
 +
 +Now run a test scan from another machine against the Suricata host.
 +<sxh bash>
 +nikto -h 192.168.1.252 -C all
 +</​sxh>​
 +
 +Now we can check the Suricata log files
 +<sxh bash>
 +tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log
 +==> /​var/​log/​suricata/​fast.log <==
 +04/​13/​2015-17:​21:​44.772236 ​ [Drop] [**] [1:​2002677:​13] ET SCAN Nikto Web App Scan in Progress [**] [Classification:​ Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:​34840 -> 192.168.1.250:​80
 +
 +==> /​var/​log/​suricata/​drop.log <==
 +04/​13/​2015-17:​21:​44.772236:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=7455 PROTO=TCP SPT=34840 DPT=80 SEQ=812639632 ACK=3464940515 WINDOW=262 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​21:​47.918031:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=586 TOS=0x00 TTL=63 ID=47579 PROTO=TCP SPT=80 DPT=34840 SEQ=3464939981 ACK=812639632 WINDOW=2346 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​21:​54.774944:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=23285 PROTO=TCP SPT=34845 DPT=80 SEQ=1536905794 ACK=3348384629 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​21:​55.772148:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34845 SEQ=3348384628 ACK=1536905794 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​04.779775:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=49545 PROTO=TCP SPT=34858 DPT=80 SEQ=1308021760 ACK=1100202517 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​05.972261:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34858 SEQ=1100202516 ACK=1308021760 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​14.790753:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=202 TOS=0x00 TTL=63 ID=3168 PROTO=TCP SPT=34866 DPT=80 SEQ=3727036513 ACK=3268194257 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​16.171470:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34866 SEQ=3268194256 ACK=3727036513 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​24.795966:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=50075 PROTO=TCP SPT=34878 DPT=80 SEQ=3459769758 ACK=1952858872 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​25.971993:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34878 SEQ=1952858871 ACK=3459769758 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​34.808455:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=199 TOS=0x00 TTL=63 ID=57943 PROTO=TCP SPT=34885 DPT=80 SEQ=2584071583 ACK=1252079019 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​36.172188:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34885 SEQ=1252079018 ACK=2584071583 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +
 +==> /​var/​log/​suricata/​fast.log <==
 +04/​13/​2015-17:​22:​44.827179 ​ [Drop] [**] [1:​2002677:​13] ET SCAN Nikto Web App Scan in Progress [**] [Classification:​ Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:​34894 -> 192.168.1.250:​80
 +
 +==> /​var/​log/​suricata/​drop.log <==
 +04/​13/​2015-17:​22:​44.827179:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=51878 PROTO=TCP SPT=34894 DPT=80 SEQ=675935592 ACK=4002722971 WINDOW=262 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​47.995799:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=5199 PROTO=TCP SPT=80 DPT=34894 SEQ=4002722443 ACK=675935592 WINDOW=2346 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​54.829643:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=26662 PROTO=TCP SPT=34897 DPT=80 SEQ=3048942461 ACK=420962227 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​22:​56.372487:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34897 SEQ=420962226 ACK=3048942461 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​04.838129:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=13814 PROTO=TCP SPT=34900 DPT=80 SEQ=292845803 ACK=2369351393 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​06.172247:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34900 SEQ=2369351392 ACK=292845803 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​14.849031:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=10016 PROTO=TCP SPT=34909 DPT=80 SEQ=2092855804 ACK=2654305631 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​15.972834:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34909 SEQ=2654305630 ACK=2092855804 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​24.859782:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=37382 PROTO=TCP SPT=34912 DPT=80 SEQ=4239520425 ACK=1204384680 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​26.372347:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34912 SEQ=1204384679 ACK=4239520425 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​34.867725:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=20552 PROTO=TCP SPT=34917 DPT=80 SEQ=821639733 ACK=3031914370 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​36.172463:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34917 SEQ=3031914369 ACK=821639733 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +
 +==> /​var/​log/​suricata/​fast.log <==
 +04/​13/​2015-17:​23:​44.916071 ​ [Drop] [**] [1:​2002677:​13] ET SCAN Nikto Web App Scan in Progress [**] [Classification:​ Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:​34927 -> 192.168.1.250:​80
 +
 +==> /​var/​log/​suricata/​drop.log <==
 +04/​13/​2015-17:​23:​44.916071:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=37617 PROTO=TCP SPT=34927 DPT=80 SEQ=2943871269 ACK=1547692160 WINDOW=262 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​48.076577:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=580 TOS=0x00 TTL=63 ID=4861 PROTO=TCP SPT=80 DPT=34927 SEQ=1547691632 ACK=2943871269 WINDOW=2346 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​54.927989:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=201 TOS=0x00 TTL=63 ID=4771 PROTO=TCP SPT=34930 DPT=80 SEQ=1683975337 ACK=473377258 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​23:​56.172266:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34930 SEQ=473377257 ACK=1683975337 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +04/​13/​2015-17:​24:​04.939915:​ IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=27939 PROTO=TCP SPT=34933 DPT=80 SEQ=539880178 ACK=2700461480 WINDOW=229 ACK PSH RES=0x00 URGP=0
 +04/​13/​2015-17:​24:​06.372664:​ IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34933 SEQ=2700461479 ACK=539880178 WINDOW=14480 SYN ACK RES=0x00 URGP=0
 +</​sxh>​
 +
 +As we can see in fast.log, the [Drop] marker indicates that the packet was dropped and was not forwarded to the Apache server; drop.log lists the connections that were dropped.
 +
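To see which signatures are dropping and from where without reading fast.log line by line, the following added example (not from the original page) summarises a fast.log file per action, sid and source/destination pair; it also handles the [wDrop] marker Suricata writes when a drop rule matches while the engine runs in IDS mode. The sample log is constructed from the three Drop lines above plus one made-up alert-only line.

```bash
#!/bin/bash
# Added example, not from the original page: summarise Suricata's fast.log
# as one line per (action, sid, source -> destination) with a hit count.
# Field 2 of a fast.log line is "[Drop]" (or "[wDrop]" when a drop rule
# matched in IDS mode); plain alerts have "[**]" there instead.
# Usage: fast_log_summary <fast.log>
fast_log_summary() {
    awk '
        # skip blank lines and anything that does not start with a timestamp
        !/^[0-9]/ { next }
        {
            action = "alert"
            if ($2 != "[**]") { action = tolower($2); gsub(/\[|]/, "", action) }
            # the "[gid:sid:rev]" token follows the first "[**]"
            sig = ""
            for (i = 2; i <= NF; i++) if ($i == "[**]") { sig = $(i + 1); break }
            gsub(/\[|]/, "", sig)
            split(sig, s, ":")
            # "src:port -> dst:port" are the last three fields; strip the ports
            src = $(NF - 2); sub(/:[0-9]+$/, "", src)
            dst = $NF;       sub(/:[0-9]+$/, "", dst)
            hits[action " " s[2] " " src " -> " dst]++
        }
        END { for (k in hits) print k, hits[k] }
    ' "$1" | sort
}

# Constructed sample: the three [Drop] lines from the tail output above plus
# one made-up alert-only line (sid 9000001 is not a real ET signature).
write_sample_fast_log() {
    cat > "$1" <<'EOF'
04/13/2015-17:21:44.772236  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80
04/13/2015-17:22:44.827179  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80
04/13/2015-17:23:44.916071  [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34927 -> 192.168.1.250:80
04/13/2015-17:25:01.000000  [**] [1:9000001:1] SAMPLE alert-only rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51000 -> 192.168.1.250:80
EOF
}
```

Run it as `fast_log_summary /var/log/suricata/fast.log` on the IPS host; a sid that shows up as alert but was meant to block points at a rule file the sed step above did not cover.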
 +
 +If we check the Apache log files now, we see far fewer requests than before, when there was no IPS in front of the server.
 +<sxh bash>
 +tail -f /var/log/apache2/access.log
 +192.168.1.252 - - [13/​Apr/​2015:​17:​22:​45 -0300] "GET /​PIzR7b1c.el HTTP/​1.1"​ 404 527 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​22:​45 -0300] "GET /​PIzR7b1c.axd HTTP/​1.1"​ 404 528 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​23:​45 -0300] "GET /​PIzR7b1c.jse HTTP/​1.1"​ 404 529 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​23:​45 -0300] "GET /​PIzR7b1c.tmp HTTP/​1.1"​ 404 528 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​23:​45 -0300] "GET /​PIzR7b1c.dpgs HTTP/​1.1"​ 404 529 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​23:​45 -0300] "GET /​PIzR7b1c.mdb HTTP/​1.1"​ 404 528 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​24:​46 -0300] "GET /​PIzR7b1c.shtml HTTP/​1.1"​ 404 531 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​24:​46 -0300] "GET /​PIzR7b1c.cfg HTTP/​1.1"​ 404 528 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​24:​46 -0300] "GET /​PIzR7b1c.bas:​ShowVolume HTTP/​1.1"​ 404 539 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +192.168.1.252 - - [13/​Apr/​2015:​17:​24:​46 -0300] "GET /​PIzR7b1c.chl+ HTTP/​1.1"​ 404 529 "​-"​ "​Mozilla/​4.75 (Nikto/​2.1.4) (Evasions:​None) (Test:​map_codes)"​
 +</​sxh>​
 +
 +Testing DDoS.
 +
 +**Note:** Be aware that this can bring down the switch or router.
 +
 +We can test a SYN flood with the following command
 +<sxh bash>
 +t50 192.168.1.252 --flood -S --turbo --dport 80
 +</​sxh>​
 +
 +or we can use the following command
 +<sxh bash>
 +hping3 -S 192.168.1.252 -p 80 --flood
 +</​sxh>​
 +
 +===== Installing and Configuring the Barnyard2 =====
 +
 +Barnyard2 feeds the Snorby database with the Suricata logs; it has to be installed on the Suricata server.
 +
 +We need to fetch the tarball and decompress it.
 +
 +<sxh bash>
 +cd /usr/src
 +wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/barnyard2-1.9.tar.gz
 +tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
 +</sxh>
 +
 +Now we need to configure the package with <nowiki>MySQL</nowiki> support
 +
 +<sxh bash>
 +./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ --sysconfdir=/etc/suricata --prefix=/usr --localstatedir=/var
 +</​sxh>​
 +
 +Now let's compile it.
 +
 +<sxh bash>
 +make && make install clean
 +</​sxh>​
 +
 +Now create the Barnyard2 log directory
 +<sxh bash>
 +mkdir /var/log/barnyard2
 +</sxh>
 +
 +Now let's make some changes in the Barnyard2 configuration file
 +<sxh bash>
 +vim /etc/suricata/barnyard2.conf
 +[...]
 +config reference_file:      /etc/suricata/rules/reference.config
 +config classification_file: /etc/suricata/rules/classification.config
 +config gen_file:            /etc/suricata/rules/gen-msg.map
 +config sid_file:            /etc/suricata/rules/sid-msg.map
 +[...]
 +config hostname:        ips01
 +config interface:       eth0
 +[...]
 +output alert_fast
 +# Add the line below at the end of the file; change the values as needed.
 +output database: log, mysql, user=snorby password=senha dbname=snorby host=192.168.1.251
 +</sxh>
 +
 +Now stop Suricata
 +<sxh bash>
 +PSU=$(pidof suricata); kill -9 $PSU
 +</sxh>
 +
 +Now let's start the Suricata and Barnyard2 daemons.
 +<sxh bash>
 +suricata -c /etc/suricata/suricata.yaml -q 0 -D
 +barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
 +</sxh>
 +
 +====== Configuring the Scripts ======
 +
 +Now stop the Suricata and Barnyard2 processes
 +<sxh bash>
 +PSU=$(pidof suricata); kill -9 $PSU
 +PSU=$(pidof barnyard2); kill -9 $PSU
 +</sxh>
 +
 +Now create a <nowiki>SystemV</nowiki> init script so that Suricata and Barnyard2 are launched at boot time.
 +<sxh bash>
 +vim /etc/init.d/suribarn
 +#!/bin/bash
 +### BEGIN INIT INFO
 +# Provides: suribarn
 +# Required-Start:       $remote_fs $syslog
 +# Required-Stop:        $remote_fs $syslog
 +# Default-Start:        2 3 4 5
 +# Default-Stop:         0 1 6
 +# Short-Description: Bring up/Down Suricata and Barnyard
 +### END INIT INFO
 +### VARIABLES USED IN THE SCRIPT ###
 +BARNYARD="/usr/bin/barnyard2"
 +SURICATA="/usr/bin/suricata"
 +SURICATA_CONF="/etc/suricata/suricata.yaml"
 +SURICATA_LOG="/var/log/suricata"
 +BARNYARD_CONF="/etc/suricata/barnyard2.conf"
 +BARNYARD_ALERT="unified2.alert"
 +WALDO="/var/log/suricata/suricata.waldo"
 +KILL="/bin/kill"
 +RED="\033[01;31m"
 +GREEN="\033[01;32m"
 +YELLOW="\033[01;33m"
 +CLOSE="\033[m"
 +
 +case $1 in
 +        start)
 +        echo -e "${GREEN} Starting Suricata !!! ${CLOSE}"
 +        # -q 0: read packets from NFQUEUE queue 0 (inline IPS mode); -D: run as a daemon
 +        ${SURICATA} -c ${SURICATA_CONF} -q 0 -D > /dev/null
 +        echo -e "${GREEN} Starting Barnyard2 !!! ${CLOSE}"
 +        # read the unified2 spool from the Suricata log directory, tracking the position in the waldo file
 +        ${BARNYARD} -c ${BARNYARD_CONF} -d ${SURICATA_LOG} -f ${BARNYARD_ALERT} -w ${WALDO} -D > /dev/null
 +        ;;
 +        stop)
 +        PSU=$(pidof suricata)
 +        # the PID variables are quoted so that an empty value does not leave the test with a bare operator
 +        if [ -n "${PSU}" ]; then
 +         echo -e "${RED} Stopping Suricata !!! ${CLOSE}"
 +         ${KILL} -9 ${PSU}
 +        else
 +           echo -e "${RED} Suricata is not running!!!${CLOSE}"
 +        fi
 +
 +        PBA=$(pidof barnyard2)
 +        if [ -n "${PBA}" ]; then
 +         echo -e "${RED} Stopping Barnyard2 !!! ${CLOSE}"
 +         ${KILL} -9 ${PBA}
 +        else
 +           echo -e "${RED} Barnyard2 is not running!!!${CLOSE}"
 +        fi
 +        ;;
 +   restart)
 +                $0 stop
 +                $0 start
 +        ;;
 +   status)
 +        PSU=$(pidof suricata)
 +        if [ -n "${PSU}" ]; then
 +         echo -e "${YELLOW} Suricata is running with PID: ${GREEN} $PSU ${CLOSE} ${CLOSE}"
 +        else
 +           echo -e "${RED} Suricata is not running!!!${CLOSE}"
 +        fi
 +
 +        PBA=$(pidof barnyard2)
 +        # test the Barnyard2 PID here, not the Suricata one
 +        if [ -n "${PBA}" ]; then
 +         echo -e "${YELLOW} Barnyard2 is running with PID: ${GREEN} $PBA ${CLOSE} ${CLOSE}"
 +        else
 +           echo -e "${RED} Barnyard2 is not running!!! ${CLOSE}"
 +        fi
 +        ;;
 +        *)
 +                echo -e "${RED} usage: $0 (start|stop|restart|status) ${CLOSE}"
 +        ;;
 +esac
 +</sxh>
 +
 +Now make the script executable
 +<sxh bash>
 +chmod +x /etc/init.d/suribarn
 +</sxh>
 +
 +Now register the service so that it is launched at boot time.
 +<sxh bash>
 +insserv -f -v suribarn
 +</sxh>
 +
 +
 +Now create the directory that will hold the firewall scripts
 +<sxh bash>
 +mkdir /etc/firewall
 +</sxh>
 +
 +
 +Now let's create the firewall init script
 +<sxh bash>
 +vim /etc/init.d/rc.firewall
 +#!/bin/sh
 +#-------------------------------------------------#
 +# Author: Douglas Quintiliano dos Santos
 +# Date: 14/04/2015
 +#-------------------------------------------------#
 +### BEGIN INIT INFO
 +# Provides:             rc.firewall
 +# Required-Start:       $remote_fs $syslog
 +# Required-Stop:        $remote_fs $syslog
 +# Default-Start:        2 3 4 5
 +# Default-Stop:
 +# Short-Description:    Firewall
 +### END INIT INFO
 +
 +# Load the variables (colours, sysctl paths, networks and command aliases)
 +. /etc/firewall/variables
 +
 +case $1 in
 +  start)
 +    echo "${GREEN}[         Iniciando Firewall        ]${CLOSE}"
 +    . /etc/firewall/firewall-start
 +    echo "${GREEN}[         Firewall Iniciado         ]${CLOSE}"
 +
 +  ;;
 +  stop)
 +   echo "${RED}[         Parando Firewall ...      ]${CLOSE}";
 +   . /etc/firewall/firewall-stop
 +   echo "${RED}[         Firewall Parado           ] ${CLOSE}";
 +  ;;
 +  restart)
 +     $0 stop
 +     $0 start
 +   ;;
 +
 +  *)
 +   echo  "${RED}Valid Options:(start|stop|restart)${CLOSE}"
 +  ;;
 +esac
 +</sxh>
 +
 +Now let's create the firewall-start script file
 +<sxh bash>
 +vim /etc/firewall/firewall-start
 +# Load the variables
 +. /etc/firewall/variables
 +
 +### Loading some modules
 +${MODPROBE} ip_conntrack
 +${MODPROBE} ip_conntrack_ftp
 +${MODPROBE} ip_nat_ftp
 +
 +### Adjusting some kernel parameters
 +echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
 +echo 1 > ${PSNIV4}/tcp_syncookies
 +echo 1 > ${PSNIV4}/tcp_timestamps
 +echo 1 > ${PSNIV4}/ip_forward
 +echo 0 > ${PSNN}/nf_conntrack_tcp_loose
 +echo 2000000 > ${PSNN}/nf_conntrack_max
 +for END in ${PSNIV4}/conf/*/rp_filter ; do echo 1 > ${END} ; done
 +echo 0 > ${PSNIV4}/icmp_echo_ignore_all
 +echo 1 > ${PSNIV4}/icmp_echo_ignore_broadcasts
 +for END in ${PSNIV6}/conf/*/disable_ipv6 ; do echo 1 > ${END} ; done
 +echo 0 > ${PSNN}/nf_conntrack_helper
 +
 +### Disabling NIC offloads so the IPS sees packets as they are on the wire
 +${ETHTOOL} -K ${INT_LAN} tx off
 +${ETHTOOL} -K ${INT_LAN} tso off
 +${ETHTOOL} -K ${INT_LAN} gro off
 +${ETHTOOL} -K ${INT_LAN} rxvlan off
 +# ${ETHTOOL} -K ${INT_LAN} txvlan off
 +
 +### Cleaning up
 +${IPTABLES} -t filter -F
 +${IPTABLES} -t filter -X
 +${IPTABLES} -t nat -F
 +${IPTABLES} -t nat -X
 +${IPTABLES} -t raw -F
 +${IPTABLES} -t raw -X
 +
 +### ALLOWING LOOPBACK
 +${IPTABLES} -A INPUT -s 127.0.0.1/32 -j ACCEPT
 +
 +### INPUT
 +${IPTABLES} -P INPUT DROP
 +${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
 +${IPTABLES} -A INPUT -f -j DROP
 +
 +### Allowing access to SSH (through Suricata)
 +${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -t filter -A INPUT -p tcp --sport ${SSH_PORT} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING ACCESS FROM LAN
 +${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
 +${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
 +
 +### NAT
 +${PRE_EXT} -d ${EXT_F252} ${TCP} --dport ${HTTP_PORT} -j DNAT --to ${APACHE}
 +${POS_EXT} -s ${LAN_NETWORK} -j MASQUERADE
 +
 +
 +### FORWARD
 +${IPTABLES} -P FORWARD DROP
 +${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
 +${IPTABLES} -A FORWARD -f -j DROP
 +${IPTABLES} -A FORWARD ${TCP} --dport ${HTTP_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} --sport ${HTTP_PORT} -j NFQUEUE ${SURICATA}
 +</sxh>
 +
 +Now create the firewall-stop script
 +<sxh bash>
 +vim /etc/firewall/firewall-stop
 +### Loading variables
 +. /etc/firewall/variables
 +
 +### Cleaning up the rules
 +${IPTABLES} -t filter -F
 +${IPTABLES} -t filter -X
 +${IPTABLES} -t raw -F
 +${IPTABLES} -t raw -X
 +${IPTABLES} -P INPUT ACCEPT
 +${IPTABLES} -P FORWARD ACCEPT
 +</sxh>
 +
 +Now create the variables file
 +<sxh bash>
 +vim /etc/firewall/variables
 +### Colors used
 +GREY="\033[01;30m"
 +RED="\033[01;31m"
 +GREEN="\033[01;32m"
 +YELLOW="\033[01;33m"
 +BLUE="\033[01;34m"
 +PURPLE="\033[01;35m"
 +CYAN="\033[01;36m"
 +WHITE="\033[01;37m"
 +CLOSE="\033[m"
 +
 +### sysctl paths for IPv4, IPv6 and netfilter
 +PSNIV4="/proc/sys/net/ipv4"
 +PSNIV6="/proc/sys/net/ipv6"
 +PSNN="/proc/sys/net/netfilter"
 +
 +## Commands
 +IPTABLES="/sbin/iptables"
 +MODPROBE="/sbin/modprobe"
 +ETHTOOL="/sbin/ethtool"
 +
 +## NETWORKS
 +LAN_NETWORK="192.168.1.0/24"
 +
 +## INTERFACES
 +INT_LAN="eth0"
 +INT_WAN="eth0"
 +
 +## EXTERNAL IP
 +EXT_F252="192.168.1.252"
 +
 +## SERVERS
 +APACHE="192.168.1.250"
 +
 +## PORTS
 +BACULA_PORT="9102"
 +ZABBIX_PORT="10050"
 +WTS_PORT="3389"
 +SSH_PORT="22022"
 +HTTP_PORT="80"
 +HTTP_PORTS="80,443"
 +HTTPS_PORT="443"
 +WEB_PORTS="80,443,3306"
 +DNS_PORT="53"
 +
 +## ALIAS
 +PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i ${INT_WAN} "
 +POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o ${INT_WAN} "
 +COM="-m comment --comment"
 +TCP="-p tcp -m tcp"
 +UDP="-p udp -m udp"
 +ICMP="-p icmp --icmp-type"
 +LIMIT="-m limit --limit"
 +DMULTIPORT="-m multiport --dports"
 +SMULTIPORT="-m multiport --sports"
 +LOG="LOG --log-prefix"
 +LOG_LEV="--log-level info"
 +# NFQUEUE queue number; it must match the -q argument Suricata is started with
 +SURICATA="--queue-num 0"
 +</sxh>
 +
 +Now make the script executable
 +<sxh bash>
 +chmod +x /etc/init.d/rc.firewall
 +</sxh>
 +
 +Now enable the new service
 +<sxh bash>
 +insserv -f -v rc.firewall
 +</sxh>
 +
 +**Note:** Be aware that when you start the service your current SSH session will be cut off, because every connection on the SSH port is forced through Suricata.
 +
 +Now start the service
 +<sxh bash>
 +/etc/init.d/rc.firewall restart
 +</sxh>
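Once the firewall hands traffic to NFQUEUE, the check worth making is whether queue 0 (the one Suricata is started with and that SURICATA="--queue-num 0" points at) actually has a listener, and whether the kernel is discarding queued packets. The functions below are an added example, not part of the original page or of Suricata or iptables; the proc file layout is the kernel's nfnetlink_queue format, and the sample proc and iptables -S contents are constructed for the test.

```bash
#!/bin/bash
# Added example, not from the original page or from Suricata/iptables.
# The kernel lists every bound NFQUEUE in /proc/net/netfilter/nfnetlink_queue,
# one line per queue:
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
# A queue with no line has no userspace listener, and packets that the
# firewall sends there are dropped by the kernel (the fail-closed behaviour
# behind the SSH note above). queue_dropped counts packets the kernel
# discarded because the queue was full (Suricata not keeping up);
# user_dropped counts packets lost on the netlink socket.
# Usage: nfqueue_status <queue-num> [<proc-file>]   (proc-file defaults to the real one)
nfqueue_status() {
    q="$1"
    proc="${2:-/proc/net/netfilter/nfnetlink_queue}"
    awk -v q="$q" '
        $1 == q {
            found = 1
            printf "listener=%s queued=%s kernel_dropped=%s user_dropped=%s\n", $2, $3, $6, $7
        }
        END { if (!found) { print "no listener on queue " q; exit 1 } }
    ' "$proc"
}

# List the rules that hand packets to NFQUEUE without --queue-bypass, i.e.
# the rules that block traffic outright whenever Suricata is not running.
# Reads "iptables -S" output from the file given as $1, or runs iptables -S.
# Usage: nfqueue_fail_closed_rules [<file>]
nfqueue_fail_closed_rules() {
    if [ -n "$1" ]; then cat "$1"; else iptables -S; fi |
        grep -- '-j NFQUEUE' | grep -v -- '--queue-bypass'
}

# Constructed sample of the proc file (not captured from a host): queue 0
# bound to netlink port 4321, 3 packets waiting, 12 dropped by the kernel.
write_sample_nfqueue() {
    printf '%s\n' '    0   4321     3 2 65535    12     0      9876  1' > "$1"
}

# Constructed "iptables -S" output mirroring the SSH and HTTP rules above.
write_sample_iptables() {
    cat > "$1" <<'EOF'
-P INPUT DROP
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22022 -j NFQUEUE --queue-num 0
-A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -s 192.168.1.0/24 -m comment --comment "ACCESS FROM LAN" -j ACCEPT
EOF
}
```

With the iptables 1.4.21 installed at the start of this page, adding --queue-bypass to an NFQUEUE rule lets packets pass when no program is bound to the queue, which turns the fail-closed behaviour above into fail-open; decide per rule which of the two you want.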
 +
 +====== Sample FW ======
 +
 +Here is a sample from a production setup.
 +
 +Let's take a look at the variables file
 +<sxh bash>
 +vim /​etc/​firewall/​variables ​
 +### VARIABLES
 +
 +### PATH
 +PSNI="/​proc/​sys/​net/​ipv4"​
 +PSNN="/​proc/​sys/​net/​netfilter"​
 +
 +### COMMANDS
 +MODPROBE="/​sbin/​modprobe"​
 +ETHTOOL="/​sbin/​ethtool"​
 +IPTABLES="/​sbin/​iptables"​
 +
 +### NETWORKS
 +LAN_NETWORK="​10.23.0.0/​24"​
 +
 +### SERVERS
 +ZABBIX="​10.23.0.117"​
 +BACULA="​10.23.0.198"​
 +WAPP01="​10.23.0.247"​
 +KACE_INT="​172.33.0.194"​
 +KACE_EXT="​200.200.200.34"​
 +EXT_FTP01="​200.200.200.46"​
 +DMZ_FTP01="​10.23.0.147"​
 +DMZ_FTP02="​10.23.0.246"​
 +DMZ_HTTP01="​10.23.0.143"​
 +DMZ_HTTP02="​10.23.0.247"​
 +
 +## EXTERNAL IP
 +EXT_F10="​177.177.177.10"​
 +EXT_F14="​177.177.177.14"​
 +
 +### PORTS
 +BACULA_PORT="​9102"​
 +ZABBIX_PORT="​10050"​
 +DEV_PORT="​2000"​
 +WTS_PORT="​3389"​
 +SSH_PORT="​22022"​
 +VOIP_TCP_PORTS="​5060:​5061"​
 +VOIP_UDP_PORTS="​5040:​5081,​10000:​20000"​
 +KACE_PORTS="​80,​139,​443,​445,​52230"​
 +FTP_PORTS="​20,​21,​12000:​12100"​
 +HTTP_PORT="​80"​
 +HTTP_PORTS="​80,​443"​
 +HTTPS_PORT="​443"​
 +WEB_PORTS="​80,​443,​3306"​
 +DNS_PORT="​53"​
 +
 +### ALIAS
 +PRE_EXT="​${IPTABLES} -t nat -A PREROUTING -i eno2 "
 +POS_EXT="​${IPTABLES} -t nat -A POSTROUTING -o eno2 "
 +COM="​-m comment --comment"​
 +TCP="​-p tcp -m tcp"
 +UDP="​-p udp -m udp"
 +ICMP="​-p icmp --icmp-type"​
 +LIMIT="​-m limit --limit"​
 +DMULTIPORT="​-m multiport --dports"​
 +SMULTIPORT="​-m multiport --sports"​
 +LOG="​LOG --log-prefix"​
 +LOG_LEV="​--log-level info"
 +SURICATA="​--queue-num 0"
 +</​sxh>​
 +
 +Let's take a look at firewall-start
 +<sxh bash>
 +vim /​etc/​firewall/​firewall-start ​
 +#!/bin/bash
 +### Loading variables
 +. /​etc/​firewall/​variables
 +
 +### Loading some modules
 +${MODPROBE} ip_conntrack
 +${MODPROBE} ip_conntrack_ftp
 +${MODPROBE} ip_nat_ftp
 +
 +### Adjusting some variables
 +echo 1000000 > /​sys/​module/​nf_conntrack/​parameters/​hashsize
 +echo 1 > ${PSNI}/​tcp_syncookies
 +echo 1 > ${PSNI}/​tcp_timestamps
 +echo 1 > ${PSNI}/​ip_forward
 +echo 0 > ${PSNN}/​nf_conntrack_tcp_loose
 +echo 2000000 > ${PSNN}/​nf_conntrack_max
 +for END in ${PSNI}/​conf/​*/​rp_filter ; do echo 1 > ${END} ; done
 +echo 0 > ${PSNI}/​icmp_echo_ignore_all
 +echo 1 > ${PSNI}/​icmp_echo_ignore_broadcasts
 +PSNI=/​proc/​sys/​net/​ipv6
 +for END in ${PSNI}/​conf/​*/​disable_ipv6 ; do echo 1 > ${END} ; done
 +## If the setting below is enabled, NAT does not work properly and FTP does not work in Explorer or Nautilus
 +#echo 0 > ${PSNN}/nf_conntrack_helper
 +
 +### Cleaning up the interface
 +${ETHTOOL} -K eno1 tx off
 +${ETHTOOL} -K eno1 tso off
 +${ETHTOOL} -K eno1 gro off
 +${ETHTOOL} -K eno1 rxvlan off
 +${ETHTOOL} -K eno1 txvlan off
 +
 +${ETHTOOL} -K eno2 tx off
 +${ETHTOOL} -K eno2 tso off
 +${ETHTOOL} -K eno2 gro off
 +${ETHTOOL} -K eno2 rxvlan off
 +${ETHTOOL} -K eno2 txvlan off
 +
 +
 +### Cleaning up
 +${IPTABLES} -t filter -F
 +${IPTABLES} -t filter -X
 +${IPTABLES} -t nat -F
 +${IPTABLES} -t nat -X
 +${IPTABLES} -t raw -F
 +${IPTABLES} -t raw -X
 +
 +### ALLOWING LOOPBACK
 +${IPTABLES} -A INPUT -s 127.0.0.1/​32 -j ACCEPT
 +
 +## Given more priority to VOIP
 +${IPTABLES} -t mangle -A OUTPUT -p udp -j DSCP --set-dscp-class EF
 +${IPTABLES} -t mangle -A FORWARD -p udp -j DSCP --set-dscp-class EF
 +
 +### INPUT
 +${IPTABLES} -P INPUT DROP
 +${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
 +${IPTABLES} -A INPUT -f -j DROP
 +${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,​RELATED -j NFQUEUE ${SURICATA}
 +
 +### FORWARD
 +${IPTABLES} -P FORWARD DROP
 +${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
 +${IPTABLES} -A FORWARD -f -j DROP
 +${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,​RELATED -j NFQUEUE ${SURICATA}
 +
 +
 +### Allowing access to SSH
 +${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -t filter -A INPUT -p tcp --sport ${SSH_PORT} -j NFQUEUE ${SURICATA}
 +
 +### DEV ACCESS TO WTS
 +${PRE_EXT} -d ${EXT_F10} -p tcp --dport ${DEV_PORT} -j DNAT --to ${WAPP01}:​${WTS_PORT} ${COM} "Joel access to WTS"
 +${POS_EXT} -d ${WAPP01} ${TCP} --dport ${WTS_PORT} -j SNAT --to ${EXT_F10}:​${DEV_PORT} ${COM} "Joel access to WTS"
 +${IPTABLES} -t filter -A FORWARD ${TCP} ${SMULTIPORT} ${DEV_PORT},​${WTS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -t filter -A FORWARD ${TCP} ${DMULTIPORT} ${DEV_PORT},​${WTS_PORT} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING VOIP
 +${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} ${DMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} ${SMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING KACE
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING ZABBIX
 +${IPTABLES} -A INPUT  ${TCP} --dport ${ZABBIX_PORT} -s ${ZABBIX} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A OUTPUT ​ ${TCP} --sport ${ZABBIX_PORT} -d ${ZABBIX} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING BACULA
 +${IPTABLES} -A INPUT ${TCP} --dport ${BACULA_PORT} -s ${BACULA} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A OUTPUT ${TCP} --sport ${BACULA_PORT} -d ${BACULA} -j NFQUEUE ${SURICATA}
 +
 +
 +### ALLOWING FTP
 +${IPTABLES} -A FORWARD -d ${EXT_FTP01} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -s ${EXT_FTP01} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING FTP 2
 +${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP01} ${COM} "FTP VARIAVEIS"​
 +${IPTABLES} -A FORWARD -s ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
 +${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP VARIAVEIS"​
 +${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP VARIAVEIS"​
 +
 +### ALLOWING FTP 3
 +${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP02} ${COM} "FTP EDUCACIONAL VARIAVEIS"
 +${IPTABLES} -A FORWARD -s ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
 +# traffic towards the FTP server (-d), matching the -s rule above, as in the FTP 2 block
 +${IPTABLES} -A FORWARD -d ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
 +${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP EDUCACIONAL VARIAVEIS"
 +${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP EDUCACIONAL VARIAVEIS"
 +
 +
 +### ALLOWING HTTP
 +${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP02} ${COM} "GABARITOS EDUCACIONAL"
 +${POS_EXT} -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "GABARITOS EDUCACIONAL"
 +${IPTABLES} -A FORWARD -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_HTTP02} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING HTTP2
 +${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP01} ${COM} "WEB 2VIA"
 +${POS_EXT} -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "WEB 2VIA"
 +${IPTABLES} -A FORWARD -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD -d ${DMZ_HTTP01} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING ACCESS FROM LAN
 +${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
 +${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
 +
 +### ALLOWING DNS QUERY
 +${IPTABLES} -A INPUT ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${UDP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
 +
 +### ALLOWING HTTP AND FTP ACCESS
 +${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
 +
 +
 +### ALLOWING ICMP
 +${IPTABLES} -A INPUT ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A INPUT ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +${IPTABLES} -A FORWARD ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
 +
 +### MASQUERADE
 +${IPTABLES} -t nat -A POSTROUTING -s ${LAN_NETWORK} -j MASQUERADE
 +</sxh>
 +
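A DMZ host queued to NFQUEUE in only one direction of FORWARD (for instance a copy-pasted "-s" rule where a "-d" rule was meant) silently leaves the other direction of that host's traffic outside Suricata's view. The following check is an added example, not part of the original page or of its firewall scripts: it reads iptables-save output and reports hosts that are queued in only one direction; the sample rule set and addresses in it are constructed.

```shell
#!/bin/bash
# Added example (not from the original page): find FORWARD hosts that are
# handed to Suricata via NFQUEUE in only one direction.

# Constructed iptables-save style input for the demo (not a real capture);
# 10.0.2.11 is queued only as a source, reproducing a duplicated "-s" line.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -s 10.0.2.10/32 -j NFQUEUE --queue-num 0
-A FORWARD -d 10.0.2.10/32 -j NFQUEUE --queue-num 0
-A FORWARD -s 10.0.2.11/32 -j NFQUEUE --queue-num 0
-A FORWARD -s 10.0.2.11/32 -j NFQUEUE --queue-num 0
-A FORWARD -s 10.0.0.0/24 -d 203.0.113.5/32 -p tcp -j NFQUEUE --queue-num 0
-A FORWARD -s 10.0.2.20/32 -p tcp -m multiport --dports 80,443 -j NFQUEUE --queue-num 0
-A FORWARD -d 10.0.2.20/32 -p tcp -m multiport --sports 80,443 -j NFQUEUE --queue-num 0
COMMIT'

# Reads iptables-save text on stdin and prints one line per host that is
# queued in only one direction ("<host> missing -d" or "<host> missing -s").
# Prints nothing when the rule set is symmetric. Rules carrying both -s and
# -d (LAN-to-external, return path handled elsewhere) are skipped on purpose.
check_nfqueue_symmetry() {
  awk '
    /^-A FORWARD / && /-j NFQUEUE/ {
      s = ""; d = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") s = $(i + 1)
        if ($i == "-d") d = $(i + 1)
      }
      if (s != "" && d == "") src[s] = 1
      if (d != "" && s == "") dst[d] = 1
    }
    END {
      for (h in src) if (!(h in dst)) print h " missing -d"
      for (h in dst) if (!(h in src)) print h " missing -s"
    }' | sort
}

# Live use on the firewall: iptables-save -t filter | check_nfqueue_symmetry
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_RULES" | check_nfqueue_symmetry
fi
```

Run it with `--demo` to see the constructed case; on the real box pipe `iptables-save -t filter` into the function and review each reported host before deciding whether the asymmetry is intended.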
 +
 +Let's take a look at firewall-stop
 +<sxh bash>
 +cat /etc/firewall/firewall-stop
 +#!/bin/bash
 +### Loading variables
 +. /etc/firewall/variables
 +
 +
 +### Cleaning up the rules
 +${IPTABLES} -t filter -F
 +${IPTABLES} -t filter -X
 +${IPTABLES} -t raw -F
 +${IPTABLES} -t raw -X
 +### The DNAT/SNAT/MASQUERADE rules from firewall-start live in the nat table
 +${IPTABLES} -t nat -F
 +${IPTABLES} -t nat -X
 +${IPTABLES} -P INPUT ACCEPT
 +${IPTABLES} -P FORWARD ACCEPT
 +${IPTABLES} -P OUTPUT ACCEPT
 +</sxh>
 +
 +Here we have the rules with some fixes: http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz
 +