IPS Network Problem

Please see this other thread:

The Deleted category is for rules that should not be used.
Please, review the manual:


@filippo_carletti, @giacomo thanks for the clarifications and sorry for my insistence.

Now it is clear to me what a correct set of rules for the production environment is.

Perhaps the set of old rules I had set before the update was less restrictive, and even though they were all set to block, it didn’t create the problems listed above.


My Alerts: Deleted, Trojan, Shellcode, Policy, TFTP; all the rest are Block.

Deleted are rules that have been deleted (pretty self explanatory), Trojan was blocking amazon prime video, shellcode blocks centos repos, so blocking nethserver updates, policy blocks nextcloud desktop app, and I am currently fixing a bricked router and need tftp to communicate :smiley:

New rules, new policies on implementing them. I like suricata 4 upgrade.

Applying these rules, all works fine; thanks to all.


Great post, could someone tell me how can I set the rules using the CLI?

I found that I can see Suricata current configuration with this:
db configuration show suricata or config show suricata

I think suricata configuration can be set using this command:
db configuration setprop suricata ...

But I don’t know exactly how. Could someone please aid me?

Straight from “private” nethesis knowledge base:

config setprop suricata AlertCategories ET-emerging-current_events,ET-emerging-ftp,ET-emerging-games,ET-emerging-inappropriate,ET-emerging-info,ET-emerging-misc,ET-emerging-mobile_malware,ET-emerging-p2p,ET-emerging-scan,ET-emerging-shellcode,ET-emerging-sql,ET-emerging-worm BlockCategories ET-botcc.portgrouped,ET-botcc,ET-ciarmy,ET-compromised,ET-drop,ET-dshield,ET-emerging-activex,ET-emerging-attack_response,ET-emerging-dos,ET-emerging-exploit,ET-emerging-malware,ET-emerging-netbios,ET-emerging-trojan


Thanks @filippo_carletti, I have read though that after changing a configuration one must fire up an event to make the system aware of it.

Like when you change a network interface, one must fire up signal-event interface-update. Does this also apply here?

Most database modifications have to be followed by an event to apply the settings.
Yours is nethserver-suricata-save


Again, thanks @filippo_carletti. One more thing: is there a way to get notified by email when a category set as Alert gets a new event?

@filippo_carletti you said in here this:

The trojan category should NOT be set to Block.

However, here you suggest that I use a setup that blocks ET-emerging-trojan. I was struggling because after I enabled Suricata with your configuration, I was unable to connect to community.nethserver.org (using dig community.nethserver.org I got this IP, and using Evebox I found a DROP on that IP falling into the ET TROJAN [PTsecurity] pkt checker 0 signature). I’m going to follow your advice about not setting the Trojan category to BLOCK, but this event got my attention anyway. How can I be sure this is just a false positive, and how can I report it?

In a new installation (NS 7.5) network connections only work if all categories are set to Alert. As soon as I set any category like Trojan or whatever to Block, the network stops.
Does that mean that Suricata is useless in NS?

I tried it now and can’t reproduce. I blocked Attack Response, Chat and FTP and network is still working.
Which categories did you use?

With all categories out and just Trojan on Alert, it works.
With Trojan set to Block, the network stops.
Okay, I can block Attack Response, too. Chat and FTP shall remain open. But Trojan being one of the most dangerous attacks cannot be blocked without paralyzing the network.

It may be blocked because of a DNS query to an external server instead of an internal one from LAN IIRC but I have to recheck…


I don’t have these ET TROJAN entries; you may use evebox to check why it is blocking.

Nope, Suricata does not work correctly. Blocking Malware or Trojans leads to TLS Handshake problems which make sites like leo.org unreachable. And evebox keeps loading in a loop without reporting anything.
I deactivated Suricata now but that is not a solution.

It really seems like the suricata/evebox installation does not work correctly. Does your server have enough RAM?
We have to find out why evebox does not work and why suricata blocks in an extreme way:
Are there any relevant errors in /var/log/messages or /var/log/suricata/*? The logs will show what suricata blocked.
Did you already try to remove and reinstall suricata/evebox?

The server has plenty of RAM.
The file suricata.log repeatedly spits out the warnings
- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can’t suppress sid 2011124, gid 1: unknown rule
- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can’t suppress sid 2022913, gid 1: unknown rule
Okay, I’ll give it a try and will remove suricata/evebox.

The removal and reinstallation of suricata/evebox did not change anything. But I found out something else that is strange:
There are two machines using the NS firewall as gateway, a Windows 10 PC and a Linux/Ubuntu client VM.
From the Windows PC it works; from the Linux desktop the TLS handshake is blocked. So, it’s not a matter of Suricata but of the virtualization. Unfortunately I have no idea where to search.


Please also check /var/log/suricata/fast.log, it should show at least source and destination of the blocked event (looks like ->

Now I see in Evebox Events that traffic to the ports 443 and 3000 is dropped, flags ACK,PSH. But it does not tell me why and by which rule. What do the flags mean?
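The question raised in the last posts is which rule dropped a given connection. The script below is an added example, not code from the thread or from NethServer: it parses the fast.log format that Suricata 4 writes in IPS mode (the [Drop] marker appears only for rules whose action was drop), reports the signature IDs that dropped traffic to or from one host, and emits a suppress entry in Suricata's threshold.config syntax for a rule judged to be a false positive. The log lines, signature 2400001 and all addresses are constructed; only sid 2011124 and the ET TROJAN message come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/suricata/fast.log lines (Suricata 4, IPS mode).
# "[Drop]" is present only when the matching rule's action was drop; alert-only
# rules log without it. Addresses are documentation ranges, not real hosts.
SAMPLE_FAST_LOG = """\
10/05/2018-09:12:01.123456  [Drop] [**] [1:2011124:7] ET TROJAN [PTsecurity] pkt checker 0 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:443 -> 10.0.0.5:51234
10/05/2018-09:12:03.654321  [**] [1:2022913:2] ET POLICY constructed alert-only rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51240 -> 198.51.100.7:443
10/05/2018-09:13:10.000001  [Drop] [**] [1:2011124:7] ET TROJAN [PTsecurity] pkt checker 0 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:443 -> 10.0.0.5:51236
10/05/2018-09:14:00.000002  [Drop] [**] [1:2400001:1] ET DROP constructed blocklist rule [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:53 -> 10.0.0.5:40000
"""

# One fast.log record (IPv4 only; IPv6 addresses are printed without brackets and are not handled).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>.*?)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_log(text):
    """Return one dict per parseable line; action is 'Drop', 'wDrop' or 'Alert'."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format rather than guessing
        e = m.groupdict()
        e["action"] = e["action"] or "Alert"  # no marker means the rule only alerted
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            e[k] = int(e[k])
        events.append(e)
    return events

def drops_for_host(events, ip):
    """Which rules dropped traffic to or from ip: {sid: {msg, count, peers}}."""
    out = defaultdict(lambda: {"msg": "", "count": 0, "peers": set()})
    for e in events:
        if e["action"] not in ("Drop", "wDrop") or ip not in (e["src"], e["dst"]):
            continue
        peer = e["dst"] if e["src"] == ip else e["src"]
        rec = out[e["sid"]]
        rec["msg"], rec["count"] = e["msg"], rec["count"] + 1
        rec["peers"].add(peer)
    return dict(out)

def suppress_line(sid, ip, gid=1):
    """threshold.config entry that silences one rule for one source IP only."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
```

Run it against the real file with `parse_fast_log(open("/var/log/suricata/fast.log").read())` and pass the IP returned by dig to `drops_for_host`; the sid it reports is what Evebox's DROP entry does not show.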