But there is nothing to solve here. If that DNS server isn't listening on the WAN, the matter is settled. If the rule is cluttering the log, disable it (emerging-dos.rules, sid:2016016). If it really is a (D)DoS, you'll certainly notice it some other way than from the router's log, because you'll be without internet.
If you panic over every message the IDS spits into the log, you'll soon go mad. The thing can't be used in its default state; it isn't a click-enable-and-forget solution. An IDS/IPS needs someone who will look after it and spend at least weeks tuning it for the specific use and the ruleset it runs, and even then keep weeding out obvious false positives, or rules that came about because one of the developers simply lost the plot (see the examples below).
Here is my commented file of rules we have disabled and why. Without it, the IPS will spit out thousands of similar alerts an hour and will be pointlessly blocking IP addresses as if on a conveyor belt.
##########################
### Suricata Overrides ###
##########################
### decoder-events.rules FPs
# Loads of noise, DNS and others
1:2200038 # SURICATA UDP packet too small
# Messes up some DNS traffic
1:2200040 # SURICATA UDP invalid header length
1:2200070 # SURICATA FRAG IPv4 Fragmentation overlap
1:2200072 # SURICATA FRAG IPv6 Fragmentation overlap
# messes up with DNS resolution on LAN
1:2200073 # SURICATA IPv4 invalid checksum
# Bittorrent noise, DNS
1:2200075 # SURICATA UDPv4 invalid checksum
1:2200078 # SURICATA UDPv6 invalid checksum
# lots of useless noise
1:2200076 # SURICATA ICMPv4 invalid checksum
1:2200079 # SURICATA ICMPv6 invalid checksum
1:2200029 # SURICATA ICMPv6 unknown type
# Messes with IPv6 DNS resolution with some DNS servers - ns1.statnipokladna.cz, ns2.statnipokladna.cz
1:2200080 # SURICATA IPv6 useless Fragment extension header
### Zillions of FPs
1:2200037 # SURICATA TCP duplicated option
1:2200094 # SURICATA zero length padN option
# HP printers FPs
1:2200102 # SURICATA ICMPv6 MLD hop limit not 1
# NUT UPS FPs
1:2221002 # SURICATA HTTP request field missing colon
### dns-events.rules FPs
1:2240001 # SURICATA DNS Unsollicited response
# DNS Servers FPs
1:2240002 # SURICATA DNS malformed request data
1:2240003 # SURICATA DNS malformed response data
# Windows default DNS server addresses IPv6 stupidity
# https://technet.microsoft.com/en-us/library/cc783049%28v=ws.10%29.aspx
1:2240007 # SURICATA DNS request flood detected
# DNS Query for Suspicious Domain (stupid rules, break DNS resolution by blocking DNS servers)
1:2011407-1:2011411
1:2013847-1:2013862
1:2012811,1:2012826,1:2012900,1:2012901,1:2012902,1:2012903,1:2012956,1:2013016,1:2013124,1:2013172,1:2015550,1:2013970,1:2014285
### http-events.rules FPs
# breaks Windows updates
1:2221000 # SURICATA HTTP unknown error
# http://www.bundesfinanzministerium.de
1:2221021 # SURICATA HTTP response header invalid
# smtp-events.rules
1:2220000 # SURICATA SMTP invalid reply
# SpamD FPs
1:2220006 # SURICATA SMTP no server welcome message
### stream-events.rules FPs
# disable all, way too many FPs
stream-events.rules
# random FPs
#1:2210016 # SURICATA STREAM CLOSEWAIT FIN out of window
#1:2210020 # SURICATA STREAM ESTABLISHED packet out of window
#1:2210021 # SURICATA STREAM ESTABLISHED retransmission packet before last ack
#1:2210029 # SURICATA STREAM ESTABLISHED invalid ack
#1:2210030 # SURICATA STREAM FIN invalid ack
#1:2210032 # SURICATA STREAM FIN1 FIN with wrong seq
#1:2210038 # SURICATA STREAM FIN out of window
#1:2210039 # SURICATA STREAM Last ACK with wrong seq
#1:2210042 # SURICATA STREAM TIMEWAIT ACK with wrong seq
#1:2210045 # SURICATA STREAM Packet with invalid ack
#1:2210046 # SURICATA STREAM SHUTDOWN RST invalid ack
# Messes with DNS resolution over TCP with some DNS servers
#1:2210000 # SURICATA STREAM 3way handshake with ack in wrong dir
#1:2210010 # SURICATA STREAM 3way handshake wrong seq wrong ack
### tls-events.rules FPs
# random false positives (e.g. Yahoo)
1:2230002 # SURICATA TLS invalid record type
# breaks viber
1:2230003 # SURICATA TLS invalid handshake message
# mailserver webmail/ActiveSync log noise
1:2230010 # SURICATA TLS invalid record/traffic
# lots of noise, breaks downloads
1:2230015 # SURICATA TLS invalid record version
# FPs with Gmail
1:2230020 # SURICATA TLS too many records in packet
##########################
##########################
### ET Open Overrides ###
##########################
### disable useless empty categories in the open-nogpl ruleset
# empty
emerging-chat.rules
emerging-icmp.rules
### disable unwanted categories
emerging-icmp_info.rules
emerging-inappropriate.rules
emerging-info.rules
emerging-rpc.rules
### emerging-dns.rules
# generic unwanted rules
1:2012811 # ET DNS DNS Query to a .tk domain - Likely Hostile
1:2018438 # ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling
# FPs with Bittorrent peers using port 53
1:2014701 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy
1:2014702 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy
1:2014703 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
### emerging-scan.rules
# FPs with Total Commander SFTP, PuTTY etc.
1:2003068 # ET SCAN Potential SSH Scan OUTBOUND
# FPs with RDP automatic reconnect
1:2013479 # ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)
# Loads of noise, plus FPs with DNS resulting in blocking root DNS servers
1:2008578 # ET SCAN Sipvicious Scan
1:2011716 # ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
### emerging-shellcode.rules
# Fires up when syncing debian mirror
1:2012086 # ET SHELLCODE Possible Call with No Offset TCP Shellcode
1:2012088 # ET SHELLCODE Possible Call with No Offset TCP Shellcode
1:2012252 # ET SHELLCODE Common 0a0a0a0a Heap Spray String
1:2013319 # ET SHELLCODE Unicode UTF-8 Heap Spray Attempt
# Dangerous rule based on cleartext HTTP. Fires up on known good sites when repeated occurrences of *heap* is encountered.
1:2013222 # ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
### emerging-trojan.rules
# FPs
1:2018455 # ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26
### emerging-web_client.rules
# generic unwanted rules
1:2011507 # ET WEB_CLIENT PDF With Embedded File
1:2010514 # ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source)
1:2010516 # ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
1:2010518 # ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
1:2010520 # ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)
1:2010522 # ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)
1:2010525 # ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
1:2010527 # ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
# fires up when downloading zipped drivers
1:2012266 # ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
1:2012272 # ET WEB_CLIENT Hex Obfuscation of eval % Encoding
1:2012398 # ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
### emerging-web_server.rules
# generic unwanted rules
1:2101201 # GPL WEB_SERVER 403 Forbidden
1:2101852 # GPL WEB_SERVER robots.txt access
1:2016672 # ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
##########################
But this isn't something you take, copy and consider done. It is a configuration that works for us, for specific purposes and a specific set of enabled rules.
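As an added example (not part of the post above and not suricata-update's or pulledpork's own code), the script below parses an override list in the format of the file above (gid:sid entries, gid:sid-gid:sid ranges, comma-separated lists, bare rule-file names, and '#' comments) and comments out the matching rules in a rules file, which is what the disable step of a rule-management tool does. The override excerpt and the simplified rules it is applied to are constructed for the example, and the interpretation of ranges and file-name entries as "disable every sid in the range" and "disable the whole file" is an assumption taken from how the list above reads.

```python
"""Parse a Suricata disable-sid override list and apply it to a rules file.

Added example: reads "gid:sid", "gid:sid-gid:sid" ranges, comma-separated
lists and bare rule-file names, treats '#' as a comment, and comments out
every matching rule. Sample inputs are constructed for the example.
"""
import re
from dataclasses import dataclass, field

SID_RE = re.compile(r"^(\d+):(\d+)$")
RULE_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


@dataclass
class Overrides:
    sids: set = field(default_factory=set)   # (gid, sid) pairs to disable
    files: set = field(default_factory=set)  # whole rule files to disable


def _gid_sid(token: str):
    m = SID_RE.match(token.strip())
    if not m:
        raise ValueError(f"malformed override entry: {token!r}")
    return int(m.group(1)), int(m.group(2))


def parse_overrides(text: str) -> Overrides:
    ov = Overrides()
    for raw in text.splitlines():
        # Everything after '#' is a comment, so commented-out entries
        # such as "#1:2210016" and the "###" headers are skipped entirely.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(".rules"):
            ov.files.add(line)       # assumption: bare file name = disable the whole file
            continue
        for item in line.split(","):
            if "-" in item:
                lo, hi = item.split("-", 1)
                gid, first = _gid_sid(lo)
                gid_hi, last = _gid_sid(hi)
                if gid != gid_hi or last < first:
                    raise ValueError(f"bad range: {item!r}")
                ov.sids.update((gid, s) for s in range(first, last + 1))
            else:
                ov.sids.add(_gid_sid(item))
    return ov


def apply_overrides(rules_text: str, rules_file: str, ov: Overrides):
    """Return (new_text, disabled_count) with matching rules commented out."""
    out, disabled = [], 0
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = RULE_SID_RE.search(stripped)
        if stripped.startswith("#") or not m:
            out.append(line)         # comment, blank line or not a rule
            continue
        sid = int(m.group(1))
        g = RULE_GID_RE.search(stripped)
        gid = int(g.group(1)) if g else 1   # Suricata's default gid is 1
        if rules_file in ov.files or (gid, sid) in ov.sids:
            out.append("# " + line)
            disabled += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


# Constructed excerpt of an override list in the format shown above.
SAMPLE_OVERRIDES = """\
### decoder-events.rules FPs
1:2200038 # SURICATA UDP packet too small
# DNS Query for Suspicious Domain
1:2011407-1:2011411
1:2012811,1:2013124
#1:2210016 # commented out, so it stays enabled
stream-events.rules
"""

# Constructed, simplified rules; real rules carry more options.
SAMPLE_RULES = """\
alert udp any any -> any any (msg:"SAMPLE UDP packet too small"; sid:2200038; rev:1;)
alert udp any any -> any any (msg:"SAMPLE UDP header length too small"; sid:2200039; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE DNS query in disabled range"; content:"|01 00 00 01|"; sid:2011409; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE DNS query in disabled list"; content:"|01 00 00 01|"; sid:2013124; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE STREAM event"; sid:2210016; rev:1;)
"""


def demo():
    ov = parse_overrides(SAMPLE_OVERRIDES)
    new_text, n = apply_overrides(SAMPLE_RULES, "decoder-events.rules", ov)
    return ov, new_text, n


if __name__ == "__main__":
    ov, new_text, n = demo()
    print(f"{len(ov.sids)} sids and {len(ov.files)} files in override list; "
          f"{n} rules commented out")
    print(new_text)
```

Run against the sample, three of the five rules get commented out: the single sid, the one inside the range and the one from the comma list; the commented-out override entry leaves sid 2210016 alone in decoder-events.rules, while applying the same overrides to a file named stream-events.rules disables every rule in it.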