• Suricata will not start

    0 Votes
    1 Post
    396 Views
    No one has replied
  • ET SCAN NMAP not drop

    0 Votes
    1 Post
    380 Views
    No one has replied
  • Snort - Blocking Attack but no blocking hosts

    2 Votes
    1 Post
    399 Views
    No one has replied
  • update VTR rules failed

    0 Votes
    1 Post
    390 Views
    No one has replied
  • Syntax for ignore ports in Preprocs Portscan Detection

    0 Votes
    3 Posts
    601 Views

    Nobody has an idea to help me?

  • Suricata blocking IPs on Pass List

    0 Votes
    8 Posts
    1k Views

    @teamits That seems to have worked. I guess maybe restarting the global service resets any global settings and restarting on the interface updates the interface settings but restarting the global service didn't seem to update the interface settings.

  • Suricata not limiting log sizes by default

    1 Vote
    4 Posts
    2k Views
    stephenw10

    Yes, though usually attracting the attention of @bmeeks is the best way to get traction on this. 😉

    Steve

  • This topic is deleted!

    0 Votes
    1 Post
    12 Views
    No one has replied
  • Possible cause of PHP mem alloc crash when viewing suricata.log file

    0 Votes
    1 Post
    266 Views
    No one has replied
  • Can Snort be used to assign traffic to Queues?

    Moved
    0 Votes
    2 Posts
    294 Views
    jimp

    No, it cannot.

  • Linkedin Not Loading

    0 Votes
    1 Post
    345 Views
    No one has replied
  • Suricata inline whitelisting

    0 Votes
    8 Posts
    5k Views

    @bmeeks said in Suricata inline whitelisting:

    Suppress rules can be used to make sure no alerts are generated for a host. This is not efficient however, as the suppression is only considered post-matching. In other words, Suricata first inspects a rule, and only then will it consider per-host suppressions.

    This means to me that the pass, drop, reject, etc., decision is made first and then the suppress list is checked to see whether or not to suppress the alert in the logs.  I need to dive into the source code for the Suricata binary and see if I can precisely determine how suppression affects dropping.

    I need to dig into this some more before I can post a definitive answer.

    Hi, did this get figured out/resolved? We may have run into this today on Suricata package v4.0.4_1...I suppressed an alert but the behavior didn't seem to change until I disabled the rule.
    (FWIW it was rule 1:2013744 "ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain" which would make sense for dynamic domains but was for cdn.no-ip.com which is their actual domain. The rule only excludes www.no-ip.com.)

  • Questions about running SNORT in PfSense

    0 Votes
    4 Posts
    1k Views
    NogBadTheBad

    OpenAppID rules seem to download fine for me.

    What interface are you running snort on?

    Run it on your LAN as you then see hosts pre NAT.

    Yup, the ping rule is a good test to see if snort is working.

    If you change your ICMP rule slightly :-

    alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:misc-activity;)

    alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)

    It should block outbound ICMP traffic.

    andy@pi-3:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=14.8 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    6 packets transmitted, 1 received, 83% packet loss, time 5160ms
    rtt min/avg/max/mdev = 14.847/14.847/14.847/0.000 ms
    andy@pi-3:~ $ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2064ms

    andy@pi-3:~ $


  • e2guardian+snort=slow internet

    0 Votes
    3 Posts
    767 Views

    Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
    Current: 3600 MHz, Max: 3601 MHz
    8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
    AES-NI CPU Crypto: Yes (active)

  • PfSense & Snort: Whitelist Domain

    Moved
    0 Votes
    1 Post
    1k Views
    No one has replied
  • Snort Dropping https traffic

    0 Votes
    1 Post
    274 Views
    No one has replied
  • This topic is deleted!

    0 Votes
    1 Post
    30 Views
    No one has replied
  • CIDR in suppress list not showing in Alerts pane

    0 Votes
    7 Posts
    1k Views

    @nogbadthebad I wanna assume good faith here and that you're trying to help - but please try and not fall into the trap of first failing to read the OP, then insisting on a non-solution, followed by completely ignoring the OP altogether. I understand how to submit FRs - not my purpose here. Simply ignore the thread if you have nothing assistive to add.

    Thanks.

  • OPENAPPID Custom rules to block globoplay not working

    0 Votes
    2 Posts
    465 Views
    NogBadTheBad

    https://snort.org/ < ask here

  • After suricata install, gateway disconnected

    Moved
    0 Votes
    2 Posts
    420 Views

    I had the exact same issue on my box. So I removed it and switched to Snort, which has always worked for me in the past. Hopefully someone can shed some light on this.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.