Scheduled emptying of block list?
-
I know I can schedule things via cron and the like, but is there a command to empty the Snort/Suricata blocklist on a regular basis? I know I can set how long a block lasts, but I want to be able to just empty the list on a regular basis. We are having a tough time figuring out what rules are causing some of our critical services to be blocked, so for now, until I can sort it all out, I want to just dump the block list on a regular basis.
I've searched but not found anything on this; please simply point me in the right direction if you know there is a solution and I just couldn't search properly.
Thanks.
-
For the first few weeks or so, it's best to use Snort/Suricata in Non-Blocking mode. This gives you time to tune it to your network without actually blocking anything.
Otherwise, this command will flush the table:
pfctl -t snort2c -T flush
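
(Added example, not part of the original reply: a script that saves the contents of the snort2c table before flushing it, so each scheduled flush leaves a list of blocked addresses to match against the Snort/Suricata alerts. The log directory, script path and hourly schedule are assumptions.)

```shell
#!/bin/sh
# Snapshot the snort2c block table, then flush it.
# Example crontab entry (hourly; script path is an assumption):
#   0 * * * * /root/flush_snort2c.sh --run
PFCTL="${PFCTL:-pfctl}"                       # overridable for testing
TABLE="${TABLE:-snort2c}"                     # table name from the reply above
LOG_DIR="${LOG_DIR:-/var/log/snort2c-flush}"  # assumed location for snapshots

# Saves the current table entries to a timestamped file, flushes the table,
# and prints how many entries were saved. Returns non-zero if pfctl fails.
flush_blocklist() {
    mkdir -p "$LOG_DIR" || return 1
    snap="$LOG_DIR/$TABLE-$(date +%Y%m%d-%H%M%S).txt"

    # Read the table first; if this fails, do not flush anything.
    entries=$("$PFCTL" -t "$TABLE" -T show) || return 1

    # "-T show" prints one indented address per line: trim it, drop blank lines.
    printf '%s\n' "$entries" | sed -e 's/^[[:space:]]*//' -e '/^$/d' > "$snap"
    count=$(wc -l < "$snap" | tr -d ' ')

    if [ "$count" -eq 0 ]; then
        rm -f "$snap"          # nothing was blocked, keep the log dir clean
        echo 0
        return 0
    fi

    "$PFCTL" -t "$TABLE" -T flush >/dev/null 2>&1 || return 1
    echo "$count"
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    flush_blocklist
fi
```

Each snapshot file holds one address per line, so it can be grepped against the alert log for the same time window to see which rule triggered a block.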
-
Thanks. I would love to be running in NB mode, but we're in full swing for classes and if I run in NB mode the RIAA, MPAA and anyone else with copyright grievances will be breathing down my neck… students just won't turn off their BitTorrent clients.