Suricata Host Not Removed From Blocked Table
-
I have selected the red X (Remove host from Blocked Table) for host 134.195.207.8 multiple times. Wondering why it keeps coming back. What am I misunderstanding?
-
@pfgate Removing it will remove it once. Further alerts will block it again. If you want to permanently ignore it you can click the + icon there to suppress the alert so that rule doesn't trigger for that IP. Or else you can add it to a pass list (and assign the pass list to the Suricata interface, and restart Suricata) to bypass all rules for that IP.
-
@SteveITS is 100% correct. That IP address is triggering the same rule over and over. So when you remove it from the BLOCKS table, it is going to be put back as soon as that IP address triggers the same rule again.
You need to address this either by suppressing that rule for that IP address, or by adding the IP address to a Pass List so that it is not blocked. The difference between "suppressing" and a "pass list" is as follows:
A suppressed rule will not fire at all for the condition specified. You can suppress rules by source or destination IP address. You can also suppress them by Signature ID, but that is really the same as disabling the rule. There are icons for all these actions on the ALERTS tab shown on the line for each alert. Hover over the icons and a tooltip will pop up explaining what the icon does. Suppressing by IP means that if the target IP causes the rule to trigger, the alert will be suppressed (not logged and thus not show up in the ALERTS tab view) and therefore will not result in a block.
A Pass List contains a group of IP addresses that are never blocked. The rules will still trigger and alerts will show on the ALERTS tab for those IP addresses, but the IP will not get blocked.
-
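To make the "same rule keeps re-triggering" point concrete, here is a small added Python example (not from the thread or the pfSense package) that counts alerts per source IP and signature in Suricata EVE JSON output and emits the equivalent threshold.config suppress entry. The log lines are constructed, the signature ids are placeholders, and only the IP from the thread is real.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON alert records (not real traffic).
# The source IP is the one from the thread; signature ids are placeholders.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"134.195.207.8","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":9000001,"signature":"PLACEHOLDER rule"}}
{"event_type":"flow","src_ip":"134.195.207.8","dest_ip":"192.0.2.10"}
{"event_type":"alert","src_ip":"134.195.207.8","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":9000001,"signature":"PLACEHOLDER rule"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":9000002,"signature":"PLACEHOLDER other"}}
{"event_type":"alert","src_ip":"134.195.207.8","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":9000001,"signature":"PLACEHOLDER rule"}}
"""

def repeat_offenders(eve_text, min_hits=2):
    """Count alerts per (src_ip, gid, sid) and return the pairs seen at least
    min_hits times. A host listed here is re-blocked every time it is removed
    from the BLOCKS table, because the same rule fires again."""
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, etc. records never cause a block
        a = rec["alert"]
        counts[(rec["src_ip"], a["gid"], a["signature_id"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}

def suppress_line(src_ip, gid, sid):
    """Build the threshold.config entry that suppresses one signature for one
    source IP only (what the + icon on the ALERTS tab does). Leaving out
    'track by_src, ip ...' would suppress the sid for every host, which is the
    same as disabling the rule, as the thread notes."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src_ip}"

if __name__ == "__main__":
    for (ip, gid, sid), n in repeat_offenders(SAMPLE_EVE).items():
        print(f"{ip} triggered sid {sid} {n} times -> {suppress_line(ip, gid, sid)}")
```

A pass list has no single-line equivalent here: the rule still fires and the alert is still logged, only the block is skipped.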