Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata Inline Mode automate rule action selection

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    3
    271
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      ericlee
      last edited by

      Suricata is configured inline mode on the LAN interface only, ran it for a month in alert only mode, reviewed those alerts and now in blocking mode

      But it seems that it is a manual process to modify from alert to drop and I am looking for a way to have all enabled rules configured as drop.

      Coming from a Sonicwall environment to pfSense+, with the Sonicwalls all high priority attacks in IPS are set to automatically drop from a global config setting and this is what I am trying to do with pfSense/Suricata and not sure if there is a way or not.

      Eric

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        You want to use the features on the SID MGMT tab. Enable that feature by checking the box, and then review the content of the provided sample configuration files. The sample files contain examples with comments explaining what the examples do.

        This Sticky Post found at the top of this sub-forum also has some instructions for using SID MGMT: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.

        1 Reply Last reply Reply Quote 1
        • E
          ericlee
          last edited by

          Thanks, I will work on it and follow up if I have more questions

          1 Reply Last reply Reply Quote 0
          • First post
            Last post