Suricata Inline Mode automate rule action selection

ericlee · Mar 12, 2023, 8:56 AM

Suricata is configured inline mode on the LAN interface only, ran it for a month in alert only mode, reviewed those alerts and now in blocking mode

But it seems that it is a manual process to modify from alert to drop and I am looking for a way to have all enabled rules configured as drop.

Coming from a Sonicwall environment to pfSense+, with the Sonicwalls all high priority attacks in IPS are set to automatically drop from a global config setting and this is what I am trying to do with pfSense/Suricata and not sure if there is a way or not.

Eric

bmeeks · Mar 13, 2023, 3:11 AM

You want to use the features on the SID MGMT tab. Enable that feature by checking the box, and then review the content of the provided sample configuration files. The sample files contain examples with comments explaining what the examples do.

This Sticky Post found at the top of this sub-forum also has some instructions for using SID MGMT: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.

ericlee · Mar 14, 2023, 5:27 PM

Thanks, I will work on it and follow up if I have more questions