suricata inline confusion
-
I've been scouring these forums for a long time; however, I get the distinct impression that Suricata isn't doing anything for me other than alerting.
Inline mode is enabled
Block offenders is checked
Use IPS policy - checked
IPS policy selection - maximum detection
IPS policy mode - policy

All the rules do is 'alert'. It's kinda tough for me to fathom that I have to go through each one of these rules and enable drop?
I was sorta under the impression that you might 'enable all' and, as you use an application or whatever that doesn't work because of a rule, you'd see that rule in the logs and disable it, rather than go through each one and change it to drop. I know, this has been beaten to death and I apologize profusely.
-
@jc1976 There are ways to enable it; for instance, see the dropsid comments in https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions. And/or look for posts on inline by bmeeks. Suricata should be similar.
-
Yeah, I try to follow bmeeks when it comes to this stuff... his knowledge is amazing. The problem for me is, his knowledge is way beyond mine and it can become a bit hard to follow (for me) at times. It's just one of those situations where I need to either see it happen or go through the process once, and I'll understand it; reading sometimes leads to more questions. It's just confusion on my part.
-
@jc1976 said in suricata inline confusion:
it's kinda tough for me to fathom that i have to go through each one of these rules and enable drop?
Not how it's generally done. Look at the "SID Mgmt" tab and see if you can work out how to change rule actions en masse using a "Drop SID List."
-
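As an added example (my own code, not from this thread and not the pfSense Suricata package's own SID Mgmt code), here is the bulk rewrite the "Drop SID List" performs, done by hand in Python so the mechanism is visible: a list of category names and gid:sid pairs selects rules, and each selected rule's action is flipped from alert to drop, while disabled rules and rules that already use another action are left alone. The rules, SIDs and drop list below are constructed sample input; the list syntax (bare category names, comma-separated gid:sid pairs, '#' comments) follows the pulledpork-style conf files the SID Mgmt tab accepts, but the parser is my own assumption of that format, not the package's.

```python
"""Bulk alert->drop rewrite driven by a dropsid-style list.

Added example, not code from the thread or the pfSense package. The rule
text and SIDs are constructed; the list format (category names, gid:sid
pairs, '#' comments) is assumed from the pulledpork-style SID Mgmt files.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample rules in Suricata syntax, keyed by the category file
# they would have come from (e.g. emerging-scan.rules). Not real ET rules.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-scan": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN SSH probe"; flags:S; sid:2001219; rev:1;)',
        '# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SAMPLE SCAN SNMP probe"; sid:2001220; rev:1;)',
    ],
    "emerging-exploit": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE EXPLOIT SMB overflow"; sid:2010935; rev:1;)',
        'drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE EXPLOIT already drop"; sid:2010936; rev:1;)',
    ],
    "emerging-policy": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE POLICY user agent"; gid:1; sid:2100498; rev:1;)',
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE POLICY unaffected"; sid:2100499; rev:1;)',
    ],
}

# Constructed drop list (assumed dropsid.conf-style syntax).
DROP_LIST = """\
# whole category: every enabled rule in emerging-scan becomes drop
emerging-scan
# individual rules, by gid:sid; unknown SIDs are simply never matched
1:2010935
1:2100498, 1:2100497
"""

ACTION_RE = re.compile(r"^(alert|pass|drop|reject)\s")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_sid_list(text: str) -> Tuple[Set[str], Set[Tuple[int, int]]]:
    """Return (category names, {(gid, sid)}) from a dropsid-style list."""
    categories: Set[str] = set()
    ids: Set[Tuple[int, int]] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        for token in (t.strip() for t in line.split(",")):
            if not token:
                continue
            m = re.fullmatch(r"(\d+):(\d+)", token)
            if m:
                ids.add((int(m.group(1)), int(m.group(2))))
            else:
                categories.add(token)
    return categories, ids


def rule_id(rule: str) -> Tuple[int, int]:
    """(gid, sid) of a rule; gid defaults to 1 when absent, as in Suricata."""
    sid = SID_RE.search(rule)
    if not sid:
        raise ValueError("rule has no sid: " + rule)
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_drop_list(rules_by_cat: Dict[str, List[str]], drop_text: str):
    """Rewrite 'alert' to 'drop' for every rule the list selects.

    Commented-out (disabled) rules and rules already using a non-alert
    action are left untouched. Returns (rewritten rules, number changed).
    """
    cats, ids = parse_sid_list(drop_text)
    out: Dict[str, List[str]] = {}
    changed = 0
    for cat, rules in rules_by_cat.items():
        new_rules = []
        for rule in rules:
            if ACTION_RE.match(rule) and rule.startswith("alert ") and (
                cat in cats or rule_id(rule) in ids
            ):
                rule = "drop " + rule[len("alert "):]
                changed += 1
            new_rules.append(rule)
        out[cat] = new_rules
    return out, changed


if __name__ == "__main__":
    rewritten, n = apply_drop_list(SAMPLE_RULES, DROP_LIST)
    print(f"{n} rule(s) switched to drop")
    for cat, rules in rewritten.items():
        for r in rules:
            print(cat, "|", r[:60])
```

Running it flips three rules (the enabled emerging-scan rule, 2010935 and 2100498); the disabled SNMP rule, the rule that was already drop, and 2100499 are untouched. The point for inline mode is that the action is what decides blocking: an alert rule only logs, so until a rule is drop nothing is stopped. Doing this through the SID Mgmt tab rather than editing rule files matters because rule updates regenerate those files, and the tab reapplies the lists on each update.
-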
@cyberconsultants
@jc1976 Just in case you are not aware, Snort and Suricata are not packages that you just install, configure and then forget about like antivirus programs. These packages require constant maintenance if you want to get the full effect of the tasks they perform.
-
@jdeloach
Can you think of any information system that's 'set it and forget it'? I can't.
-
@jdeloach said in suricata inline confusion:
@cyberconsultants
@jc1976 Just in case you are not aware, Snort and Suricata are not packages that you just install, configure and then forget about like antivirus programs. These packages require constant maintenance if you want to get the full effect of the tasks they perform.
I understand that. I just thought that there would be a way to more easily have the benefits of inline scanning with the easier configuration of legacy mode.