Have a question on SIB Management Drop SID List
-
trying to use DROP list in SID mgmt but can't choose Drop SID List under Interface SID Management List Assignments. It Says N/A? How can I change that to choose LAN Drops list?
🔒 Log in to view -
@stanwij1 I want to say that's only when using Inline mode.
-
@SteveITS oh so I am running Legacy mode, so you can't do this under legacy mode?
-
@stanwij1 said in Have a question on SIB Management Drop SID List:
@SteveITS oh so I am running Legacy mode, so you can't do this under legacy mode?
You can only use a Drop SID List when Inline IPS Mode is enabled in Snort. Legacy Blocking Mode does not support changing individual rules to BLOCK as the internal plumbing of the Snort.
If you are using Suricata (it's not clear from your post which IDS/IPS package you are referring to), then you can enable a special option under the Blocking section of the INTERFACE SETTINGS tab that will let you emulate a sort of IPS mode by individually setting rules to DROP and traffic will only be blocked when those rules trigger. As I recall, that option is called "Block on DROP Only" and is a checkbox.
-
@bmeeks thanks for your response, yes using Suricata. Issue is, using legacy mode, I went into individual interface rules, and clicked the Action and changed to Drop, but it isn't dropping, still showing in alerts, is that because need to check the box to Block on Drop?
-
@stanwij1 said in Have a question on SIB Management Drop SID List:
@bmeeks thanks for your response, yes using Suricata. Issue is, using legacy mode, I went into individual interface rules, and clicked the Action and changed to Drop, but it isn't dropping, still showing in alerts, is that because need to check the box to Block on Drop?
Yes, you must check the box on the INTERFACE SETTINGS tab to enable "Block on DROP Only". That is a config logic flag the code checks in other places so it knows what options to offer the user in the GUI.