Snort time from detection to block
The Snort time from detection to block is not helping me. Is there a way to inspect the packet and then pass it only if it passes the snort rule? I use snort only for one port on my email server, so a delay in the packets is no big deal, but the packets getting through are. Snort is only effective for the next time a bad IP comes in.
fsansfil last edited by
Instead of a DROP rule, create one with PASS with Suricata inline.
pfsense doesnt support snort inline yet, maybe when version 3 comes out.
Paint last edited by
maybe write your own custom Snort Rules: custom.rules?
So I can do this with Suricata?
Is there a FAQ somewhere to explain using inline. I assume using this allows Suricata to review and drop the packet before it can be delivered.
I already write my own custom rules. I was hoping there were some commands I could use. I understand the snort rules are compatible with Suricata too.
Reading up on Suricata looks like the answer to my needs now that the inline option is available.