Suricata processes packets even though source IPs are blocked

  • Hello all,

    I've been moving IPs blocked by Suricata to a couple of firewall aliases in order to completely block them and save some CPU time. The aliases are then used in floating rules to block all incoming IPv4 and IPv6 traffic. The problem I have is that these IPs have started reappearing in the Suricata blocked IPs.

    I think the problem started either a couple of pfSense updates ago, or when the alias holding the IP addresses grew big (150-200 IPs) … or I've completely misunderstood how Suricata works and it processes traffic before the firewall.

    Has anyone seen this problem before? Could someone help?

    Thanks so much in advance

  • Moderator

    This is nothing new. In pfSense, Snort/Suricata (non-IPS mode) act on a copy of all the packets, since the traffic is captured in promiscuous mode. So even if the firewall is blocking IPs, the IDS/IPS is still analyzing the "copy" of the original packets and reporting on them as per the defined rules.
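
The practical consequence of the moderator's point is that alerts from sources already in the block alias are noise, not a sign that the firewall rule failed. The script below is an added example, not code from the thread or from pfSense/Suricata: it reads an exported pf alias table (one IP or CIDR per line, the format pfSense writes under its aliastables directory; the file name used here is an assumption), splits Suricata EVE JSON alerts into "source already blocked" and "still worth a look", and emits `suppress` lines in Suricata's threshold.config syntax for the alias entries so those addresses stop generating alerts. Suppression only quiets the reporting; Suricata still decodes the packet copy, so it does not recover the CPU the original post hoped to save. The alias contents and EVE lines are constructed for the example.

```python
"""Match Suricata EVE alerts against a pf alias export and build suppress entries.

Added example (not from the thread). Assumptions:
  - the alias is exported as a pf table file: one IP or CIDR per line,
    '#' comments allowed (e.g. /var/db/aliastables/<AliasName>.txt, a path
    assumed here, not taken from the thread)
  - alerts come from Suricata's EVE JSON log (event_type "alert")
"""
import ipaddress
import json

# Constructed sample alias export (not real data).
ALIAS_FILE_TEXT = """\
# constructed pf table export
203.0.113.7
198.51.100.0/24
2001:db8:bad::1
"""

# Constructed sample EVE JSON lines (not real data); one non-alert event mixed in.
EVE_LINES = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.42","dest_ip":"192.0.2.10","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"192.0.2.10"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"192.0.2.99","dest_ip":"192.0.2.10","alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan"}}
"""


def parse_alias(text):
    """Parse a pf table export into ip_network objects (v4 and v6 mixed)."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blocked(ip, nets):
    """True if ip falls inside any alias entry; version mismatches compare False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def split_alerts(eve_text, nets):
    """Return (alerts whose source is already blocked, alerts from other sources)."""
    covered, fresh = [], []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":  # ignore flow/dns/etc. records
            continue
        (covered if is_blocked(event["src_ip"], nets) else fresh).append(event)
    return covered, fresh


def suppress_entries(nets):
    """One threshold.config line per alias entry.

    gen_id 1 / sig_id 0 means 'every signature in generator 1' (the normal
    rule set), so the address stops alerting on any rule while still being
    inspected. Host entries are written bare, ranges in CIDR form.
    """
    lines = []
    for net in nets:
        target = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        lines.append(f"suppress gen_id 1, sig_id 0, track by_src, ip {target}")
    return lines


def report(alias_text=ALIAS_FILE_TEXT, eve_text=EVE_LINES):
    """Summarise how many alerts the alias already accounts for."""
    nets = parse_alias(alias_text)
    covered, fresh = split_alerts(eve_text, nets)
    return {
        "alias_entries": len(nets),
        "alerts_from_blocked_sources": [e["src_ip"] for e in covered],
        "alerts_from_other_sources": [e["src_ip"] for e in fresh],
        "suppress_lines": suppress_entries(nets),
    }


if __name__ == "__main__":
    summary = report()
    for key, value in summary.items():
        print(f"{key}: {value}")
```

In pfSense the generated `suppress` lines would be pasted into a Suppress List in the Suricata package and attached to the interface; with the built-in pf table file as the source, the script can be re-run whenever the alias changes.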

  • I see… Now it makes sense… and I should've thought of that :(

    Thanks a lot