Suricata blocking IPs that are on the passlist

  • I have Suricata running in legacy IPS mode.

    My passlist has all the default boxes checked, including "Add VPN Addresses to the list."

    I also have a passlist alias selected which has one or two IPs (that are not otherwise on the passlist).

    I have the passlist applied to my interface in Suricata.

    I just had a situation where two IPs on one of my remote networks, which is connected via a site-to-site VPN on the pfSense, were blocked.

    I verified that the network range (in this case is listed in the passlist when clicking View List for the pass list on the interface options screen in Suricata.

    Any ideas on what could be going on and why these IPs are getting blocked even though the range they are in is on the pass list?
