Suricata blocks homenet ip address



  • Hello.

    I have configured manually few IP address with an alias and overrided home_net into interface configuration of suricata.
    However it blocks these ip addresses if they offends Suricata.
    I thought that adding IP addresses to home_net they aren't blocked by suricata/snort, but it looks it isn't. … isn't it?

    Thank you



  • Hello.
    I have addedd same IP groups to pass list and it doesn't work neither.
    always one of these IPs offends Suricata, it is blocked.

    Suricata only blocks "SRC"

    I have seen this post
    https://forum.pfsense.org/index.php?topic=88840.msg546704#msg546704
    in 2015 with the same issue, but no answer.

    Some help will be appreciated.
    Thank you



  • I don't know why but rebooting had worked.



  • @crester:

    I don't know why but rebooting had worked.

    99 times out of 100 this means you had duplicate Snort instances running on the same interface.  To the GUI, one of those process instances is like a zombie and lost.  So any changes made to HOMENET or anything else in the GUI don't get applied to that running zombie process.  Rebooting will kill everything and then you get back to a single Snort instance per configured interface and things are normal.

    Bill