Netgate Discussion Forum

Suricata not dropping/blocking in legacy mode.

5 Posts 2 Posters 1.2k Views
    010702
    last edited by Sep 28, 2017, 11:52 PM

    Hey all,

    I have Suricata set up with a custom rule to drop anything coming in on port 23 (anybody connecting on that port is someone to block, as I never use it). It logs correctly but does not block the IP at all.

    Help?

      010702
      last edited by Sep 28, 2017, 11:59 PM

      My mistake.  If you have it running on the LAN interface it recognises the telnet traffic but doesn't block.  If I run it on the WAN it blocks the traffic.

        bmeeks
        last edited by Sep 29, 2017, 1:16 AM

        How did you structure the flow direction?  Is your rule structured to trigger on flows from EXTERNAL_NET to HOME_NET, or from HOME_NET to EXTERNAL_NET?  Remember your LAN addresses will, by default, be in HOME_NET.

        Bill

          010702
          last edited by Sep 29, 2017, 12:21 PM

          drop tcp any any -> any 23 (msg: "Telnet login"; classtype:attempted-recon; sid:9000001; rev:1;)

            bmeeks
            last edited by Sep 29, 2017, 3:34 PM

            It may not be blocking due to the automatic Pass List generated in Legacy Mode.  Check the IP addresses in the Pass List by clicking the View button next to the Pass List drop-down selector on the INTERFACE SETTINGS tab.  Any address in that list will never be blocked (but will still generate an alert).  You can create a customized Pass List and remove addresses that you want to get blocked, but be careful if this is new territory for you.  You can easily lock yourself out.

            In general the default settings for a Pass List work for the majority of uses.

            Bill

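The two things Bill asks about, rule direction relative to HOME_NET/EXTERNAL_NET and the Legacy Mode Pass List, can be checked offline before touching a live firewall. The script below is an added example and is not code from the thread, from the pfSense Suricata package or from Suricata itself: it parses a one-line rule header, tests it against a few constructed flows, and then applies a simplified model of Legacy Mode blocking (Block Offenders enabled, both endpoint IPs considered, any IP on the Pass List exempt). The HOME_NET value, the Pass List contents, the flows and the 203.0.113.0/24 addresses are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample environment (assumption for this example, not from the thread):
# a LAN of 192.168.1.0/24, which is what $HOME_NET expands to and what the
# auto-generated Legacy Mode Pass List is assumed to contain.
HOME_NET = ["192.168.1.0/24"]
PASS_LIST = ["192.168.1.0/24", "127.0.0.1/32"]

RULE_HEADER = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line Suricata rule into its header fields and an option map."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("not a recognisable Suricata rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _in_nets(ip, nets):
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def addr_matches(spec, ip, home_net):
    """Address field: any, $HOME_NET, $EXTERNAL_NET, a CIDR, or a ! negation of those."""
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "$HOME_NET":
        hit = _in_nets(ip, home_net)
    elif spec == "$EXTERNAL_NET":
        hit = not _in_nets(ip, home_net)  # Suricata's default EXTERNAL_NET is !$HOME_NET
    else:
        hit = _in_nets(ip, [spec])
    return hit != negate


def port_matches(spec, port):
    """Port field: any, a single port, a lo:hi range, or a ! negation of those."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def rule_matches(rule, flow, home_net):
    """True if the rule header matches the flow, honouring -> and <> direction."""
    if rule["proto"] not in ("ip", flow["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (addr_matches(rule["src"], src, home_net) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst, home_net) and port_matches(rule["dport"], dport))

    if one_way(flow["src"], flow["sport"], flow["dst"], flow["dport"]):
        return True
    return rule["dir"] == "<>" and one_way(flow["dst"], flow["dport"], flow["src"], flow["sport"])


def legacy_mode_verdict(rule_text, flow, home_net=HOME_NET, pass_list=PASS_LIST, block_offenders=True):
    """Simplified model of pfSense Legacy Mode: a matching rule always alerts; with
    Block Offenders on, both endpoint IPs are blocked unless they are on the Pass List
    (in Legacy Mode the block is keyed off the alert, not the rule's drop/alert action)."""
    rule = parse_rule(rule_text)
    if not rule_matches(rule, flow, home_net):
        return {"matched": False, "alert": False, "blocked": []}
    blocked = []
    if block_offenders:
        for ip in (flow["src"], flow["dst"]):
            if not _in_nets(ipaddress.ip_address(ip), pass_list):
                blocked.append(ip)
    return {"matched": True, "alert": True, "blocked": blocked}


# Constructed flows: one from the WAN side, one between two LAN hosts.
FLOW_WAN = {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "192.168.1.10", "dport": 23}
FLOW_LAN = {"proto": "tcp", "src": "192.168.1.20", "sport": 40000, "dst": "192.168.1.10", "dport": 23}
THREAD_RULE = 'drop tcp any any -> any 23 (msg: "Telnet login"; classtype:attempted-recon; sid:9000001; rev:1;)'
DIRECTIONAL_RULE = 'drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet from outside"; sid:9000002; rev:1;)'

if __name__ == "__main__":
    for name, flow in (("WAN", FLOW_WAN), ("LAN", FLOW_LAN)):
        print(name, "thread rule:", legacy_mode_verdict(THREAD_RULE, flow))
        print(name, "directional rule:", legacy_mode_verdict(DIRECTIONAL_RULE, flow))
```

Run as-is, the LAN-to-LAN flow matches the thread's `any any -> any 23` rule and alerts but blocks nothing, because both endpoints sit inside the Pass List; the same flow does not match the `$EXTERNAL_NET -> $HOME_NET` variant at all. Either result reproduces "it logs but does not block" without editing the real Pass List, which is the step Bill warns can lock you out.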
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.