4. Suricata not dropping/blocking in legacy mode.

Suricata not dropping/blocking in legacy mode.

  • 0

    Hey all,

    I have Suricata set up with a custom rule to drop anything coming in to port 23 (anybody connecting on that port is someone to block as I never use it).  It logs correctly but does not block the IP at all.

    Help?

    0
  • 0

    My mistake.  If you have it running on the LAN interface it recognises the telnet traffic but doesn't block.  If I run it on the WAN it blocks the traffic.

    0

  • How did you structure the flow direction?  Is your rule structured to trigger on flows from EXTERNAL_NET to HOME_NET, or from HOME_NET to EXTERNAL_NET?  Remember your LAN addresses will, by default, be in HOME_NET.

    Bill

    0
  • 0

    drop tcp any any -> any 23 (msg: "Telnet login"; classtype:attempted-recon; sid:9000001; rev:1;)

    0

  • It may not be blocking due to the automatic Pass List generated in Legacy Mode.  Check the IP addresses in the Pass List by clicking the View button next to the Pass List drop-down selector on the INTERFACE SETTINGS tab.  Any address in that list will never be blocked (but will still generate an alert).  You can create a customized Pass List and remove addresses that you want to get blocked, but be careful if this is new territory for you.  You can easily lock yourself out.

    In general the default settings for a Pass List work for the majority of uses.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy