Suricata - Block On DROP Only ?



  • I'm using Suricata in legacy mode because inline mode crashes too often!

    So I decided to use the "Block On DROP Only" function in legacy mode.

    But it never drops/blocks anything. This makes no sense.

    So do I really have to change all rules manually to drop?
    How should I know which rule I have to change to drop?

    Any solution from the PROS here?



  • @pfsense_user12123:

    I'm using Suricata in legacy mode because inline mode crashes too often!

    So I decided to use the "Block On DROP Only" function in legacy mode.

    But it never drops/blocks anything. This makes no sense.

    So do I really have to change all rules manually to drop?
    How should I know which rule I have to change to drop?

    Any solution from the PROS here?

    Enabling the new option for "Block on DROP Only" is only 50% of what is required.  You must individually modify the rule action keyword from ALERT to DROP for those rules which you want to now "block" in the new mode.  This is the way things work with the Inline IPS Mode.  This new mode of operation is actually how all major IPS hardware operates – namely only selected rules drop or block traffic, and all the other rules just produce alerts with no blocks.

    So do I really have to change all rules manually to drop?

    Not all, but every rule you want to block traffic with has to be changed to DROP from ALERT.

    How should i know which rule I have to change to drop ?

    I don't mean to sound harsh with this reply, but if you can't answer this question then using the new mode may not be suitable for you yet.  Read up on rule signatures and various attack traffic types and methods to gain some knowledge about the blackhat hacking craft.  As you gain experience in that arena, the answer to your question will become more obvious.

    One easy shortcut for beginners is to subscribe to the Snort VRT ruleset.  Next, on the CATEGORIES tab in Suricata, check the box to use IPS Policy and select a policy.  For beginners, I strongly recommend starting with "Connectivity".  This provides basic protection from most really bad stuff while at the same time not being overly aggressive with false positives.  Underneath the drop-down where you choose the IPS policy is another option for choosing the Policy Mode.  Set that to "Policy" in order to use the suggested rule action contained in the IPS Policy metadata provided by the Snort VRT folks.  When set to "Policy" mode, Suricata will automatically change the rule action to match that suggested by the rule metadata.  There is some help text on the screen to explain the options.  To gain a better understanding of IPS Policies inside the Snort rules, try a few searches on Google.

    Bill



  • OK, thanks for your support.

    I will follow your advice!