Netgate Discussion Forum
    No Alerts using Suricata inline mode.

    IDS/IPS
    23 Posts 3 Posters 5.1k Views

    SteveITS Rebel Alliance
      last edited by

      Hi Bill, I saw there was a new Suricata package, updated, enabled Inline mode, and am seeing alerts/blocks!  Hooray!

      Semi-related to this thread, since we were talking about pass lists, I noticed the Pass List setting was removed for Inline mode.  We had a few external things in there like our anti-spam service and our web server cluster, that we didn't want to block.  Is there still a way to accomplish that?  Or just add to the suppress list as alerts happen?

      Thanks,
      Steve

      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
      Upvote 👍 helpful posts!

      SteveITS Rebel Alliance
        last edited by

        Never mind, I found the release notes at https://forum.pfsense.org/index.php?topic=145489.0 and even better https://forum.pfsense.org/index.php?topic=145257.msg790339 that discuss pass lists.

        bmeeks
          last edited by

          @teamits:

          Never mind, I found the release notes at https://forum.pfsense.org/index.php?topic=145489.0 and even better https://forum.pfsense.org/index.php?topic=145257.msg790339 that discuss pass lists.

          You can use custom PASS rules to create a pass list, but just be careful as I warned in the posts you linked.  It is probably better to watch and either disable the bothersome rules, or use suppress lists and either of the "filter by IP" options that are available when you click the plus sign (+) beside the IP address columns on the ALERTS tab.  Doing it that way allows a rule-by-rule tuning and even limiting that to certain hosts (IP addresses).  Using a pass list is more like using a large hammer when what you really need is a jeweler's screwdriver.  With a PASS rule that filters only on an address, you are potentially exposing the whitelisted host to a lot of malicious stuff.

          Bill

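          To make the contrast Bill draws concrete, here is an added illustration (not from the original thread or from the pfSense Suricata package): an address-only custom PASS rule beside the narrower suppress-list entries that the ALERTS tab's "filter by IP" options generate. The addresses (203.0.113.25, 192.168.1.50) and the sid values are constructed placeholders, and the rule text is written by hand, not copied from the package.

```suricata
# --- The "large hammer": a custom PASS rule keyed only on an address ---
# Placed in the Suricata custom rules box. Because pass rules are evaluated
# before drop/alert rules, every packet to or from 203.0.113.25 is passed
# untouched in inline mode: no alert, no block, for ANY signature. This is
# exactly the exposure Bill warns about; the host is whitelisted wholesale.
pass ip 203.0.113.25 any <> any any (msg:"Constructed example: pass list for anti-spam service"; sid:9000001; rev:1;)

# --- The "jeweler's screwdriver": suppress-list entries (threshold.config syntax) ---
# Each line hides one signature (gen_id/sig_id) for one host only; every other
# rule still alerts and, in inline mode, still drops for that host.
# sid 1000001 and 1000002 are constructed placeholders for whatever rule fired.

# "filter by source IP" on the ALERTS tab: suppress sid 1000001 only when the
# source address is the anti-spam service.
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.25

# "filter by destination IP": suppress sid 1000002 only when the destination
# is the internal web server cluster member.
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.168.1.50

# A plain suppress with no track/ip clause silences the signature for every
# host; this is the option to reach for only when the rule itself is the problem.
suppress gen_id 1, sig_id 1000002
```

          In the pfSense package the suppress entries are edited under the Suppress tab and attached to an interface, while custom rules go in the interface's custom rules box; the suppress approach keeps every other signature active for the tuned host.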
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.