Netgate Discussion Forum
    Suricata - blocking in legacy inline mode

    gbqs:

      Hi

      I've enabled Suricata with some custom rules. I can't get these to trigger a drop for traffic that matches these rules. The alert is generated and shown in red, but the traffic is always allowed and the offending host can still send traffic.

      I've checked the passlist and it's empty.

      Anyone have any ideas? The same rules worked with Snort, but not Suricata.

      Thank you.

    bmeeks (last edited by bmeeks):

        Since you did not provide a sample of your rules or a screenshot of your interface configuration, all I can do is guess. Here are some guesses:

        1. You did not check the box to "kill states" when blocking an offender;
        2. You are testing with IP addresses that are contained within the default Pass List used by Legacy Mode blocking;
        3. You used two mutually exclusive terms to describe your setup: "legacy" and "inline" don't go together in Suricata. You must use either Legacy Mode blocking or Inline IPS Mode blocking. There is no such thing as "legacy inline", so which do you actually have configured? The fact that you said the "alerts show up in red" indicates you may be using Inline IPS Mode;
        4. If you are actually using Inline IPS Mode and your interface is a PPPoE configuration, then it won't block as PPPoE traffic does not pass through a netmap interface. Inline IPS Mode uses netmap;
        5. With Inline IPS Mode, you must actually change the rule action to DROP in order to drop or block traffic. If you leave the rule action as ALERT, then that's all you get: just an alert in red.

        Read up on Suricata's operation and how to use SID MGMT features here: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
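        The two checks from guesses 2 and 5 above, worked as an added example (not code from the thread or from the pfSense package): a small script that rewrites ALERT rules to DROP for chosen SIDs, the way a dropsid override does, and tests whether a source address would fall inside a Legacy Mode pass list. The rule lines, SIDs and pass-list networks are constructed for the example.

```python
import ipaddress
import re

# Constructed sample rules: one custom rule still at ALERT, one already DROP.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CUSTOM ssh probe"; sid:9000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"CUSTOM telnet"; sid:9000002; rev:1;)
# comment lines are passed through untouched
"""

# Constructed stand-in for a default Legacy Mode pass list (local nets, gateway, DNS).
DEFAULT_PASS_LIST = ["192.168.1.0/24", "10.0.0.0/8", "198.51.100.1/32", "9.9.9.9/32"]

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*sid:\s*(?P<sid>\d+)\s*;.*)$'
)

def apply_drop_overrides(rules_text, drop_sids):
    """Change the action of the listed SIDs from ALERT to DROP.
    In Inline IPS Mode only a DROP action actually blocks; ALERT just logs in red.
    Returns (rewritten_text, list_of_sids_changed)."""
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group("sid")) in drop_sids and m.group("action") == "alert":
            out.append("drop " + m.group("rest"))
            changed.append(int(m.group("sid")))
        else:
            out.append(line)  # comments, non-matching rules, rules already DROP
    return "\n".join(out) + "\n", changed

def actions_by_sid(rules_text):
    """Map sid -> action so a rule set can be audited before reloading Suricata."""
    result = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            result[int(m.group("sid"))] = m.group("action")
    return result

def passlisted(ip, pass_list):
    """True if ip sits inside any pass-list network: Legacy Mode will never block it,
    no matter how many alerts it raises."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in pass_list)

if __name__ == "__main__":
    new_rules, changed = apply_drop_overrides(SAMPLE_RULES, {9000001})
    print("changed SIDs:", changed, "actions now:", actions_by_sid(new_rules))
    print("192.168.1.50 pass-listed:", passlisted("192.168.1.50", DEFAULT_PASS_LIST))
```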

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.