Suricata - blocking in legacy inline mode

gbqs

Hi

I've enabled Suricata with some custom rules. I can't get these to trigger a drop for traffic that matches these rules. The alert is generated and shown in red, but the traffic is always allowed and the offending host can still send traffic.

I've checked the passlist and it's empty.

Anyone have any ideas ? The same rules worked with snort, but not suricata..

thank you.

bmeeks

Since you did not provide a sample of your rules or a screenshot of your interface configuration all I can do is guess. Here are some guesses:

1. You did not check the box to "kill states" when blocking an offender;
2. You are testing with IP addresses that are contained within the default Pass List used by Legacy Mode blocking;
3. You used two mutually exclusive terms to describe your setup, "legacy" and "inline" don't go together in Suricata. You must use either Legacy Mode blocking or Inline IPS Mode blocking. There is no such thing as "legacy inline", so which do you actually have configured? The fact you said the "alerts show up in red" indicates you may be using Inline IPS Mode;
4. If you are actually using Inline IPS Mode and your interface is a PPPoE configuration, then it won't block as PPPoE traffic does not pass through a netmap interface. Inline IPS Mode uses netmap;
5. With Inline IPS Mode, you must actually change the rule action to DROP in order to drop or block traffic. If you leave the rule action as ALERT, then that's all you get: just an alert in red.

Read up on Suricata's operation and how to use SID MGMT features here: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.