Suricata block

calitzin

Good afternoon
Will someone know if Suricata can block malicious behavior instead of blocking the IP?

Gertjan

Hi,

Like cutting out bad content in IP packets ?
No way.

bmeeks

Yes, Suricata can drop packets within a session using its Inline IPS Mode. However, this mode uses the netmap OS driver and that requires your network interface card (NIC) be one of the supported driver families. Inline IPS Mode does not block a host IP address in the same way the Legacy Blocking mode does. Instead, it uses a netmap pipe between the NIC driver and the kernel OS stack and selectively drops packets that match Suricata rules.

There is a new Snort package available for pfSense-2.5-DEVEL that also implements the same Inline IPS Mode of operation (and with the same netmap driver limitations). The new Snort package allows you to leverage OpenAppID to detect Layer 7 applications and drop those packets.

Details on both packages can be found in the IDS/IPS sub-forum here: https://forum.netgate.com/category/53/ids-ips.