Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata blocks IP in friendly List

    Scheduled Pinned Locked Moved IDS/IPS
    4 Posts 2 Posters 353 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hebein
      last edited by

      Hello,

      Suricata blocks an IP though it is defined in the friendly list.
      Any hints?

      Regards,
      Gunther

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        1. Did you actually assign the custom Pass List to the interface? You must select it in the Pass List drop-down selector on the INTERFACE SETTINGS tab.

        2. Is the IP a static one? Suricata does not support a FQDN in a Pass List.

        3. Did you add the IP to the list after Suricata was started? If so, you must restart Suricata in order for it to re-populate the internal Pass List. The Pass List IP addresses are read once at startup and then stored in memory.

        Really need some more details about the steps you went through. I am assuming by "friendly list" you actually mean a formal Pass List that you created on the PASS LISTS tab.

        1 Reply Last reply Reply Quote 1
        • H
          hebein
          last edited by

          Hi, thanks for your reply. I has to manually restart suricata, the reload after saving the settings did not do the job. Now it works fine :)

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @hebein
            last edited by

            @hebein said in Suricata blocks IP in friendly List:

            Hi, thanks for your reply. I has to manually restart suricata, the reload after saving the settings did not do the job. Now it works fine :)

            When you make changes to a Pass List, you must completely restart the Suricata service as the Pass List contents are only read during startup. When you add a rule SID or an IP to a Suppress List, then the live reload should be sufficient (no need to physically restart the Suricata instance).

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.