Am I missing something?
-
Google says this is a common settings issue.. but I can't figure out why it's not blocking..
According to the blocks they are set to Alert.. According to the settings title: "block on drop only" description says it also blocks on alert, but I see nothing in Blocks.. If I manually change the rule to drop, it will drop and add to blocks, but I thought that's what the override in settings was supposed to do..
(screenshots of suricata settings, snort rules, enabled and updated. ETOpen ET rules, Snort Free, Snort GPLv2, and "hide deprecated categories")
bce dual nic.. 2.5.0 development version
bce1 is wan
bce0 is tagged for vlan 10, 20, 30, 172
only running suricata on bce1 (wan)
hardware checksum - disabled
hardware tso offload - disabled
hardware lro offload - disabled
inline does not enable, so sticking with legacy..
Thanks in advance for any suggestions.
-
@mystique_
"Checking this option will insert blocks only when rule signatures having the DROP action are triggered. When not checked, any rule action (ALERT or DROP) will generate a block of the offending host. Default is Not Checked."
checked = only drop
not checked = alert and drop
-
Thank you for that.
There must be some way to make that description clearer.
After removing the check, I didn’t immediately see blocked hosts, but after restarting suricata, I now have blocked hosts.
Greatly appreciate your response.