Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Am I missing something?

    IDS/IPS
    2
    3
    345
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mystique_
      last edited by

      Google says this is a common settings issue.. but I can't figure out why it's not blocking..

      According to the blocks they are set to Alert.. According to the settings title: "block on drop only" description says it also blocks on alert, but I see nothing in Blocks.. If I manually change the rule to drop, it will drop and add to blocks, but I thought that's what the override in settings was supposed to do..

      https://imgur.com/a/D6ex23f

      (screen shots of suricata settings, snort rules, enabled and updated. ETOpen ET rules, Snort Free, Snort GPLv2, and "hide depreciated categories" )

      bce dual nic.. 2.5.0 development version

      bce1 is wan
      bce0 is tagged for vlan 10, 20, 30, 172

      only running suricata on bce1 (wan)

      hardware checksum - disabled
      hardware tso offload - disabled
      hardware lro offload - disabled

      inline does not enable, so sticking with legacy..

      Thanks in advance for any suggestions.

      kiokomanK 1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8 @Mystique_
        last edited by kiokoman

        @mystique_
        Checking this option will insert blocks only when rule signatures having the DROP action are triggered. When not checked, any rule action (ALERT or DROP) will generate a block of the offending host. Default is Not Checked.

        checked = only drop
        not checked = alert and drop

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 1
        • M
          Mystique_
          last edited by

          Thank you for that.

          There must be someway to make that description clearer.

          After removing the check, I didn’t immediately see blocked hosts, but after restarting suricata, I now have blocked hosts.

          Greatly appreciate your response.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post