• Google says this is a common settings issue, but I can't figure out why it's not blocking.

    According to the blocks, they are set to Alert. The setting is titled "block on drop only", but its description says it also blocks on alert, and I see nothing in Blocks. If I manually change the rule to drop, it will drop and add to Blocks, but I thought that's what the override in settings was supposed to do.


    (screenshots of Suricata settings and Snort rules, enabled and updated: ETOpen ET rules, Snort Free, Snort GPLv2, and "hide deprecated categories")

    bce dual NIC, 2.5.0 development version

    bce1 is wan
    bce0 is tagged for vlan 10, 20, 30, 172

    Only running Suricata on bce1 (WAN).

    hardware checksum - disabled
    hardware tso offload - disabled
    hardware lro offload - disabled

    Inline does not enable, so sticking with legacy.

    Thanks in advance for any suggestions.

  • LAYER 8

    Checking this option will insert blocks only when rule signatures having the DROP action are triggered. When not checked, any rule action (ALERT or DROP) will generate a block of the offending host. Default is Not Checked.

    checked = only drop
    not checked = alert and drop
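To make the effect of that checkbox concrete, here is an added example (not code from the original thread and not the pfSense Suricata package's own blocking module) that parses a few constructed Suricata fast.log lines and decides which hosts would end up in the block table under each setting. Suricata writes a "[Drop]" tag in front of alerts produced by DROP rules; untagged lines are plain ALERTs. The `which` parameter mirrors the package's "Which IP to Block" choice and `pass_list` mirrors its pass list; how closely those semantics match the real package is an assumption, as are the hypothetical function names.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Three constructed fast.log lines in Suricata's standard format (not real traffic).
# Only the second one came from a DROP rule, shown by the "[Drop]" tag.
FAST_LOG = """\
03/01/2021-10:15:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.10:51234
03/01/2021-10:15:02.654321  [Drop] [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:44321 -> 192.0.2.10:1433
03/01/2021-10:15:03.000001  [**] [1:2000538:9] ET SCAN NMAP -sS window 2048 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.55:60000 -> 192.0.2.10:22
"""

# fast.log layout: timestamp, optional "[Drop]"/"[wDrop]" tag, [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>Drop|wDrop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_log(text: str) -> List[Dict[str, str]]:
    """Parse fast.log lines into dicts; action is 'drop' or 'alert'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than guess an address to block
        ev = m.groupdict()
        ev["action"] = "drop" if ev["action"] else "alert"
        events.append(ev)
    return events


def hosts_to_block(events: Iterable[Dict[str, str]],
                   block_on_drop_only: bool,
                   which: str = "src",
                   pass_list: Iterable[str] = ()) -> Set[str]:
    """Return the set of addresses that would be inserted into the block table.

    block_on_drop_only=True  -> only events from DROP rules produce blocks
    block_on_drop_only=False -> ALERT and DROP events both produce blocks
    which                    -> 'src', 'dst' or 'both', as in "Which IP to Block"
    pass_list                -> networks that are never blocked
    """
    nets = [ipaddress.ip_network(n) for n in pass_list]
    blocked: Set[str] = set()
    for ev in events:
        if block_on_drop_only and ev["action"] != "drop":
            continue  # this is the "checked = only drop" case
        candidates = {"src": [ev["src"]],
                      "dst": [ev["dst"]],
                      "both": [ev["src"], ev["dst"]]}[which]
        for ip in candidates:
            addr = ipaddress.ip_address(ip)
            if any(addr in n for n in nets):
                continue  # pass-listed (e.g. your own LAN) is never blocked
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    evs = parse_fast_log(FAST_LOG)
    print("checked (drop only):  ", sorted(hosts_to_block(evs, True)))
    print("not checked (any):    ", sorted(hosts_to_block(evs, False)))
    print("any, both, LAN passed:", sorted(hosts_to_block(
        evs, False, which="both", pass_list=["192.0.2.0/24"])))
```

With the box checked only 203.0.113.9 (the DROP-rule hit) is blocked; with it unchecked all three source hosts are. The pass list matters as soon as you block "both" ends, otherwise the first ALERT in the sample would block your own 192.0.2.10.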

  • Thank you for that.

    There must be some way to make that description clearer.

    After removing the check, I didn’t immediately see blocked hosts, but after restarting suricata, I now have blocked hosts.

    Greatly appreciate your response.