SURICATA - pfSense 2.5, the system cannot automatically block the hosts
-
Hi folks,
I've just installed Suricata on pfSense 2.5. The system logs the alarms but does not put the hosts in the block list. Can anyone help?
Thanks in advance
-
Are you in legacy mode (the default) or inline mode?
If Legacy, is Block Offenders checked on the interface?
If Inline, did you follow the instructions that show when that is selected?
"When using Inline IPS Mode blocking, you must manually change the rule action from ALERT to DROP for every rule which you wish to block traffic when triggered. The default action for rules is ALERT. This will produce alerts but will not block traffic when using Inline IPS Mode for blocking.
Use the "dropsid.conf" feature on the SID MGMT tab to select rules whose action should be changed from ALERT to DROP. If you run the Snort rules and have an IPS policy selected on the CATEGORIES tab, then rules defined as DROP by the selected IPS policy will have their action automatically changed to DROP when the "IPS Policy Mode" selector is configured for "Policy"."
-
@steveits all the settings are right...
After two hours of brain cracking, I just restarted the Suricata service and it started to work (I found this trick by googling).
Thank you so much
-
@giacomo-si said in SURICATA - pfSense 2.5, the system cannot automatically block the hosts:
@steveits all the settings are right...
After two hours of brain cracking, I just restarted the Suricata service and it started to work (I found this trick by googling).
Thank you so much
When you change any settings within Suricata, you must restart the service on the interface for the changes to take effect. Suricata reads its configuration only once, at startup. Changes made to the configuration are not seen again until the next stop/start cycle.
-
Thank you @bmeeks ,
Maybe I should open a new topic, but... is there a quick way to prevent false alarms? Thanks in advance
-
@giacomo-si said in SURICATA - pfSense 2.5, the system cannot automatically block the hosts:
quick way to prevent false alarms
You can suppress the rule for an IP address on the alerts tab, via the [+] icon.
Suggest not blocking by default until you have the rules/alerts configured as you want them.
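-
The two mechanisms mentioned in this thread, changing selected rules from ALERT to DROP for Inline IPS Mode (the dropsid.conf feature described by bmeeks above) and suppressing a rule for one IP address (the [+] icon steveits mentions), are both plain text transformations that are easy to inspect. The script below is an added example and is not code from the pfSense Suricata package or from anyone in this thread: it applies both transformations to a constructed three-rule file. The rules, SIDs, file names and the 192.0.2.10 address are all made up; the suppress line uses Suricata's own threshold.config syntax. On pfSense you should still do this through the SID MGMT and ALERTS tabs, because the package rebuilds the rules files on every update and hand edits there do not survive.

```shell
#!/bin/sh
# Added example, not pfSense Suricata package code. Reproduces on a constructed
# rules file what the dropsid.conf entry (SID MGMT tab) and the [+] suppress
# icon (ALERTS tab) cause the package to write. SIDs, file names and IPs are
# invented for illustration.

# Change the action of the given SIDs from "alert" to "drop" in RULES_FILE.
# Only a line that begins with "alert" and carries exactly that sid is touched,
# so sid:19000001 is not mistaken for sid:9000001.
# Usage: drop_sids RULES_FILE SID...
drop_sids() {
  rules="$1"; shift
  for sid in "$@"; do
    sed -E "s/^alert (.*sid:[[:space:]]*${sid};)/drop \1/" "$rules" > "$rules.tmp" \
      && mv "$rules.tmp" "$rules"
  done
}

# Number of rules in FILE whose action is ACTION ("alert", "drop", ...).
# Usage: count_action ACTION FILE
count_action() {
  grep -c "^$1 " "$2" || true   # grep -c exits 1 on zero matches but still prints 0
}

# One threshold.config suppress line: the alert for SID involving IP is never
# generated, so it cannot produce a block either. TRACK is by_src (default)
# or by_dst, the same choice the [+] icon offers.
# Usage: suppress_line SID IP [TRACK]
suppress_line() {
  printf 'suppress gen_id 1, sig_id %s, track %s, ip %s\n' "$1" "${3:-by_src}" "$2"
}

# Demo on a constructed three-rule file in a scratch directory.
demo() {
  dir=$(mktemp -d)
  rules="$dir/example.rules"
  cat > "$rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE inbound ssh"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc"; sid:9000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE dns"; sid:19000001; rev:2;)
EOF
  drop_sids "$rules" 9000001 9000002
  echo "rules now set to drop:"
  grep '^drop ' "$rules"
  echo "drop=$(count_action drop "$rules") alert=$(count_action alert "$rules")"
  echo "suppress entry for a noisy local host:"
  suppress_line 9000002 192.0.2.10 > "$dir/suppress.conf"
  cat "$dir/suppress.conf"
  rm -rf "$dir"
}

demo
```

Whichever way you make the change, the point bmeeks made still applies: Suricata only reads its rules and its suppress list at startup, so the interface's Suricata instance has to be restarted before a new DROP action or suppress entry has any effect.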