How to trace which rule triggered a block in Suricata?
-
Hi, I just installed Suricata and have enabled the SnortGPLv2 Community Rules on my WAN interface and set it to Block mode.
I noticed that my Spotify stopped working so I checked Diagnostics > System Logs > Firewall and sure enough there is a block that I believe is related to this: Block snort2c hosts (1000000110)
My question is -- how can I determine which specific rule was triggered for this block? I'm not sure how to trace the offending rule that was triggered and initiated the block so that I can either modify or disable it.
Any help on this would be greatly appreciated!!!
Thanks!
-
There is an ALERTS tab in the Suricata GUI. That tab shows all rules which fired and produced a block. You can also view blocked IP addresses under the BLOCKS tab in the Suricata GUI. The firewall log is really not helpful at all for determining what the IDS/IPS is doing. Instead, use the tabs provided by the IDS/IPS GUI package. That's why they are there.
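The ALERTS tab is the right place to look, but the same correlation can be done from Suricata's own EVE JSON log when you want to tie a host in the snort2c block table back to the exact signature (gid:sid:rev) that fired. The following is an added example, not code from the thread or from the pfSense Suricata package: it reads constructed eve.json alert records, lists every alert involving a given blocked host, counts which signatures actually produced a block, and builds a Suricata threshold.config `suppress` line for the one you decide to tune. The sample log lines, IP addresses and rule names are all constructed; a real file path such as `/var/log/suricata/<interface>/eve.json` is an assumption about where your install writes the log.

```python
import json
from collections import Counter

# Constructed eve.json records (not real traffic): three alerts and one flow event.
# In a real deployment you would read the file Suricata writes for the interface.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":51234,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2100000,"rev":3,"signature":"EXAMPLE constructed rule A","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"203.0.113.5"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":443,"dest_ip":"192.0.2.10","dest_port":51234,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2100001,"rev":1,"signature":"EXAMPLE constructed rule B","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100002,"rev":1,"signature":"EXAMPLE constructed rule C","category":"Not Suspicious","severity":3}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def alerts_for_host(text, host):
    """Return every alert record where `host` is the source or destination IP.

    Each record carries the identifiers you need to find the rule in the GUI
    (gid, sid, rev) plus the action Suricata took, so you can tell a rule that
    merely alerted apart from one that actually blocked.
    """
    matches = []
    for ev in parse_eve(text):
        if ev.get("event_type") != "alert":
            continue
        if host not in (ev.get("src_ip"), ev.get("dest_ip")):
            continue
        a = ev["alert"]
        matches.append({
            "timestamp": ev["timestamp"],
            "gid": a["gid"],
            "sid": a["signature_id"],
            "rev": a["rev"],
            "signature": a["signature"],
            "action": a["action"],
            "src": f'{ev["src_ip"]}:{ev.get("src_port", "")}',
            "dest": f'{ev["dest_ip"]}:{ev.get("dest_port", "")}',
        })
    return matches


def blocking_signatures(text, host):
    """Count only the signatures whose action was 'blocked' for this host.

    Keys are (gid, sid, signature) so the result maps directly onto a rule.
    """
    counts = Counter()
    for rec in alerts_for_host(text, host):
        if rec["action"] == "blocked":
            counts[(rec["gid"], rec["sid"], rec["signature"])] += 1
    return counts


def suppress_line(gid, sid, host, track="by_src"):
    """Build a Suricata threshold.config suppress entry for one rule and one IP.

    Suppressing per host is narrower than disabling the rule outright, which
    is usually the better first step for a false positive like a music service.
    """
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {host}"


if __name__ == "__main__":
    blocked_host = "203.0.113.5"  # constructed: the IP you saw in the snort2c table
    for rec in alerts_for_host(SAMPLE_EVE, blocked_host):
        print(f'{rec["timestamp"]} {rec["action"]:8} {rec["gid"]}:{rec["sid"]}:{rec["rev"]} '
              f'{rec["src"]} -> {rec["dest"]} {rec["signature"]}')
    for (gid, sid, sig), n in blocking_signatures(SAMPLE_EVE, blocked_host).items():
        print(f"{n} block(s) from {gid}:{sid} ({sig})")
        print("  candidate suppress entry:", suppress_line(gid, sid, blocked_host))
```

The `action` field is what distinguishes an alert from a block: in IPS mode a rule with the `alert` action only logs, while `drop` rules show up as `blocked`, so filtering on it avoids chasing rules that never affected the traffic.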
-
@bmeeks Awesome, thank you sir! I somehow overlooked this ridiculously obvious tab... still trying to wrap my head around this system. This solved my problem, thanks for the help!