Suricata blocking google.com
Anybody else experiencing this?? Really annoying for the users since it's the default search engine in Firefox.
bmeeks last edited by
Rules block things, so which rule is triggering?
Research and identify if that rule is triggering on a false positive. If so, then disable it or suppress it. For true false positives, I tend to favor disabling so as to conserve CPU cycles.
@bmeeks It's really hard to say since there are so many IPs that are related to Google services.
And it just keeps on blocking if I can't whitelist google.com as a domain....
bmeeks last edited by bmeeks
You will need to identify the rule (or rules) that is triggering and take action on the GID:SID level by disabling or suppressing the rule.
If you are having issues with Google, it is likely that you are being much too aggressive with the rules you have enabled. In other words, you have too much turned on. That is the balancing act of IPS, especially legacy-mode IPS where the blocking is done at the host IP level instead of by selectively dropping just individual packets. You can't enable lots of rules for blocking and not expect trouble with false positives.
If the impact is significant, then switch off blocking mode, and then clear all the blocked hosts on the BLOCKS tab (I assume you are using Legacy Mode).
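
Added example, not part of the thread and not from any poster: one way to find which GID:SID pairs are behind a set of blocked hosts, by tallying Suricata fast.log alert lines and printing suppress entries in threshold.config syntax for the rules you have reviewed. The log lines, SIDs, messages and addresses are constructed, the function names are hypothetical, and the pattern handles IPv4 only.

```python
import re
from collections import defaultdict

# fast.log layout: <ts>  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*"
    r"\{[^}]+\} ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts; SIDs, messages and addresses are made up for illustration.
SAMPLE_LOG = """\
03/14/2024-09:15:02.118234  [**] [1:9000001:3] EXAMPLE stream anomaly [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:51514 -> 203.0.113.7:443
03/14/2024-09:15:04.551902  [**] [1:9000001:3] EXAMPLE stream anomaly [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:443 -> 192.0.2.11:49822
03/14/2024-09:16:40.007311  [**] [1:9000002:1] EXAMPLE policy match [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.10:40112 -> 203.0.113.7:443
03/14/2024-09:17:12.730045  [**] [1:9000003:2] EXAMPLE scan heuristic [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.12:50001 -> 198.51.100.20:80
"""

def tally_rules(lines):
    """Group alerts by (gid, sid); record message, hit count and the hosts involved."""
    rules = defaultdict(lambda: {"msg": "", "hits": 0, "hosts": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip blank or non-alert lines
        gid, sid, msg, src, dst = m.groups()
        entry = rules[(int(gid), int(sid))]
        entry["msg"] = msg
        entry["hits"] += 1
        entry["hosts"].update((src, dst))
    return dict(rules)

def rules_touching(rules, hosts):
    """Return (gid, sid) pairs whose alerts involved any of the given hosts, busiest first."""
    wanted = set(hosts)
    hits = [(k, v) for k, v in rules.items() if v["hosts"] & wanted]
    return [k for k, v in sorted(hits, key=lambda kv: -kv[1]["hits"])]

def suppress_entries(pairs):
    """Format threshold.config suppress lines for rules already judged false positives."""
    return [f"suppress gen_id {gid}, sig_id {sid}" for gid, sid in pairs]

if __name__ == "__main__":
    rules = tally_rules(SAMPLE_LOG.splitlines())
    blocked = ["203.0.113.7", "203.0.113.9"]  # constructed: hosts copied from the BLOCKS tab
    for line in suppress_entries(rules_touching(rules, blocked)):
        print(line)
```

The output is a candidate list only: read each rule's message and the traffic it matched before suppressing or disabling it.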