Alerts not being blocked
-
I see a LOT of alerts that I would expect to be blocks. However, if I check the block list I only see 3.
These, for example, I would expect a block for: 62.204.41.30, 83.97.73.245, 79.124.62.82, etc. Should I not expect auto blocks? What am I missing? I have no IPs in my filtered whitelist.
-
@xokia I think I may know what's going on. These are ageing out of the block list; I had it set to 3 hrs. I increased it to 12 hrs.
-
@xokia said in Alerts not being blocked:
@xokia I think I may know what's going on. These are ageing out of the block list; I had it set to 3 hrs. I increased it to 12 hrs.
That was going to be my first question: what interval has been set for "clear blocked hosts"?
When an IP has not seen any additional traffic during the interval set for clearing blocked hosts, then the cron task will remove that IP from the snort2c pf table.
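To make the ageing behaviour described above concrete, here is an added worked example (not code from the thread or from the pfSense Snort package). It parses a constructed, approximated `pfctl -t snort2c -vT show` listing for the three addresses named in the thread and works out which entries a "clear blocked hosts" interval of 3 hours versus 12 hours would remove. The sample output, the "current time", and the assumption that an entry's `Cleared:` timestamp stands in for the last time the host saw traffic are all assumptions of the example, not facts from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of `pfctl -t snort2c -vT show` (format
# approximated; the addresses are the ones quoted in the thread).
SAMPLE_PFCTL_OUTPUT = """\
   62.204.41.30
\tCleared:     Mon Mar  4 08:05:00 2024
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
   83.97.73.245
\tCleared:     Mon Mar  4 11:30:00 2024
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
   79.124.62.82
\tCleared:     Mon Mar  4 13:10:00 2024
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
"""

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 3, 4, 14, 0, 0)

ADDR_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")


def parse_table(text):
    """Map each table address to its Cleared timestamp.

    In this model the Cleared time is treated as the last time the host
    saw traffic (an assumption of the example).
    """
    entries = {}
    current = None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CLEARED_RE.match(line)
        if m and current:
            # Collapse the day-padding double space before strptime.
            stamp = " ".join(m.group(1).split())
            entries[current] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return entries


def expired_hosts(entries, interval_hours, now=NOW):
    """Addresses older than the clear-blocked-hosts interval (would be removed)."""
    limit = timedelta(hours=interval_hours)
    return sorted(ip for ip, seen in entries.items() if now - seen > limit)


def remaining_hosts(entries, interval_hours, now=NOW):
    """Addresses that would still be in the snort2c table after the cron run."""
    gone = set(expired_hosts(entries, interval_hours, now))
    return sorted(ip for ip in entries if ip not in gone)


if __name__ == "__main__":
    table = parse_table(SAMPLE_PFCTL_OUTPUT)
    for hours in (3, 12):
        print(f"interval {hours}h: removed={expired_hosts(table, hours)} "
              f"kept={remaining_hosts(table, hours)}")
```

With the constructed timestamps, the 3-hour interval drops 62.204.41.30 (last seen almost six hours earlier) while the 12-hour interval keeps all three, which is the difference the thread's author observed after raising the setting.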