Suricata turn on/off blockoffenders through command line



  • Hi all,

    I'm trying to set a cron job to turn off and on blocking at certain times of the day, but I can't for the life of me find a command to do this so that I can plug it into cron.

    Does anyone else already know of a way to do this?



  • There is no functionality included within the package to do this.  Why would you want to turn off the protection anyway?  If you are having issues with false positives, fix those instead of turning off all protection.

    Bill



  • We haven't implemented the IPS in production yet. The thinking was in the beginning stages of implementation we would only block hosts during working hours so that we can handle any false positives/blocks while we are on the clock, and disable blocking so issues don't crop up when we've all gone home for the day. If it's not possible then we'll just have to deal with it I guess.


  • Moderator

    Start to use the IDS in non-blocking mode for a couple weeks. This will give you time to fine-tune the rulesets according to the network characteristics.