Hi all
Configured Suricata, enabled, IPS mode enabled, ET telemetry rules downloaded and enabled. Under alerts I see the SSH scan has been blocked; however, I have NAT to an internal SSH gateway, and I see the IP which should be blocked is reaching the gateway...
2019-11-07T12:05:40.644965+0100 2001219 blocked WAN 185.232.x.x 62920 x.x.x.x 22 ET SCAN Potential SSH Scan
Why is it permitted?
Example below, Suricata shows blocked in Alerts, but on the gateway I can see that the IP connected. OPNsense restarted, gateway restarted.