My intrusion detection keeps picking up a security company spamming my ports to check for vulnerable VOIP ports. I do not use VOIP, and monit keeps spamming my email with alerts over it. To silence it do I want to reject or block connections on that port? What's the difference between the two?
You almost never want to reject any packet, because that in itself shows a potential attacker that something (tm) is present at this IP, encouraging him to keep on trying to pry his way in.
This has nothing to do with what is being logged and subsequently potentially seen and alerted on by monit. Thus, you could use a specific rule for the traffic in question which blocks it but never logs anything.
Reject is useful for "trusted" IPs, since they will not be forced into a timeout and will get the answer immediately.
I use rejects e.g. for blocking some DNS requests. With a block the clients will run into timeouts; with reject they get the answer "not allowed" immediately and can try another request without waiting too long.
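The two answers above describe three distinct behaviours: silently dropping scanner traffic so nothing is logged, rejecting with an immediate error for trusted hosts, and logging everything else. The following nftables ruleset is an added example illustrating all three; it is not from either poster. It assumes the probes are SIP on port 5060 (the question does not name the port), that 192.0.2.0/24 is the trusted network, and that SSH on port 22 is the only service that should be reachable.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed ports and addresses, not from the original thread).
flush ruleset

table inet filter {
    # Hosts that should get an immediate "not allowed" instead of a timeout.
    set trusted {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # VoIP probes: drop without any log line, so neither the scanner
        # nor monit sees anything. Port 5060 (SIP) is an assumption here.
        udp dport 5060 drop
        tcp dport 5060 drop

        # Trusted hosts asking for DNS we do not serve get an immediate
        # ICMP port-unreachable / TCP RST instead of hanging until timeout.
        ip saddr @trusted udp dport 53 reject with icmp type port-unreachable
        ip saddr @trusted tcp dport 53 reject with tcp reset

        # The one service that is meant to be reachable (assumed: SSH).
        tcp dport 22 accept

        # Everything else is logged (rate limited) and then hits the drop policy.
        limit rate 5/minute log prefix "nft-drop: "
    }
}
```

Load it with `nft -f <file>` and verify the active rules with `nft list ruleset`. The point of ordering is that the silent `drop` rules for the probed port sit before the logging rule, so those packets never reach it; untrusted DNS requests are not rejected either, they simply fall through to the log-and-drop path.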
Yeah, I have to work on filtering alerts from Monit. I'm getting spammed by security researchers checking for vulnerabilities.
Currently, I just have
content = "blocked"
for my Suricata service tests. Is it possible to drop a file path in the Monit Service Tests Settings? I'm probably going to have to filter out a ton of junk.
Would
content = "blocked" && ((content = "<test signature>" && content != "<ip address>") || /* more false positives */ )
be the right way to filter?