I am new to using suricata and was wondering when a rule blocks an Ip address how long is it blocked for and can I change the length of time a rule blocks an ip address. Also how would I unblock an ip that was blocked that is a false positive.
The length of time is set in the rule if it isnt a permanent block
To change block time you have to change it in the rule on your system, be aware it resets when rules are downloaded again
On your system get the rule, change it, put it back via sftp
Never heard of or seen a false positive
Rules are set to trigger, it isnt false
Would need more information on that
Thanks for the reply. I can see that now. About the false positives. I have suricata monitoring the wan with zenarmor on the lan. I have read the there are a lot of false positives from noise" that firewall rules are likely to drop anyway.