I have started using the IPS feature of Suricata and plugged in some rules of my own. Alerts and drops work fine.
I would like to enhance the setup by temporarily blacklisting IPs that match rules, i.e. something like fwsam:src, 60 minutes;
After reading the first three dozen sites on this topic I concluded that this is not possible with Suricata as installed on OPNsense.
Is this the right conclusion?
Is there a workaround? Triggering an action when Suricata matches a rule and adding the IP to a firewall table? And having a periodic cron job expire the IPs?
I appreciate any advice on this topic.
Cheers,
Keve