Hello:
I tried to enable some intrusion prevention by following this guide: https://wiki.opnsense.org/manual/how-tos/ips-feodo.html
I believe I followed the steps correctly, including changing the default behavior 'change all alerts to drop actions' which I saved and updated. But when I look at the rules they still show the Action is Alert and under 'Alerts' I saw this which seems to indicate (though I'm not sure) a matched rule caused an alert not a block:
2017-12-30T16:22:00.512712+0000 allowed wan [redacted] 65264 69.192.76.62 443 SURICATA STREAM excessive retransmissions
It would be kind of tedious to switch all 3000 rules to block manually. Thanks for any help.
... I kept working on IPS, enabling some Snort rules, and restarted Suricata, and now when I look at the abuse.ch.sslblacklist.rules they are showing DROP. So, it fixed itself or else required a restart of Suricata service.
Changing all the rules to drop works but it takes a few minutes to propagate. Doesn't seem to have anything to do with restarting the Suricata service, although you have to restart the service to apply the rules.
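The thread turns on two verification points: whether the "change all alerts to drop" policy has actually reached the rule files Suricata loads, and whether the entries in the alerts view say `allowed` or `blocked`. The script below is an added example, not code from the thread or from OPNsense, that checks both from the command line. It assumes the rule files use standard Suricata syntax (`action proto src sport -> dst dport (options; sid:N; ...)`) and that the alerts view column layout is timestamp, action, interface, source IP, source port, destination IP, destination port, message, as in the line quoted above. The rule text and alert lines embedded here are constructed samples with placeholder sids and RFC 5737 documentation addresses, not real abuse.ch content.

```python
import re
from collections import Counter

# Constructed sample of a Suricata rules file (placeholder sids, not real
# abuse.ch SSL blacklist rules). One rule is disabled by a leading '#'.
SAMPLE_RULES = """\
# comment line
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE SSL fingerprint"; sid:9000001; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE SSL fingerprint 2"; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"disabled rule"; sid:9000003; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE C2"; sid:9000004; rev:2;)
"""

# Constructed alert lines in the assumed OPNsense alerts-view layout:
# timestamp action interface src_ip src_port dst_ip dst_port message
SAMPLE_ALERTS = """\
2017-12-30T16:22:00.512712+0000 allowed wan 192.0.2.10 65264 198.51.100.7 443 SURICATA STREAM excessive retransmissions
2017-12-30T16:25:13.001000+0000 blocked wan 192.0.2.10 51234 203.0.113.5 443 EXAMPLE SSL fingerprint 2
2017-12-30T16:26:44.120000+0000 allowed wan 192.0.2.11 40000 203.0.113.9 443 EXAMPLE SSL fingerprint
"""

# Standard Suricata rule header: action, protocol, then options ending in a sid.
RULE_RE = re.compile(r'^\s*(alert|drop|reject|pass)\s+\S+.*?\bsid:\s*(\d+)\s*;', re.IGNORECASE)

# Assumed alerts-view layout; the message is everything after the destination port.
ALERT_RE = re.compile(r'^(\S+)\s+(allowed|blocked)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.*)$')


def rule_actions(text):
    """Return {sid: action} for every enabled rule in a rules file body.
    Lines beginning with '#' are comments or disabled rules and are skipped."""
    actions = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m:
            actions[int(m.group(2))] = m.group(1).lower()
    return actions


def action_summary(text):
    """Count enabled rules per action, so a rules file that should be all
    'drop' but still contains 'alert' entries stands out immediately."""
    return Counter(rule_actions(text).values())


def rules_still_alerting(text):
    """Sids whose action is still 'alert' after a drop policy was expected."""
    return sorted(sid for sid, act in rule_actions(text).items() if act == 'alert')


def parse_alerts(text):
    """Parse alerts-view lines into dicts; lines not matching the layout are ignored."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts, action, iface, src, sport, dst, dport, msg = m.groups()
        out.append({'ts': ts, 'action': action, 'iface': iface, 'src': src,
                    'sport': int(sport), 'dst': dst, 'dport': int(dport), 'msg': msg})
    return out


def allowed_alerts(text):
    """Alerts where the traffic was allowed through: the signature fired in
    alert mode (or is a stream/decoder event) rather than dropping."""
    return [a for a in parse_alerts(text) if a['action'] == 'allowed']


if __name__ == '__main__':
    # To check a live system, replace the sample text with the contents of the
    # rule files Suricata loads and an export of the alerts view.
    print('rule actions:', dict(action_summary(SAMPLE_RULES)))
    print('still alert :', rules_still_alerting(SAMPLE_RULES))
    for a in allowed_alerts(SAMPLE_ALERTS):
        print('allowed  ->', a['dst'], a['dport'], a['msg'])
```

Reading the rule files rather than the web UI separates the two failure modes the thread describes: if `action_summary` already reports only `drop` entries on disk, the UI is lagging behind the policy change and a service restart is all that is left; if it still reports `alert` entries, the policy has not been applied yet. The `allowed` entries in the alerts output are the ones worth reviewing afterwards, since a signature that is expected to drop should no longer appear there.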