OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: mucflyer on November 07, 2019, 12:09:46 pm

Title: Suricata permits traffic despite being blocked in the log.
Post by: mucflyer on November 07, 2019, 12:09:46 pm
Hi all
Configured Suricata, enabled, IPS mode enabled, ET telemetry rules downloaded and enabled. Under Alerts I see an SSH scan has been blocked; however, I have NAT to an internal SSH gateway, and I see the IP which should be blocked is reaching the gateway...

2019-11-07T12:05:40.644965+0100   2001219   blocked   WAN   185.232.x.x   62920   x.x.x.x   22   ET SCAN Potential SSH Scan

Why is it permitted?

Title: Re: Suricata permits traffic despite being blocked in the log.
Post by: mucflyer on November 19, 2019, 11:18:28 am
Example below: Suricata shows blocked in Alerts, but on the gateway I can see that the IP connected. OPNsense restarted, gateway restarted.