How to block ET CINS Active Threat Intelligence Poor Reputation?

[FarmServer]

I would like to block the IP addresses in the various "IP Groups" from this list but I cant seem to get the policy correct. Some remain allowed, and others are blocked.

I have CINS selected in the tag drop down menu and "new action" set to drop but for this one list that does not seem to be enough to get suricata to actually drop everything from this ET CINS list.

The IPs involved arent being flagged by other lists first, it just seems like something about this list is still overriding my attempts to drop the connection.

[abulafia]

For blocking all traffic to certain IPs, use IP Blocklists, not suricata - much faster.

1. Define a URL table alias with your IP source
2. Employ a firewall rule(s) to block all traffic from/to that alias.

[andrewoliv]

Thank you for this suggestion.

I have become very frustrated with defining Suricata policies.  I finally got the rules loaded but still get an error message that says the rules are not installed properly.(No indication as to which ones.....)

Suricata seems to detect lots of DNS queries it doesn't understand, not sure how malicious those queries are, I dont like the DNS queries are destined for some obscure DNS server other than DNS server I have defined running DNSSEC and TLS.

In addition the policies I define in Suricata have zero effect on the actual rule.  Lots of "Alert" but no "Drop" like the policy states.

Anyway anything I can do in the FW vs Suricata is very welcome.

I'm sure the issue I am having with Suricata is me and not the software but I cannot seem to find a guide that addresses any of these issues.

[FarmServer]

Getting the policy to drop properly would be ideal for me since the list gets updated from time to time. I frequently need to access the network from random locations and machines so I cant just blot out whole IP ranges or restrict to certain devices.

Its also just a bit frustrating that using the policy to drop anything with the CINS tag doesnt seem to actually do that. It seems to be the only policy this does not work on.

[abulafia]

Getting the policy to drop properly would be ideal for me since the list gets updated from time to time. I frequently need to access the network from random locations and machines so I cant just blot out whole IP ranges or restrict to certain devices.

I don't get this - what difference does it make it traffic is blocked or dropped?

The URL alias gets updated automatically too, you know ...