Suricata IPS: Unblocking a blocked IP address

Started by Meg, February 28, 2025, 12:21:58 AM

I am new to using Suricata and was wondering, when a rule blocks an IP address, how long is it blocked for, and can I change the length of time a rule blocks an IP address? Also, how would I unblock an IP that was blocked that is a false positive?

The length of time is set in the rule if it isn't a permanent block.
To change the block time you have to change it in the rule on your system; be aware it resets when rules are downloaded again.
On your system, get the rule, change it, and put it back via SFTP.
Never heard of or seen a false positive.
Rules are set to trigger; it isn't false.
Would need more information on that.

Thanks for the reply. I can see that now. About the false positives: I have Suricata monitoring the WAN with Zenarmor on the LAN. I have read that there are a lot of false positives from "noise" that firewall rules are likely to drop anyway.

There is no such thing as a false positive in OPNsense. There may be a blocked IP that you want to go to, but that's not false; it's set to trigger on that IP. Such as social media: there are rules to block them, the reason being to stop beacons and being sent there by other means when you didn't want to go there, like anchors within something you click on. If you have found, say, a social media site's IP that is blocked and you want to go there, there are two options. Create a policy that blocks the social media ruleset, then disable the ruleset when you want to go there, then you can enable it again. Or you can search in the rules box by typing "social media" or "facebook" and it will show rules associated with that, and you can adjust the rule action that way. But policies are better as they won't bog down the engine with too many individual changes. Hope that helps.
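As an added example (not part of this thread, and not OPNsense's or Suricata's own code), the following Python script models the workflow described in both replies on a plain Suricata rules file: search rules by a term in their msg (the way one would type "social media" or "facebook" into the rules search box), change the action of the matching rules (for instance drop to alert), and keep the changed sids in an override map so the same edit can be reapplied after a ruleset download overwrites the file, which is the reset the first reply warns about. The rule lines, sids and msg strings below are constructed for illustration; the file transfer step (SFTP) is not modelled.

```python
"""Search a Suricata rules file by msg text and change the action of the
matching rules, keeping an override map so the edit can be reapplied after
the ruleset is downloaded again.

Added example for this thread; it is not OPNsense or Suricata code. The rule
lines, sids and msg strings are constructed for illustration.
"""
import re

ACTIONS = r"alert|drop|pass|rejectsrc|rejectdst|rejectboth|reject"

# A rule line, optionally commented out with '#': action, header, then the
# parenthesised option list.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>" + ACTIONS + r")\s+(?P<rest>.*\(.*\)\s*)$"
)
# Leading action keyword, with any indentation preserved in group 1.
ACTION_RE = re.compile(r"^(\s*)(" + ACTIONS + r")\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed sample ruleset (made-up sids in the local range, made-up msgs).
SAMPLE_RULES = """\
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE social media beacon"; flow:to_server; content:"example-social.test"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE unrelated policy rule"; sid:9000002; rev:1;)
# drop tcp any any -> any any (msg:"EXAMPLE disabled social media rule"; sid:9000003; rev:1;)
drop dns $HOME_NET any -> any 53 (msg:"EXAMPLE Social Media DNS lookup"; dns.query; content:"example-social"; sid:9000004; rev:2;)
"""


def parse_rule(line):
    """Return a dict describing one rule line, or None for blank/comment lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid = SID_RE.search(m.group("rest"))
    msg = MSG_RE.search(m.group("rest"))
    return {
        "enabled": m.group("disabled") is None,
        "action": m.group("action"),
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
    }


def find_sids(rules_text, term):
    """sids of all rules (enabled or not) whose msg contains term, case-insensitively."""
    term = term.lower()
    hits = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r["sid"] is not None and term in r["msg"].lower():
            hits.append(r["sid"])
    return hits


def apply_overrides(rules_text, overrides):
    """Rewrite the action of enabled rules listed in overrides ({sid: action}).

    Returns (new_text, changed_sids). Disabled (commented) rules and rules that
    already carry the requested action are left alone, so reapplying the same
    overrides after a ruleset refresh is idempotent.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r["enabled"] and r["sid"] in overrides and r["action"] != overrides[r["sid"]]:
            line = ACTION_RE.sub(r"\g<1>" + overrides[r["sid"]], line, count=1)
            changed.append(r["sid"])
        out.append(line)
    new_text = "\n".join(out)
    if rules_text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


if __name__ == "__main__":
    # Workflow from the thread: search for the rules, downgrade drop -> alert,
    # keep the override map to reapply after the next ruleset download.
    sids = find_sids(SAMPLE_RULES, "social media")
    overrides = {sid: "alert" for sid in sids}
    new_rules, changed = apply_overrides(SAMPLE_RULES, overrides)
    print("matching sids:", sids)
    print("changed sids:", changed)
    print(new_rules)
```

Running the script against the constructed sample finds three rules mentioning social media, changes the two enabled ones from drop to alert, and leaves the commented-out one untouched. Keeping the override map (sid to action) outside the rules file is the point: when the ruleset is downloaded again and the edits reset, the same map is applied a second time, and rules that already have the requested action are skipped.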