Suricata permits traffic despite being blocked in the log.

Started by mucflyer, November 07, 2019, 12:09:46 PM

Hi all
Configured Suricata, enabled it, enabled IPS mode, and downloaded and enabled the ET telemetry rules. Under Alerts I see an SSH scan has been blocked; however, I have a NAT to an internal SSH gateway, and I see that the IP which should be blocked is reaching the gateway...

2019-11-07T12:05:40.644965+0100   2001219   blocked   WAN   185.232.x.x   62920   x.x.x.x   22   ET SCAN Potential SSH Scan

Why is it permitted?

Example below: Suricata shows "blocked" in Alerts, but on the gateway I can see that the IP connected. OPNsense restarted, gateway restarted.
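One way to confirm the discrepancy described in this post from the logs themselves, as an added example that is not part of the thread and not Suricata's or OPNsense's own tooling: parse the alert lines in the column layout shown above (timestamp, sid, action, interface, source IP and port, destination IP and port, rule message) and pair every "blocked" alert with an sshd connection from the same source address that the internal gateway logged shortly afterwards. The alert and sshd lines below are constructed samples; the hostname "gateway", the 10.0.0.5 address and the sshd "Connection from" message format (logged at LogLevel VERBOSE) are assumptions, as is that both logs use the same local time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alert lines in the nine-column layout the post shows:
# timestamp, sid, action, interface, src ip, src port, dst ip, dst port, message.
ALERT_LOG = """\
2019-11-07T12:05:40.644965+0100   2001219   blocked   WAN   185.232.0.1   62920   203.0.113.10   22   ET SCAN Potential SSH Scan
2019-11-07T12:06:02.100000+0100   2001219   allowed   WAN   198.51.100.7   40000   203.0.113.10   22   ET SCAN Potential SSH Scan
"""

# Constructed sshd lines from the internal gateway behind the NAT (LogLevel VERBOSE
# "Connection from" messages). The hostname "gateway" and 10.0.0.5 are made up.
SSHD_LOG = """\
Nov  7 12:05:41 gateway sshd[1234]: Connection from 185.232.0.1 port 62920 on 10.0.0.5 port 22
Nov  7 12:09:00 gateway sshd[1240]: Connection from 192.0.2.8 port 51000 on 10.0.0.5 port 22
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection from (?P<ip>\S+) port \d+"
)


def parse_alerts(text):
    """Split each alert line on runs of 2+ spaces; the rule message keeps its single spaces."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=8)
        if len(cols) != 9:
            continue  # not in the expected nine-column layout
        ts = datetime.strptime(cols[0], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append({
            # drop the UTC offset: the sshd log has none, and both are assumed to be local time
            "time": ts.replace(tzinfo=None),
            "sid": int(cols[1]),
            "action": cols[2],
            "iface": cols[3],
            "src_ip": cols[4],
            "src_port": int(cols[5]),
            "dst_ip": cols[6],
            "dst_port": int(cols[7]),
            "msg": cols[8],
        })
    return alerts


def parse_sshd(text, year):
    """Return (time, source ip) for each logged connection; syslog lines carry no year."""
    conns = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        conns.append((ts, m["ip"]))
    return conns


def find_leaks(alerts, conns, window_seconds=60):
    """Pair each 'blocked' alert with a gateway connection from the same source IP
    arriving within window_seconds after it: evidence that the drop did not take effect.
    Matching is on source IP only, because the NAT rewrites the destination."""
    window = timedelta(seconds=window_seconds)
    leaks = []
    for a in alerts:
        if a["action"] != "blocked":
            continue
        for conn_time, ip in conns:
            if ip == a["src_ip"] and timedelta(0) <= conn_time - a["time"] <= window:
                leaks.append({"sid": a["sid"], "src_ip": ip,
                              "alert_time": a["time"], "conn_time": conn_time})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(parse_alerts(ALERT_LOG), parse_sshd(SSHD_LOG, 2019)):
        print(f"sid {leak['sid']} blocked {leak['src_ip']} at {leak['alert_time']}, "
              f"but sshd saw it at {leak['conn_time']}")
```

With the constructed input the first alert is reported as a leak (the source connected to sshd less than a second after the "blocked" alert), the "allowed" alert is skipped, and the unrelated connection from 192.0.2.8 produces nothing. Running the same pairing over real exported logs separates "the alert says blocked" from "the packet was actually dropped", which is the question the post raises.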