help with getting rules to block not just Alert

Started by opnsense-user123, December 30, 2017, 06:04:41 PM

Hello:

I tried to enable some intrusion prevention by following this guide: https://wiki.opnsense.org/manual/how-tos/ips-feodo.html

I believe I followed the steps correctly, including changing the default behavior 'change all alerts to drop actions' which I saved and updated. But when I look at the rules they still show the Action is Alert and under 'Alerts' I saw this which seems to indicate (though I'm not sure) a matched rule caused an alert not a block:

2017-12-30T16:22:00.512712+0000 allowed wan [redacted]  65264 69.192.76.62 443 SURICATA STREAM excessive retransmissions

It would be kind of tedious to switch all 3000 rules to block manually. Thanks for any help.

... I kept working on IPS, enabling some Snort rules, and restarted Suricata, and now when I look at the abuse.ch.sslblacklist.rules they are showing DROP. So, it fixed itself or else required a restart of Suricata service.

January 17, 2018, 06:07:50 PM #2 Last Edit: January 17, 2018, 06:23:08 PM by dcol
Changing all the rules to drop works but it takes a few minutes to propagate. Doesn't seem to have anything to do with restarting the Suricata service, although you have to restart the service to apply the rules.
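The thread turns on one check: whether the rule files Suricata actually loaded carry "drop" or "alert" as their action word. The script below is an added example, not part of this thread or of OPNsense; it parses Suricata rule lines, counts actions, lists the sids that are still alert-only, and shows what a "change all alerts to drop" rewrite does to a file (comments and disabled rules are left alone). The rule set embedded in it is constructed for the example; the msg strings and sids are made up and are not the abuse.ch feed.

```python
"""Inspect and rewrite the action field of Suricata rules (added example)."""
import re
from collections import Counter

# Constructed sample rule set in Suricata syntax. The msg strings, sids and
# options are made up for this example; they are not the real abuse.ch feed.
SAMPLE_RULES = """\
# Constructed sample rules for the example below
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE SSLBL bad cert 1"; sid:9000001; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE SSLBL bad cert 2"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE stream anomaly"; sid:9000003; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000004; rev:1;)
"""

# Active rule: action, header (proto src sport dir dst dport), then options in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<header>\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Return a list of dicts for every active (uncommented) rule in `text`.

    Commented-out rules ('# alert ...') are skipped: Suricata ignores them,
    so they cannot alert or drop no matter what their action word says.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue  # not a single-line rule (malformed or continued entry)
        sid = SID_RE.search(m.group("options"))
        msg = MSG_RE.search(m.group("options"))
        rules.append({
            "line": lineno,
            "action": m.group("action"),
            "header": m.group("header"),
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
        })
    return rules


def summarize_actions(rules):
    """Count how many active rules carry each action word."""
    return Counter(r["action"] for r in rules)


def still_alert(rules):
    """sids of active rules whose action is still 'alert' (log only, no block)."""
    return [r["sid"] for r in rules if r["action"] == "alert"]


def alerts_to_drop(text):
    """Rewrite 'alert' to 'drop' on active rule lines, leaving comments untouched.

    This mirrors what a 'change all alerts to drop' policy does to a rule file;
    the rules only block once Suricata runs in IPS (inline) mode and has
    reloaded the rewritten file.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("alert ") and RULE_RE.match(stripped):
            line = "drop " + stripped[len("alert "):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_rules(SAMPLE_RULES)
    print("before:", dict(summarize_actions(before)), "still alert:", still_alert(before))
    after = parse_rules(alerts_to_drop(SAMPLE_RULES))
    print("after: ", dict(summarize_actions(after)), "still alert:", still_alert(after))
```

Pointing `parse_rules` at the rule files Suricata has actually loaded (rather than at the GUI's view of them) is the quickest way to tell whether a policy change has propagated yet: an empty `still_alert` list means every active rule is set to drop, and a non-empty one names the sids that would still only log.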