For posterity, I found references in the web forum that the "stream" 
rules basically don't work the way IDS is set up on pfSense so should be 
disabled.  I believe the issue is that it looks at the traffic in parallel so 
packets might be processed out of order.

        Still not sure why it wasn't honoring the Suppress instruction.

--

Steve Yates
ITS, Inc.


Steve Yates wrote on Mon, Jul 13 2015 at 3:16 pm:

>       I got Suricata installed and operating.  I found, oddly, that the 
> highest
> volume of packet errors alerted was to/from Symantec IPs.  I added that
> subnet as "trusted" but apparently that doesn't take effect unless automatic
> blocking is also enabled.  I have not had much luck having it actually 
> suppress
> the alerts though...  I edited the Suppress rules to use a subnet, which seems
> to be allowed, like so:
> 
> #SURICATA STREAM Packet with invalid ack
> suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
> 
> ...and then disabled and re-enabled Suricata on the WAN interface.  However,
> IPs from within that /24 still show in the Alerts tab?

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
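As an added illustration (not part of the thread, and not pfSense or Suricata project code), the script below parses threshold.config style suppress lines like the one quoted in the post and checks which alerts a rule actually silences. It assumes Suricata's documented track semantics: by_src compares the listed address against the packet source, by_dst against the destination, and by_either against both. The sig_id and /24 come from the post; the alert addresses are constructed sample data.

```python
"""Model Suricata threshold.config suppress lines and report which alerts they cover."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]   # "by_src", "by_dst", "by_either" or None (no address restriction)
    net: Optional[Network]  # address or CIDR block the track applies to


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str


# suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst|by_either>, ip <addr|cidr>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?$"
)


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' starts a comment as in threshold.config."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised suppress line: {raw!r}")
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gid), int(sid), track, net))
    return rules


def is_suppressed(rule: Suppress, alert: Alert) -> bool:
    """Assumed semantics: by_src checks the source, by_dst the destination, by_either both."""
    if (rule.gen_id, rule.sig_id) != (alert.gen_id, alert.sig_id):
        return False
    if rule.net is None:
        return True  # no track/ip clause: the signature is silenced everywhere
    src_in = ipaddress.ip_address(alert.src) in rule.net
    dst_in = ipaddress.ip_address(alert.dst) in rule.net
    if rule.track == "by_src":
        return src_in
    if rule.track == "by_dst":
        return dst_in
    return src_in or dst_in  # by_either


def unsuppressed(rules: List[Suppress], alerts: List[Alert]) -> List[Alert]:
    """Return the alerts that no rule in the list suppresses."""
    return [a for a in alerts if not any(is_suppressed(r, a) for r in rules)]


# The rule as quoted in the post (track by_dst) and a by_either variant for comparison.
POSTED_CONF = """\
#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
"""
EITHER_CONF = "suppress gen_id 1, sig_id 2210045, track by_either, ip 143.127.136.0/24\n"

# Constructed alerts: one in each direction between a host in that /24 and a LAN host,
# plus one unrelated source that must keep alerting.
ALERTS = [
    Alert(1, 2210045, "143.127.136.10", "192.0.2.25"),  # listed block is the source
    Alert(1, 2210045, "192.0.2.25", "143.127.136.10"),  # listed block is the destination
    Alert(1, 2210045, "198.51.100.7", "192.0.2.25"),    # unrelated, should still fire
]

if __name__ == "__main__":
    for label, conf in (("by_dst", POSTED_CONF), ("by_either", EITHER_CONF)):
        left = unsuppressed(parse_threshold_config(conf), ALERTS)
        print(f"{label}: {len(left)} of {len(ALERTS)} alerts still fire")
        for a in left:
            print("    ", a.src, "->", a.dst)
```

Run against the constructed alerts, the by_dst rule leaves the packet whose source is in the /24 alerting, while the by_either variant silences both directions and only the unrelated source remains; the same check can be pointed at a real threshold.config to confirm a suppress line covers the traffic direction that is actually generating alerts.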
