For posterity, I found references in the web forum that the "stream" rules basically don't work the way IDS is set up on pfSense so should be disabled. I believe the issue is that it looks at the traffic in parallel so packets might be processed out of order.
Still not sure why it wasn't honoring the Suppress instruction.

--
Steve Yates
ITS, Inc.

Steve Yates wrote on Mon, Jul 13 2015 at 3:16 pm:
> I got Suricata installed and operating. I found, oddly, that the highest
> volume of packet errors alerted was to/from Symantec IPs. I added that
> subnet as "trusted" but apparently that doesn't take effect unless automatic
> blocking is also enabled. I have not had much luck having it actually suppress
> the alerts though... I edited the Suppress rules to use a subnet, which seems
> to be allowed, like so:
>
> #SURICATA STREAM Packet with invalid ack
> suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
>
> ...and then disabled and re-enabled Suricata on the WAN interface. However,
> IPs from within that /24 still show in the Alerts tab?

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
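As an added illustration (not part of the thread above, and not pfSense or Suricata code), the following small Python script parses suppress lines in Suricata's threshold.conf syntax and evaluates sample alerts against them. The point it shows is the one the quoted rule depends on: with `track by_dst` the `ip` subnet is compared only against the alert's destination address, so an alert whose source is inside 143.127.136.0/24 and whose destination is elsewhere is still raised. The sample alerts and the 192.0.2.0/24 addresses are constructed; `by_either`, which compares both sides, is accepted here on the assumption that the Suricata release in use documents it.

```python
import ipaddress
import re

# The suppress rule quoted in the thread, in threshold.conf syntax.
POST_RULE = """
#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
"""

# suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst|by_either>, ip <addr|cidr>]
RULE_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+))?\s*$"
)


def parse_suppress(text):
    """Return a list of suppress rules; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed suppress line: {line!r}")
        gid, sid, track, ip = m.groups()
        rules.append({
            "gen_id": int(gid),
            "sig_id": int(sid),
            "track": track,  # None: suppress this SID regardless of address
            "net": ipaddress.ip_network(ip, strict=False) if ip else None,
        })
    return rules


def is_suppressed(alert, rules):
    """True if any rule suppresses this alert (gen_id, sig_id, src_ip, dst_ip)."""
    src = ipaddress.ip_address(alert["src_ip"])
    dst = ipaddress.ip_address(alert["dst_ip"])
    for r in rules:
        if (r["gen_id"], r["sig_id"]) != (alert["gen_id"], alert["sig_id"]):
            continue
        if r["track"] is None:
            return True
        if r["track"] == "by_src" and src in r["net"]:
            return True
        if r["track"] == "by_dst" and dst in r["net"]:
            return True
        if r["track"] == "by_either" and (src in r["net"] or dst in r["net"]):
            return True
    return False


# Constructed sample alerts: 192.0.2.5 stands in for a LAN host.
SAMPLE_ALERTS = [
    # LAN -> Symantec range: destination is inside the /24, suppressed by by_dst
    {"gen_id": 1, "sig_id": 2210045, "src_ip": "192.0.2.5", "dst_ip": "143.127.136.10"},
    # Symantec range -> LAN: only the source is inside the /24, NOT suppressed by by_dst
    {"gen_id": 1, "sig_id": 2210045, "src_ip": "143.127.136.10", "dst_ip": "192.0.2.5"},
    # different SID: never matched by this rule
    {"gen_id": 1, "sig_id": 2210046, "src_ip": "192.0.2.5", "dst_ip": "143.127.136.10"},
]


def evaluate(rules_text, alerts):
    """Map each alert to whether the given suppress rules would silence it."""
    rules = parse_suppress(rules_text)
    return [is_suppressed(a, rules) for a in alerts]


if __name__ == "__main__":
    for alert, hit in zip(SAMPLE_ALERTS, evaluate(POST_RULE, SAMPLE_ALERTS)):
        print(f"{alert['src_ip']:>16} -> {alert['dst_ip']:<16} "
              f"sid {alert['sig_id']}: {'suppressed' if hit else 'ALERT'}")
```

Running the script with the thread's rule shows the second alert (traffic arriving from the /24) still firing; checking the same alerts against a `track by_either` copy of the rule, or adding a second `track by_src` line, is the quickest way to confirm which side of the connection the noisy alerts are on before reloading Suricata.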