I got Suricata installed and operating.  I found, oddly, that the 
highest volume of packet errors alerted was to/from Symantec IPs.  I added that 
subnet as "trusted" but apparently that doesn't take effect unless automatic 
blocking is also enabled.  I have not had much luck having it actually suppress 
the alerts though...  I edited the Suppress rules to use a subnet, which seems 
to be allowed, like so:

#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24

...and then disabled and re-enabled Suricata on the WAN interface.  However, 
IPs from within that /24 still show in the Alerts tab?

--

Steve Yates
ITS, Inc.


_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
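
Added illustration (not part of the message above or of pfSense/Suricata): a small checker that parses suppress lines in Suricata's threshold.config syntax and decides whether a given alert would be suppressed. It makes one point visible: `track by_dst` only matches alerts whose destination is inside the subnet, so alerts where a 143.127.136.0/24 host is the source need a `by_src` (or `by_either`) line as well. The sample lines and addresses are constructed.

```python
import ipaddress
import re

# threshold.config syntax (Suricata):
#   suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|cidr>
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
    r"\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+)\s*$"
)

# Constructed samples: the line from the message, and a companion for the other direction.
SAMPLE_BY_DST = [
    "#SURICATA STREAM Packet with invalid ack",
    "suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24",
]
SAMPLE_BY_SRC = [
    "suppress gen_id 1, sig_id 2210045, track by_src, ip 143.127.136.0/24",
]


def parse_suppress(lines):
    """Return a list of (gid, sid, track, network); comments and blanks are skipped."""
    rules = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unsupported suppress line: {line}")
        gid, sid, track, net = m.groups()
        rules.append((int(gid), int(sid), track, ipaddress.ip_network(net, strict=False)))
    return rules


def is_suppressed(rules, gid, sid, src, dst):
    """True if any rule for (gid, sid) covers the alert's tracked address."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        # by_dst looks only at the destination, by_src only at the source,
        # by_either at both; this is why a one-direction rule leaves alerts behind.
        candidates = {"by_src": [src_ip], "by_dst": [dst_ip], "by_either": [src_ip, dst_ip]}[track]
        if any(ip in net for ip in candidates):
            return True
    return False


if __name__ == "__main__":
    rules = parse_suppress(SAMPLE_BY_DST)
    print("to Symantec suppressed:", is_suppressed(rules, 1, 2210045, "203.0.113.5", "143.127.136.10"))
    print("from Symantec suppressed:", is_suppressed(rules, 1, 2210045, "143.127.136.10", "203.0.113.5"))
```

With only the `by_dst` line loaded, the second check prints False; adding the `by_src` line (or using `by_either`) makes both directions suppressed.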
