Topic: About the New Block-on-Drops Only Option in Suricata 4.0.0

bmeeks
About the New Block-on-Drops Only Option in Suricata 4.0.0
« on: August 17, 2017, 07:33:28 am »
Version 4.0.0 of the Suricata package contains a new option on the INTERFACE SETTINGS tab in the section where blocking is configured.  The new option is called Block Drops Only.  It applies only to Legacy Blocking Mode operation.  If you use the Inline IPS mode for blocking, then this new option is not used and is in fact hidden by the GUI code when Inline IPS mode is enabled.

The new option allows Legacy Blocking Mode users the same flexibility with rule actions as Inline IPS Mode users enjoy.  That would be the ability to use the SID MGMT tab options to turn individual rules (or entire rule categories) from ALERT to DROP action.  So now with the new option enabled, rules that have the ALERT action keyword (the first word of the rule signature text) will only generate alerts in the log on the ALERTS tab but no blocks.  Only rules with the DROP action keyword will generate blocks that show up on the BLOCKS tab.  You have to specifically enable this behavior by checking the box to enable this new option on the INTERFACE SETTINGS tab.  Then you will need to restart Suricata for the change to take effect.  If you leave this new option unchecked, which is the default, then Legacy Mode operation continues to function as it always has whereby every rule firing will generate a block (assuming the IP address of the offender is not in a Pass List configured on the interface).

Bill
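The decision the post describes (every rule firing blocks in plain Legacy Mode; with Block Drops Only checked, only DROP-action rules block, while ALERT-action rules only land on the ALERTS tab; Pass List addresses are never blocked in either case) is modelled below. This is an added example, not the pfSense Suricata package's own PHP code: it assumes a simplified event shape (rule action keyword plus source and destination address), represents the snort2c packet filter table that the BLOCKS tab displays as a plain Python set, and takes the Pass List as a list of CIDR strings.

```python
"""Added example (not the pfSense Suricata package's own PHP code): a model
of Legacy Blocking Mode with and without the Block Drops Only option.

Assumptions: an event carries the rule's action keyword ("alert" or "drop")
plus source and destination addresses; the snort2c pf table, which the
BLOCKS tab displays, is modelled as a set of address strings; the Pass List
is a list of CIDR strings.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    """One rule hit, in a constructed shape (not Suricata's EVE format)."""
    sid: int
    action: str   # first keyword of the rule signature: "alert" or "drop"
    src: str
    dst: str
    msg: str


@dataclass
class LegacyBlocker:
    pass_list: list[str] = field(default_factory=list)
    block_drops_only: bool = False                      # GUI default: unchecked
    alerts: list[Event] = field(default_factory=list)   # what the ALERTS tab lists
    snort2c: set[str] = field(default_factory=set)      # what the BLOCKS tab lists

    def _in_pass_list(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(net, strict=False) for net in self.pass_list)

    def handle(self, event: Event, offender_is_src: bool = True) -> bool:
        """Log the event on the ALERTS tab; return True if an address was blocked."""
        self.alerts.append(event)
        # Block Drops Only: ALERT-action rules log but never block.
        if self.block_drops_only and event.action.lower() != "drop":
            return False
        offender = event.src if offender_is_src else event.dst
        # Pass List addresses are never inserted into snort2c, in either mode.
        if self._in_pass_list(offender):
            return False
        self.snort2c.add(offender)
        return True


# Constructed sample traffic; addresses come from documentation ranges.
SAMPLE_EVENTS = [
    Event(1000001, "alert", "203.0.113.10", "192.0.2.1", "informational hit"),
    Event(1000002, "drop",  "198.51.100.7", "192.0.2.1", "known-bad client"),
    Event(1000003, "drop",  "192.168.1.5",  "192.0.2.1", "LAN host on pass list"),
]


def run_scenario(block_drops_only: bool) -> tuple[int, set[str]]:
    """Feed the sample events through one configuration.

    Returns (number of ALERTS tab entries, contents of the snort2c table).
    """
    blocker = LegacyBlocker(pass_list=["192.168.1.0/24"],
                            block_drops_only=block_drops_only)
    for ev in SAMPLE_EVENTS:
        blocker.handle(ev)
    return len(blocker.alerts), set(blocker.snort2c)


if __name__ == "__main__":
    for flag in (False, True):
        n_alerts, blocked = run_scenario(flag)
        print(f"Block Drops Only={flag}: {n_alerts} alerts, blocked={sorted(blocked)}")
```

Running it shows the same three ALERTS entries in both configurations; the difference is only in what reaches snort2c: two addresses with the option off, one (the DROP rule's offender) with it on, and the pass-listed LAN host in neither.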

dcol
Re: About the New Block-on-Drops Only Option in Suricata 4.0.0
« Reply #1 on: October 26, 2017, 05:12:11 pm »
I am a bit unclear about this option in Legacy Mode.
So if Block Drops Only is enabled, the only rules/categories that are blocked are ones specified in the dropsid.conf file. Correct?
Will the drops only appear in the alerts in red like in inline mode, or will they be in the block tab?
« Last Edit: October 26, 2017, 05:30:17 pm by dcol »
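Both the opening post (SID MGMT turning individual rules or whole categories from ALERT to DROP) and the question above (a dropsid.conf file naming the rules that are allowed to block) come down to rewriting the first keyword of selected rule signatures. The following is an added example, not the pfSense package's own code: it assumes a simplified dropsid.conf-style list (one `gid:sid` entry or one category name per line, `#` starting a comment), which is an assumption about the format rather than the package's exact syntax, and the rule lines are constructed samples.

```python
"""Added example (not the pfSense Suricata package's own code): rewrite the
action keyword of selected rules from ALERT to DROP, which is what the
SID MGMT drop list is described as doing.

Assumed dropsid.conf-style format (an assumption, not the package's exact
syntax): one entry per line, either "gid:sid" for a single rule or a rule
category name (the rules file name without .rules); "#" starts a comment.
"""
from __future__ import annotations

import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ID_LINE_RE = re.compile(r"(\d+):(\d+)")


def parse_dropsid(conf: str) -> tuple[set[tuple[int, int]], set[str]]:
    """Split a drop list into (gid, sid) pairs and category names."""
    ids: set[tuple[int, int]] = set()
    categories: set[str] = set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ID_LINE_RE.fullmatch(line)
        if m:
            ids.add((int(m.group(1)), int(m.group(2))))
        else:
            categories.add(line)
    return ids, categories


def rule_id(rule: str) -> tuple[int, int] | None:
    """Extract (gid, sid) from a rule; gid defaults to 1 as in Suricata."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_dropsid(rules: list[tuple[str, str]], conf: str) -> list[str]:
    """Return the rules with matching ALERT actions rewritten to DROP.

    rules: (category, rule_text) pairs.  Disabled (commented-out) rules are
    left alone, and a rule whose action is not "alert" is left unchanged.
    """
    ids, categories = parse_dropsid(conf)
    out: list[str] = []
    for category, rule in rules:
        text = rule.strip()
        if not text or text.startswith("#"):
            out.append(rule)          # disabled rule: never promoted to drop
            continue
        selected = category in categories or rule_id(text) in ids
        if selected:
            text = re.sub(r"^alert\b", "drop", text, count=1)
        out.append(text)
    return out


def count_actions(rules: list[str]) -> dict[str, int]:
    """Tally active rules by their first keyword (drop vs alert)."""
    counts: dict[str, int] = {}
    for rule in rules:
        text = rule.strip()
        if not text or text.startswith("#"):
            continue
        action = text.split(None, 1)[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample rules in two categories; SIDs are in the local range.
SAMPLE_RULES = [
    ("emerging-scan", 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh probe"; sid:1000010; rev:1;)'),
    ("emerging-dos",  'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DOS dns flood"; sid:1000001; rev:1;)'),
    ("emerging-dos",  'alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"DOS ntp amp"; sid:1000002; rev:1;)'),
    ("emerging-dos",  '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DOS disabled"; sid:1000003; rev:1;)'),
]

SAMPLE_DROPSID = """\
# whole category
emerging-scan
# one rule by gid:sid
1:1000001
"""

if __name__ == "__main__":
    rewritten = apply_dropsid(SAMPLE_RULES, SAMPLE_DROPSID)
    for line in rewritten:
        print(line)
    print(count_actions(rewritten))
```

With the sample list, the whole emerging-scan category and the single emerging-dos rule 1:1000001 become DROP rules; the other active emerging-dos rule stays ALERT and the commented-out rule is untouched. Under Block Drops Only, only the two DROP rules would ever add an address to snort2c.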

dcol
Re: About the New Block-on-Drops Only Option in Suricata 4.0.0
« Reply #2 on: November 02, 2017, 09:41:52 am »
So it appears that when you select Block Drops Only the blocks do appear in red in alerts, but they also appear in the block list. So the results are not just like Inline where nothing appears in the block list.

bmeeks
Re: About the New Block-on-Drops Only Option in Suricata 4.0.0
« Reply #3 on: November 04, 2017, 08:39:47 am »
Quote from: dcol on November 02, 2017, 09:41:52 am
So it appears that when you select Block Drops Only the blocks do appear in red in alerts, but they also appear in the block list. So the results are not just like Inline where nothing appears in the block list.

This is because Inline IPS Mode operates fundamentally differently from Legacy Mode.  Go read this thread for details:  https://forum.pfsense.org/index.php?topic=135331.0.  The BLOCKS tab GUI code simply displays the contents of the snort2c packet filter firewall table.  When using Inline IPS Mode, that table is not used, so there is nothing for the GUI code to read and display.

Bill