Core 131 Suricata status page?

General questions.
Davidvt
Posts: 15
Joined: April 22nd, 2012, 12:41 am

Core 131 Suricata status page?

Post by Davidvt » May 18th, 2019, 12:59 am

Hello
Looking at videos of other Suricata installs I saw a nice page with controls and stats. Is that somewhere in our new Core 131?

If not, where should I see a list of blocked IPs to verify that Suricata is doing its thing?

The old system had a long list of blocked IPs on the guardian page before I switched to 131.

Thank you and keep up the great work!

Arne.F
Core Developer
Posts: 8182
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH
Contact:

Re: Core 131 Suricata status page?

Post by Arne.F » May 18th, 2019, 9:24 am

Suricata is not blocking by IP addresses. If traffic matches a rule, it will be blocked.

If Suricata has blocked something, you can see it in the log section 'IPS-Log'.

There is only a whitelist (IPs that should not be blocked even if they match a rule).
Arne

Support the project on the donation!
PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
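As an added illustration of the point above (not code from IPFire or from this thread): the IPS-Log view is fed by Suricata's own fast.log, and in that format a line for a dropped packet carries a "[Drop]" marker, while a monitor-only match is just an alert. The small parser below, written for this post, reads constructed fast.log lines and counts rule matches per source IP, separating blocked traffic from alert-only traffic, which is the quickest way to confirm whether Suricata is actually dropping anything. Rule SIDs, addresses and messages in the sample are made up.

```python
import re
from collections import Counter

# Pattern for one Suricata fast.log line. In IPS mode a dropped packet is
# logged with a "[Drop]" marker between the timestamp and the "[**]"
# separator; in monitor-only (IDS) mode the marker is absent.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>Drop|wDrop)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample lines: RFC 5737 documentation addresses and local
# rule SIDs (1000000+). Not taken from any real system.
SAMPLE_FAST_LOG = """\
05/18/2019-09:24:01.000001  [Drop] [**] [1:1000001:1] LOCAL TEST inbound scan pattern [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54321 -> 192.0.2.10:22
05/18/2019-09:24:02.000002  [**] [1:1000002:1] LOCAL TEST outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.0.2.10:40000 -> 198.51.100.5:53
05/18/2019-09:24:03.000003  [Drop] [**] [1:1000001:1] LOCAL TEST inbound scan pattern [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54322 -> 192.0.2.10:23
not a fast.log line at all
"""


def parse_fast_log_line(line):
    """Return the fields of one fast.log line as a dict, or None if it does not parse."""
    m = FAST_LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_by_source(lines):
    """Count rule matches per source IP, split into dropped and alert-only.

    A source that appears only under "alert_only" matched rules but was never
    blocked, which is exactly what a monitor-only deployment looks like.
    """
    dropped, alert_only = Counter(), Counter()
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None:
            continue  # unrelated or truncated line
        bucket = dropped if rec["action"] == "Drop" else alert_only
        bucket[rec["src"]] += 1
    return {"dropped": dict(dropped), "alert_only": dict(alert_only)}


if __name__ == "__main__":
    for kind, counts in summarize_by_source(SAMPLE_FAST_LOG.splitlines()).items():
        for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"{kind:10s} {src:15s} {n}")
```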

Davidvt
Posts: 15
Joined: April 22nd, 2012, 12:41 am

Re: Core 131 Suricata status page?

Post by Davidvt » May 18th, 2019, 10:42 am

Thank you for the education.

dnl
Posts: 341
Joined: June 28th, 2013, 11:03 am

Re: Core 131 Suricata status page?

Post by dnl » May 18th, 2019, 11:58 am

Arne.F wrote (May 18th, 2019, 9:24 am):
Suricata is not blocking by IP addresses. If traffic matches a rule, it will be blocked.
In my opinion, that means that a major advantage of the IPS has been lost.

I want to block suspicious internet IPs (RED interface) which trigger rules. For example if a port scan rule is triggered, I don't want the IP which did the scan to be able to open connections for 24 hours - nor for systems on my network to contact it for that time.

Is this a limitation of Suricata or due to the way it is implemented in IPFire?

Davidvt
Posts: 15
Joined: April 22nd, 2012, 12:41 am

Re: Core 131 Suricata status page?

Post by Davidvt » May 18th, 2019, 2:27 pm

I am still looking for signs of active life with the new IPS...
This is a firewall graph. The spike seems to be at about the time I turned 'off' monitor only in the Suricata settings.
Do you believe that is Suricata doing its work, or just a coincidence?
(attachment: 6E2958C2-A169-4666-9226-783644D7E6B8.jpeg)
Thank you

dnl
Posts: 341
Joined: June 28th, 2013, 11:03 am

Re: Core 131 Suricata status page?

Post by dnl » May 19th, 2019, 5:36 am

Davidvt, I suspect that's a coincidence. Have you had a chance to look later and see if the pattern repeats?

Arne,
Could you please respond to my previous post when you're able?
I didn't realise the change to Suricata would have such a dramatic impact. (I imagine it's switching away from guardian which has changed things).
The wiki documentation doesn't detail this change.
