Hello,
Suricata keeps blocking Microsoft Updates and Activation servers and driving me insane - i have a big list of subnets from Microsoft to add to the passlist but i cant seem to find how to import it anywhere.
https://www.microsoft.com/en-us/download/details.aspx?id=53602
Any help would be great on this.
Kind Regards,
Chris
Chris:
IP passlists are a custom feature available only within the pfSense Suricata package. You will do better to ask any questions about Suricata on pfSense at the Netgate forum here: IDS/IPS | Netgate Forum.
To answer your question, you create a Pass List using the PASS LIST tab in the GUI, then you must assign that Pass List to the desired interface by editing that Suricata interface, finding the Pass List drop-down selector and choosing the Pass List you created. Save the change on that page, then restart Suricata on the interface so that the running daemon will see the new assignment.
You can’t import Pass Lists. You must create them within the pfSense GUI. There is no method for importing a CSV such as the one you linked. You would need to type in the IP addresses or netblocks manually (or paste them in) putting one IP address or netblock on each individual line (no commas and no multiple entries on a single line).
Note that Pass Lists are only applicable to the custom Legacy Blocking Mode available only on pfSense. There are many Suricata customizations used in the pfSense package, that’s why it is not appropriate to ask about pfSense Suricata features on this forum. The users here will have no idea what you are talking about.
P.S. - I am the package creator/maintainer for Suricata on pfSense.