I’m still learning about Suricata 5.0.2 running on pfSense 2.4.5. I’m still trying to get it to actually block reasonably. Stuff is appearing on the Blocks tab and I have “Block On DROP Only” set, but I never get any actual DROPs, despite having Alerts and Blocks which should be blocked. I have both my LAN and WAN interfaces enabled and in legacy mode. There are no rules being added to the firewall to actually cause those blocks to do anything. Anyone know what I’m missing to enable blocking?
Is there some way to get finer control on lifetime of blocks?
I’m looking for a way to long-term block clearly malicious attack attempts. Blocking a scanner that goes too far for a few hours is fine, but only blocking an active attacker attempting to use exploits for a few hours isn’t reasonable. That means an attacker can retry many times a day. I’m looking for expiry in the months-to-never range on serious attacks.
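A check for the situation described in the first post, added here as an example and not part of the original thread or of the pfSense Suricata package: it parses a Suricata rules file to separate SIDs whose action is `alert` (they only log, so they can never satisfy a DROP-only blocking setting) from those whose action is `drop`, and it counts eve.json alert records by the `action` Suricata recorded (`allowed` versus `blocked`). The rule lines, eve.json lines and SIDs are constructed samples, not taken from the thread.

```python
import json
import re

# Constructed sample rules (placeholder SIDs): two "alert" rules and one "drop" rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; sid:9000001; rev:1;)
# commented-out rules are ignored by Suricata and by this parser
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web exploit attempt"; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS probe"; sid:9000003; rev:1;)
"""

# Constructed eve.json lines. Suricata records "allowed" for alert-action rules
# and "blocked" for drop-action rules in the alert.action field.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"198.51.100.7","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE SSH scan"}}
{"event_type":"alert","src_ip":"198.51.100.7","alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE web exploit attempt"}}
{"event_type":"flow","src_ip":"198.51.100.9"}
"""

# Rule line: <action> <proto> <src> <sport> -> <dst> <dport> (options incl. sid:N;)
RULE_RE = re.compile(
    r"^\s*(rejectsrc|rejectdst|rejectboth|reject|alert|drop|pass)\s+\S+.*?sid:\s*(\d+);"
)

def rule_actions(rules_text):
    """Map each SID to its rule action; blank and commented lines are skipped."""
    actions = {}
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            actions[int(m.group(2))] = m.group(1)
    return actions

def sids_that_only_alert(rules_text):
    """SIDs that log but never DROP, so they cannot block under a DROP-only setting."""
    return sorted(sid for sid, act in rule_actions(rules_text).items() if act == "alert")

def alert_actions(eve_text):
    """Count eve.json alert records by the action Suricata recorded."""
    counts = {"allowed": 0, "blocked": 0}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        action = rec["alert"]["action"]
        counts[action] = counts.get(action, 0) + 1
    return counts

if __name__ == "__main__":
    print("alert-only SIDs:", sids_that_only_alert(SAMPLE_RULES))
    print("eve.json alert actions:", alert_actions(SAMPLE_EVE))
```

Point the two functions at a real rules file and eve.json to see whether any of the rules that fired carry a `drop` action at all.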