Suricata IPS in Inline Mode and Fail2ban Integration

Yes, that is the approach I would look at. Note that if you do go with a rule per block, you still don’t need to restart Suricata; you can just trigger a reload. But it’s probably not something you would want to do in an automated fashion, as it’s quite intensive compared to dynamically updating a dataset.

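The dataset approach from the reply above, sketched as a fail2ban ban/unban helper (an added example, not part of the original thread). The dataset name `f2b-banned`, the `ip` dataset type, the rule in the comment and the dry-run default are assumptions; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: update a Suricata dataset over the unix socket instead of
# writing one rule per banned IP and reloading the ruleset.
# Assumed rule loaded once in the inline (IPS) ruleset (sid is constructed):
#   drop ip any any -> any any (msg:"fail2ban ban"; ip.src; \
#     dataset:isset,f2b-banned,type ip; sid:1000001; rev:1;)
DATASET="${DATASET:-f2b-banned}"   # assumed dataset name
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the command, 0 = run suricatasc

# Accept only a dotted-quad IPv4 address with octets 0-255, so a value taken
# from a log line can never add extra words to the socket command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dataset_cmd add|remove <ip>: print the socket command, or fail on bad input.
dataset_cmd() {
    case "$1" in add|remove) ;; *) return 2 ;; esac
    valid_ipv4 "$2" || return 1
    printf 'dataset-%s %s ip %s\n' "$1" "$DATASET" "$2"
}

# Entry point for fail2ban's actionban (add) and actionunban (remove).
f2b_dataset() {
    cmd=$(dataset_cmd "$1" "$2") || { echo "rejected: $2" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "suricatasc -c \"$cmd\""
    else
        suricatasc -c "$cmd"
    fi
}

# Run as: script add 203.0.113.7   (address is a constructed sample)
if [ "$#" -ge 2 ]; then f2b_dataset "$1" "$2"; fi
```

Entries added over the socket take effect without a rule reload; whether they survive a Suricata restart depends on the dataset's `save`/`state` configuration.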