Hi all,
I'm new to Suricata (ver. 7.0.8) running on pfSense (ver. 2.7.2). My question is: is it possible to configure Suricata IDPS (Legacy or Inline) to block all traffic, but allow the traffic listed in the SID allow list via SID Management? I understand that IPS in legacy mode won't really drop packets directly like inline IPS.
In my situation which is better option Legacy or Inline?
Also, is there a solution which can collect blocked or suspicious traffic from a few Suricata instances into a central console, perhaps via syslog?
Thank you in advance.