After wrestling with ET Telemetry Pro on OPNsense (and losing), I removed it and moved to ET Open. I turned a few on, like dshield, drop, and compromised.
What I noticed was that all of these come with rules that say ‘alert’, and not ‘block’. That surprised me. Why is that and how do I make Suricata block them?
I am using Suricata on OPNsense 22
You can make Suricata block them by changing “alert” to “drop” in the rules.
It was set to alert by default since most of them do not require a block, for example “ET Info” alerts are informational and does not indicate malicious activity.
So it is up to the user to decide what to block.
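The mechanics of the answer above, as an added example that is not part of either post and not OPNsense or Emerging Threats code: a Suricata rule line starts with its action keyword (`alert`, `drop`, `pass`, `reject`), so promoting a category to blocking means rewriting that first word for the rules you have chosen. The script below does this for rules selected by message prefix (e.g. everything starting with "ET DROP") or by explicit SID, and deliberately leaves disabled (`#`-commented) rules, already-non-alert rules and informational rules untouched. The rule text and SIDs are constructed samples, not real ET Open rules.

```python
import re

# Constructed sample rules (not real ET Open content); SIDs and addresses are placeholders.
SAMPLE_RULES = """\
# ET DROP rules (constructed sample)
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11] any (msg:"ET DROP Spamhaus DROP Listed Traffic Outbound group 1"; classtype:misc-attack; sid:9000002; rev:1;)
#alert ip 198.51.100.5 any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; classtype:misc-attack; sid:9000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Outbound HTTP User-Agent curl"; classtype:policy-violation; sid:9000004; rev:1;)
"""

# A rule line: optional leading '#' (disabled rule), the action keyword, then the rest.
RULE_RE = re.compile(r'^(?P<prefix>#?\s*)(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def promote_to_drop(rule_text, msg_prefixes=(), sids=()):
    """Return (rewritten_text, changed_sids).

    Rules whose msg starts with one of msg_prefixes, or whose sid is in sids,
    are changed from 'alert' to 'drop'. Disabled (commented) rules, rules that
    already carry a non-alert action, and non-matching rules are left as-is.
    """
    out = []
    changed = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        # Not a rule line, a disabled rule, or already drop/pass/reject: keep verbatim.
        if not m or m.group('prefix').strip() == '#' or m.group('action') != 'alert':
            out.append(line)
            continue
        rest = m.group('rest')
        sid_m = SID_RE.search(rest)
        msg_m = MSG_RE.search(rest)
        sid = int(sid_m.group(1)) if sid_m else None
        msg = msg_m.group(1) if msg_m else ''
        if sid in sids or any(msg.startswith(p) for p in msg_prefixes):
            out.append(m.group('prefix') + 'drop ' + rest)
            changed.append(sid)
        else:
            out.append(line)
    return '\n'.join(out) + '\n', changed


def action_counts(rule_text):
    """Count enabled rules per action, so the effect of a rewrite can be checked."""
    counts = {}
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group('prefix').strip() == '#':
            continue
        counts[m.group('action')] = counts.get(m.group('action'), 0) + 1
    return counts


if __name__ == '__main__':
    print('before:', action_counts(SAMPLE_RULES))
    rewritten, changed = promote_to_drop(SAMPLE_RULES, msg_prefixes=('ET DROP',))
    print('after: ', action_counts(rewritten), 'changed sids:', changed)
    print(rewritten)
```

Two caveats when applying this for real: `drop` only blocks when Suricata runs inline (IPS mode); in plain IDS mode a `drop` rule is logged like an alert and nothing is stopped. And on OPNsense the rule files are regenerated from the GUI settings, so hand-edited files are overwritten; the same alert-to-drop selection is made through the Intrusion Detection policy settings rather than by editing the downloaded rule set directly, and the script above illustrates what that selection does to the rule text.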