Feature #8311

closed

Suricata persistent blocks

Added by Jon Shoulders about 6 years ago. Updated about 6 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 02/04/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Please make blocks with Suricata persistent through reboot.

Actions #1

Updated by Bill Meeks about 6 years ago

This is not going to happen as there is no need for all the necessary overhead persisting blocks would require. If Suricata blocks a packet stream once, it will block again should the stream be encountered later (and the same rules are still in force). So what would "persisting" the block accomplish? Suricata is still going to be examining all the traffic anyway. Suricata's engine is positioned before the firewall rules engine, so Suricata sees and examines everything including traffic the firewall will block.

I have addressed this several times on the pfSense sub-forum dedicated to IDS/IPS packages.

Bill

Actions #2

Updated by Jim Pingle about 6 years ago

  • Status changed from New to Rejected

Agreed, Bill. It's not worth the trouble to make them persist.
