Feature #8311
closed
This is not going to happen as there is no need for all the necessary overhead persisting blocks would require. If Suricata blocks a packet stream once, it will block again should the stream be encountered later (and the same rules are still in force). So what would "persisting" the block accomplish? Suricata is still going to be examining all the traffic anyway. Suricata's engine is positioned before the firewall rules engine, so Suricata sees and examines everything including traffic the firewall will block.
I have addressed this several times on the pfSense sub-forum dedicated to IDS/IPS packages.
Bill
- Status changed from New to Rejected
Agreed, Bill. It's not worth the trouble to make them persist.