Hello

I would like some help with this:

How do I increase the lock time on the Intrusion Prevention screen? I wish it could be longer, several hours.

Thank you
Thursday, July 04 2013, 12:39 PM
Responses (4)
  • douggmc
    Wednesday, September 04 2013, 06:12 PM
    Thanks Peter for pointing me in the right direction. I read the request tracker entry and I also utilized the "Wish List" functionality to add a couple of "wishes".

    If anybody else wants to chime in, vote up (or down), or add recommendations, a better idea, etc.:

    Add a "Black List" to Intrusion Prevention:
    http://www.clearfoundation.com/Wishlist/comment/912-Intrusion-Prevention-quotBlack-Listquot.html

    Add ability to adjust default IPS rule "block length" (globally):
    http://www.clearfoundation.com/Wishlist/comment/913-Intrusion-Prevention-configurable-block-time.html

    ... and I'll do some reading on Suricata. Sounds interesting from quick Google.
  • Wednesday, September 04 2013, 05:55 PM
    - There's a related request in the tracker @ http://tracker.clearfoundation.com/view.php?id=609

    - You can add feature requests via the "Wish List" system @ http://www.clearfoundation.com/Wishlist/ClearFoundation.html

    Personally, I think a complete revamp using Suricata would be best -- that idea was thrown around for the ClearOS 7 roadmap!
  • douggmc
    Wednesday, September 04 2013, 02:11 PM
    Peter Baldwin wrote:
    Unfortunately, the lockout time parameter is embedded in the individual intrusion detection rules. Here's an example, one of the rules in /etc/snort.d/rules/gpl/exploit.rules looks like:

    alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5; fwsam: src, 86400 seconds;)

    The fwsam option at the end, "fwsam: src, 86400 seconds;", is where the lockout time is set. If you are running the ClearCenter Intrusion Protection list, there are nearly 1,000 entries like this (out of a total of 13,500+ intrusion detection rules)!


    I came searching on this same question ... already basically seeing what you wrote ahead of time Peter (i.e., that the 86400 was on each individual rule).

    It would be a nice feature to "parameterize" with a setting in the webgui for at least the paid IDS/IPS subscribers ... or even if not in the webgui via .conf file or something.

    Alternatively, via the webgui give the user the option to add the IP to a permanent "black" list (i.e., the converse of the whitelist ... that would permanently block the IP until/unless otherwise removed)?

    Is this achievable? Can I submit this feature request? If so, how?
  • Thursday, July 04 2013, 03:25 PM
    Unfortunately, the lockout time parameter is embedded in the individual intrusion detection rules. Here's an example, one of the rules in /etc/snort.d/rules/gpl/exploit.rules looks like:

    alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5; fwsam: src, 86400 seconds;)

    The fwsam option at the end, "fwsam: src, 86400 seconds;", is where the lockout time is set. If you are running the ClearCenter Intrusion Protection list, there are nearly 1,000 entries like this (out of a total of 13,500+ intrusion detection rules)!
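Since the block time lives inside each rule's fwsam option rather than in one setting, the practical workaround until a global "block length" knob exists is to rewrite that option across the rules tree. The script below is an added example written for this thread; it is not ClearOS, ClearCenter or SnortSam code. It assumes the layout Peter quoted (rule files under /etc/snort.d/rules/<set>/*.rules, one rule per line, an option of the form "fwsam: src, 86400 seconds;") and a rules path, a default of 86400 seconds and a target of 7 days that are all placeholders. The unit names it accepts beyond "seconds" (minutes, hours, days, weeks) follow SnortSam's documented time syntax and are an assumption, since only "seconds" appears on this page; likewise SnortSam's documentation describes a time of 0 as a permanent block, which would give the permanent "black list" douggmc asked for, but check that against the snortsam build you run before relying on it. The script only rewrites rules whose current time equals the old default, so any per-rule value someone set deliberately survives, and it dry-runs by default so you can see the count first. The sample rules embedded in it are constructed for the demonstration.

```python
"""Set one global SnortSam block time across a Snort rules tree.

Added example for this thread; not ClearOS, ClearCenter or SnortSam code.
Assumes rules under a tree like /etc/snort.d/rules/<set>/*.rules, one rule
per line, carrying "fwsam: src, 86400 seconds;" as quoted in the thread.
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# "fwsam: who[how], time;" -- who is src/dst (optionally with a bracketed
# modifier), time is "<number> [unit]". A bare number is taken as seconds.
# Unit names beyond "seconds" are assumed from SnortSam's docs.
FWSAM_RE = re.compile(
    r"fwsam:\s*(?P<who>[a-z]+(?:\[[a-z]+\])?)\s*,\s*"
    r"(?P<num>\d+)\s*(?P<unit>seconds?|secs?|minutes?|mins?|hours?|hrs?|days?|weeks?)?\s*;",
    re.IGNORECASE,
)

UNIT_SECONDS = {
    "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "day": 86400, "days": 86400, "week": 604800, "weeks": 604800,
}


def duration_seconds(num: str, unit: Optional[str]) -> int:
    """Normalise a fwsam time to seconds so '1 day' and '86400 seconds' compare equal."""
    return int(num) * UNIT_SECONDS[(unit or "seconds").lower()]


def rewrite_rule(line: str, old_seconds: int, new_seconds: int) -> Tuple[str, bool]:
    """Return (line, changed).

    Only a rule whose current fwsam time equals old_seconds is rewritten, so a
    per-rule override someone set on purpose is left alone. Commented-out rules
    and rules with no fwsam option pass through untouched.
    """
    if line.lstrip().startswith("#"):
        return line, False
    m = FWSAM_RE.search(line)
    if m is None or duration_seconds(m.group("num"), m.group("unit")) != old_seconds:
        return line, False
    replacement = "fwsam: %s, %d seconds;" % (m.group("who"), new_seconds)
    return line[: m.start()] + replacement + line[m.end():], True


def rewrite_text(text: str, old_seconds: int, new_seconds: int) -> Tuple[str, int, int]:
    """Rewrite one rules file held in memory; returns (new_text, rules_with_fwsam, rules_changed)."""
    out, with_fwsam, changed = [], 0, 0
    for line in text.splitlines(keepends=True):
        if FWSAM_RE.search(line) and not line.lstrip().startswith("#"):
            with_fwsam += 1
        new_line, did = rewrite_rule(line, old_seconds, new_seconds)
        changed += int(did)
        out.append(new_line)
    return "".join(out), with_fwsam, changed


def rewrite_tree(root: Path, old_seconds: int, new_seconds: int, apply: bool) -> Tuple[int, int]:
    """Walk root for *.rules files; returns (rules_with_fwsam, rules_changed).

    With apply=False nothing is written: run that first to see how many rules
    the change would touch. Re-run after a rule-set update, which replaces the files.
    """
    total_fwsam = total_changed = 0
    for path in sorted(root.rglob("*.rules")):
        new_text, n_fwsam, n_changed = rewrite_text(
            path.read_text(errors="replace"), old_seconds, new_seconds)
        total_fwsam += n_fwsam
        total_changed += n_changed
        if apply and n_changed:
            path.write_text(new_text)
    return total_fwsam, total_changed


# Constructed sample shaped like the rule quoted in the thread (not a real rules file).
SAMPLE_RULES = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; '
    'content:"A90|C0 A8 01 01|/bin/sh|00|"; classtype:attempted-admin; sid:319; rev:5; '
    'fwsam: src, 86400 seconds;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed: ssh probe"; sid:9000001; rev:1; '
    'fwsam: src, 1 day;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed: custom block time"; sid:9000002; rev:1; '
    'fwsam: src, 2 hours;)\n'
    '# alert tcp any any -> any any (msg:"constructed: disabled rule"; sid:9000003; rev:1; fwsam: src, 86400 seconds;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed: detect only"; sid:9000004; rev:1;)\n'
)

if __name__ == "__main__":
    # Usage: python fwsam_time.py /etc/snort.d/rules 86400 604800 [--apply]
    if len(sys.argv) < 4:
        new, n_fwsam, n_changed = rewrite_text(SAMPLE_RULES, 86400, 7 * 86400)
        print("sample: %d rules carry fwsam, %d rewritten" % (n_fwsam, n_changed))
        print(new)
    else:
        apply = "--apply" in sys.argv[4:]
        n_fwsam, n_changed = rewrite_tree(Path(sys.argv[1]), int(sys.argv[2]), int(sys.argv[3]), apply)
        print("%d rules carry fwsam, %d %s" % (n_fwsam, n_changed, "rewritten" if apply else "would be rewritten"))
```

Run it without arguments to see the rewrite on the constructed sample; with a path, old and new time it reports counts and only writes when --apply is given. Editing under /etc/snort.d needs root and a Snort restart for the new times to take effect, and because a subscription rule update replaces those files, the script has to be re-run after each update (which is exactly why a real global setting, as requested in the wish list above, would be preferable).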