[Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Joost Ringoot joost.ringoot at meteo.be
Fri Jun 21 08:30:31 EDT 2019

Hello Dorian 

Thank you for replying 

The main point is: snort does, by default not block what it detects. 

If an attack is detected, I would like the source to be blocked immediately, by converting the detected attack into a rule that blocks the attacking vector/host. 
If you have another method to convert a snort alert directly in a network block via netfilter or a kernelhook or something else, I would like to hear it from you. 

Best Regards, 


BTW: firewalld the current standard firewall for Linux still has iptables under the hood. 
BBTW: meanwhile I found something that may be promising: [ https://doc.emergingthreats.net/bin/view/Main/SnortSam | https://doc.emergingthreats.net/bin/view/Main/SnortSam ] 

From: "Dorian ROSSE" <dorianbrice at hotmail.fr> 
To: "Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users" <snort-users at lists.snort.org> 
Sent: Friday, 21 June, 2019 13:52:07 
Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban does) 


Iptables is too much older, 

Iptables is too much insecure, 

It is the how I don’t use iptabLE finaly I can’t use IPFW modules on snort !!! 


Dorian ROSSE. 

Provenance : [ https://go.microsoft.com/fwlink/?LinkId=550986 |  Courrier ] pour Windows 10 

De : Snort-users <snort-users-bounces at lists.snort.org> de la part de Joost Ringoot <joost.ringoot at meteo.be> 
Envoyé : Friday, June 21, 2019 12:14:39 PM 
À : snort-users 
Objet : [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does) 

Does anyone of you have experience in converting snort alerts into iptables rules, ... like fail2ban does? 

Did it work? 

If you think it is unfeasible or a bad idea, please explain. 



System Administrator 
Koninklijk Meteorologisch Instituut 
Institut Royal Météorologique 
Ringlaan 3 Avenue Circulaire 
1180 Brussel | Bruxelles 
+32 (0)2 373 06 75 
after office hours: 
+32 (0)2 373 06 83 
[ https://www.meteo.be/ | www.meteo.be ] 
[ https://www.facebook.com/kmi.be/ ] [ https://www.facebook.com/www.meteo.be/ ] 

Pensez à l'environnement, n'imprimez ce mail que si nécessaire 
Denk aan het milieu, print deze mail niet af tenzij echt nodig 
[ http://ec.europa.eu/environment/emas/register/search/registration.do?registrationId=582580 ] 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190621/a0f2715b/attachment.html>

More information about the Snort-users mailing list