[Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Dorian ROSSE dorianbrice at hotmail.fr
Fri Jun 21 08:35:31 EDT 2019


I think you don’t know where I want to drive yourself,

A lot of Linux programs are hijacked by Perl programs,

If you can’t use iptables with Snort, it is a Perl patch,

If you want, I will search how to use Snort with iptables, but don’t forget that the laser IP firewall is UFW!

Regards.


Dorian ROSSE.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Joost Ringoot <joost.ringoot at meteo.be>
Sent: Friday, June 21, 2019 2:30:31 PM
To: Dorian ROSSE
Cc: snort-users
Subject: Re: howto convert snort alerts in to iptables rules? (like fail2ban does)

Hello Dorian

Thank you for replying

The main point is: Snort does, by default, not block what it detects.

If an attack is detected, I would like the source to be blocked immediately, by converting the detected attack into a rule that blocks the attacking vector/host.
If you have another method to convert a Snort alert directly into a network block via netfilter or a kernel hook or something else, I would like to hear it from you.


Best Regards,

Joost

BTW: firewalld, the current standard firewall for Linux, still has iptables under the hood.
BBTW: meanwhile I found something that may be promising: https://doc.emergingthreats.net/bin/view/Main/SnortSam

________________________________
From: "Dorian ROSSE" <dorianbrice at hotmail.fr>
To: "Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users" <snort-users at lists.snort.org>
Sent: Friday, 21 June, 2019 13:52:07
Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban does)
Iptables is too old,

Iptables is too insecure,

It is how I don’t use iptables; finally I can’t use IPFW modules on Snort!!!

Regards.


Dorian ROSSE.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Joost Ringoot <joost.ringoot at meteo.be>
Sent: Friday, June 21, 2019 12:14:39 PM
To: snort-users
Subject: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Hello,

Do any of you have experience in converting Snort alerts into iptables rules, ... like fail2ban does?

Did it work?

If you think it is unfeasible or a bad idea, please explain.

Thanks,

Joost


________________________________
KMI - IRM
Joost RINGOOT
System Administrator
Koninklijk Meteorologisch Instituut
Institut Royal Météorologique
Ringlaan 3 Avenue Circulaire
1180 Brussel | Bruxelles
+32 (0)2 373 06 75
after office hours: +32 (0)2 373 06 83
www.meteo.be<https://www.meteo.be>
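
The conversion asked about in this thread, sketched as an added example that is not part of any poster's message and not code from Snort, fail2ban or SnortSam: it parses Snort `alert_fast` lines and returns `iptables` argument lists for sources that cross a hit threshold. Assumptions: IPv4 alerts only, constructed sample lines, and the hypothetical names `block_rules`, `max_priority`, `min_hits` and `allowlist`; the allowlist and threshold exist because a single alert, or one with a forged source address, should not be able to lock out your own gateway.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (not taken from the thread).
SAMPLE_ALERTS = """\
06/21-12:14:39.100000  [**] [1:1000001:1] Constructed SSH login flood [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
06/21-12:14:40.200000  [**] [1:1000001:1] Constructed SSH login flood [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.10:22
06/21-12:14:41.300000  [**] [1:1000002:1] Constructed ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.20 -> 192.0.2.10
06/21-12:14:42.400000  [**] [1:1000001:1] Constructed SSH login flood [**] [Priority: 1] {TCP} 192.0.2.1:40000 -> 192.0.2.10:22
06/21-12:14:43.500000  [**] [1:1000001:1] Constructed SSH login flood [**] [Priority: 1] {TCP} 192.0.2.1:40001 -> 192.0.2.10:22
06/21-12:14:44.600000  [**] [1:1000003:1] Constructed web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.99:33000 -> 192.0.2.10:80
"""

# sid, priority and IPv4 source; the port is optional because ICMP alerts have none.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*? \[\*\*\] .*?"
    r"\[Priority: (?P<prio>\d+)\] \{\w+\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
)

def block_rules(alert_text, allowlist, max_priority=2, min_hits=2):
    """Return iptables argv lists for sources seen min_hits times or more.

    Snort priority 1 is the most severe, so alerts with a priority number
    above max_priority are ignored. Sources inside allowlist are never blocked.
    """
    protected = [ipaddress.ip_network(net) for net in allowlist]
    hits = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["prio"]) > max_priority:
            continue
        try:
            src = ipaddress.IPv4Address(m["src"])  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if any(src in net for net in protected):
            continue
        hits[src] += 1
    # argv lists (not shell strings), so log content is never shell-interpreted.
    return [["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"]
            for ip, count in sorted(hits.items()) if count >= min_hits]

if __name__ == "__main__":
    for argv in block_rules(SAMPLE_ALERTS, allowlist=["192.0.2.0/24"]):
        print(" ".join(argv))  # review, then run with subprocess.run(argv) as root
```

Rules inserted this way never expire on their own; fail2ban removes its bans after a configured time, so a production version would need a matching removal step.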
