[Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Al Lewis (allewi) allewi at cisco.com
Fri Jun 21 08:37:04 EDT 2019


“snort does, by default not block what it detects.”?

Have you placed snort inline and set the rules to drop?

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Joost Ringoot <joost.ringoot at meteo.be>
Date: Friday, June 21, 2019 at 8:34 AM
To: Dorian ROSSE <dorianbrice at hotmail.fr>
Cc: snort-users <snort-users at lists.snort.org>
Subject: Re: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Hello Dorian

Thank you for replying

The main point is: snort does, by default, not block what it detects.

If an attack is detected, I would like the source to be blocked immediately, by converting the detected attack into a rule that blocks the attacking vector/host.
If you have another method to convert a snort alert directly into a network block via netfilter, a kernel hook or something else, I would like to hear it from you.

Best Regards,


BTW: firewalld, the current standard firewall for Linux, still has iptables under the hood.
BBTW: meanwhile I found something that may be promising: https://doc.emergingthreats.net/bin/view/Main/SnortSam

From: "Dorian ROSSE" <dorianbrice at hotmail.fr>
To: "Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users" <snort-users at lists.snort.org>
Sent: Friday, 21 June, 2019 13:52:07
Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban does)
Iptables is much too old,

Iptables is much too insecure,

That is how I don't use iptables; finally I can't use IPFW modules on snort!!!


Dorian ROSSE.

Sent from: Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Joost Ringoot <joost.ringoot at meteo.be>
Sent: Friday, June 21, 2019 12:14:39 PM
To: snort-users
Subject: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)


Does any of you have experience converting snort alerts into iptables rules, like fail2ban does?
Did it work?

If you think it is unfeasible or a bad idea, please explain.



KMI-IRM
System Administrator
Koninklijk Meteorologisch Instituut
Institut Royal Météorologique
Ringlaan 3 Avenue Circulaire
1180 Brussel | Bruxelles
+32 (0)2 373 06 75
after office hours:
+32 (0)2 373 06 83
www.meteo.be<https://www.meteo.be>
KMI Facebook page<https://www.facebook.com/kmi.be/> | IRM Facebook page<https://www.facebook.com/www.meteo.be/>
Think of the environment, only print this email if really necessary
EMAS<http://ec.europa.eu/environment/emas/register/search/registration.do?registrationId=582580>
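The thread asks for the fail2ban-style path (turn an alert into a block of the attacking host) as opposed to the inline-drop path Al suggests. The script below is an added example written for this thread; it is not code from SnortSam, fail2ban, Snort or any poster. It assumes Snort 2 `alert_fast` output with IPv4 addresses, and the alert lines, the local SIDs (1000001 and up) and the RFC 5737 documentation addresses in `SAMPLE_ALERTS` are constructed. It parses each alert, keeps only those at or above a priority threshold, skips sources inside an allowlist of your own networks (the check a practitioner wants before auto-blocking, since one false positive against a monitoring host or gateway locks you out), de-duplicates per source, and builds each `iptables -I <chain> -s <ip> -j DROP` command as an argv list rather than a shell string. Only digits from the regex reach the `-m comment` text, so nothing attacker-influenced is interpolated into a shell.

```python
"""Turn Snort alert_fast lines into iptables DROP rules (fail2ban-style).

Added example for this thread; not SnortSam, fail2ban or Snort code.
Assumes Snort 2 'alert_fast' output and IPv4 addresses. Sample alerts
below are constructed (local SIDs, RFC 5737 documentation IPs).
"""
import ipaddress
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Sequence

# One alert_fast line looks like:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]
# Classification and ports are optional (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: one repeated priority-1 hit, one low-priority
# hit, and one priority-1 hit whose source is a host on our own network.
SAMPLE_ALERTS = [
    "06/21-12:14:39.123456  [**] [1:1000001:1] LOCAL constructed ssh probe [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.45:51822 -> 192.0.2.10:22",
    "06/21-12:14:40.000001  [**] [1:1000002:1] LOCAL constructed dns oddity [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] "
    "{UDP} 203.0.113.99:53 -> 192.0.2.10:53",
    "06/21-12:14:41.500000  [**] [1:1000001:1] LOCAL constructed ssh probe [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 203.0.113.45:51823 -> 192.0.2.10:22",
    "06/21-12:14:42.000000  [**] [1:1000003:1] LOCAL constructed icmp sweep [**] "
    "[Priority: 1] {ICMP} 192.0.2.5 -> 192.0.2.10",
]


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the alert's fields, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def should_block(alert: Dict[str, Optional[str]], max_priority: int,
                 allowlist: Sequence[ipaddress.IPv4Network]) -> bool:
    """Priority 1 is the most severe in Snort, so block when prio <= threshold,
    and never block a source inside one of our own networks."""
    if int(alert["prio"]) > max_priority:
        return False
    src = ipaddress.ip_address(alert["src"])
    return not any(src in net for net in allowlist)


def build_rules(lines: Iterable[str], max_priority: int = 1,
                allowlist: Sequence[str] = (), chain: str = "INPUT") -> List[List[str]]:
    """Build one 'iptables -I <chain> -s <src> ... -j DROP' argv per new source."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen = set()
    rules: List[List[str]] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not should_block(alert, max_priority, nets):
            continue
        if alert["src"] in seen:          # one rule per attacking host
            continue
        seen.add(alert["src"])
        tag = f"snort {alert['gid']}:{alert['sid']}"   # digits only, from the regex
        rules.append(["iptables", "-I", chain, "-s", alert["src"],
                      "-m", "comment", "--comment", tag, "-j", "DROP"])
    return rules


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> int:
    """Print (dry run) or execute the rules as argv lists, never via a shell."""
    for cmd in rules:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)   # needs root / CAP_NET_ADMIN
    return len(rules)


if __name__ == "__main__":
    # Dry run over the constructed sample; point build_rules at an open
    # alert_fast file (or a tail of it) for real use.
    apply_rules(build_rules(SAMPLE_ALERTS, max_priority=1,
                            allowlist=["192.0.2.0/24"]))
```

Run with `dry_run=True` first and compare the printed commands against what you expect; for a live setup feed `build_rules()` the lines of the alert file as they arrive and keep the allowlist current. `-I` inserts at the top of the chain so the DROP precedes any accept rules. Unlike fail2ban this script never expires a block, so an attacker who spoofs a source you care about stays blocked until you remove the rule by hand; the `-m comment` tag makes such rules easy to find with `iptables -S`.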
