[Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Dorian ROSSE dorianbrice at hotmail.fr
Fri Jun 21 08:41:00 EDT 2019


If you really want to use iptables, I found it interesting:

https://www.cipherdyne.org/fwsnort/

It explains, through its web rules, how to set the rules for an iptables IPS / IDS with Snort programs.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Ryan Buzzell <rbuzzellcsh at gmail.com>
Sent: Friday, June 21, 2019 2:33:52 PM
To: Dorian ROSSE; Joost Ringoot
Cc: Dorian ROSSE via Snort-users
Subject: Re: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Hello,

What you're looking for is snort IPS or snort in-line mode.
On Jun 21, 2019, 08:30 -0400, Joost Ringoot <joost.ringoot at meteo.be>, wrote:
Hello Dorian

Thank you for replying

The main point is: snort does, by default, not block what it detects.

If an attack is detected, I would like the source to be blocked immediately, by converting the detected attack into a rule that blocks the attacking vector/host.
If you have another method to convert a snort alert directly into a network block via netfilter or a kernel hook or something else, I would like to hear it from you.


Best Regards,

Joost

BTW: firewalld, the current standard firewall for Linux, still has iptables under the hood.
BBTW: meanwhile I found something that may be promising: https://doc.emergingthreats.net/bin/view/Main/SnortSam

________________________________
From: "Dorian ROSSE" <dorianbrice at hotmail.fr>
To: "Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users" <snort-users at lists.snort.org>
Sent: Friday, 21 June, 2019 13:52:07
Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban does)
Iptables is much too old,

Iptables is much too insecure,

That is why I don't use iptables; finally, I can't use IPFW modules on snort !!!

Regards.


Dorian ROSSE.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Joost Ringoot <joost.ringoot at meteo.be>
Sent: Friday, June 21, 2019 12:14:39 PM
To: snort-users
Subject: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Hello,

Do any of you have experience in converting snort alerts into iptables rules, ... like fail2ban does?

Did it work?

If you think it is unfeasible or a bad idea, please explain.

Thanks,

Joost


________________________________
KMI - IRM
Joost RINGOOT
System Administrator
Koninklijk Meteorologisch Instituut
Institut Royal Météorologique
Ringlaan 3 Avenue Circulaire
1180 Brussel | Bruxelles
+32 (0)2 373 06 75
after office hours:
+32 (0)2 373 06 83
www.meteo.be<https://www.meteo.be>
________________________________
Think of the environment, print this mail only if really necessary
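
A fail2ban-style conversion of the kind Joost describes, as an added example that is not from the thread, from Snort, or from any of the tools mentioned: it parses Snort fast-format alert lines and produces iptables DROP rules for the alerting source host, skipping sources on a trusted allowlist and events below a priority threshold so a false positive cannot lock out management hosts. The sample alert lines, their SIDs, the SNORT_BLOCK chain name and the thresholds are constructed assumptions.

```python
import ipaddress
import re
import shlex

# Layout of a Snort "alert_fast" line (IPv4; port optional so ICMP alerts also match):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]
FAST_ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)

# Constructed sample alerts (documentation addresses, local-range SIDs); not real Snort output.
SAMPLE_ALERTS = [
    "06/21-08:30:01.000001  [**] [1:1000001:1] TEST probe from untrusted host [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44444 -> 192.0.2.10:22",
    "06/21-08:30:02.000002  [**] [1:1000002:1] TEST noisy low-priority event [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:5353 -> 192.0.2.10:5353",
    "06/21-08:30:03.000003  [**] [1:1000003:1] TEST alert from management host [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.2:5555 -> 192.0.2.10:22",
    "06/21-08:30:04.000004  [**] [1:1000001:1] TEST probe from untrusted host [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.10",
]

def alerts_to_rules(lines, trusted_nets, max_priority=2, chain="SNORT_BLOCK"):
    """Turn fast-alert lines into iptables DROP rules, one per alerting source host.
    Sources inside trusted_nets are never blocked (a false positive must not lock out
    management hosts); alerts with a priority number above max_priority are ignored
    (Snort: 1 is most severe). `chain` is assumed to exist and be jumped to from INPUT."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    seen, rules = set(), []
    for line in lines:
        m = FAST_ALERT.search(line)
        if not m:
            continue  # not a fast-format alert line (e.g. a Snort startup banner)
        src = ipaddress.ip_address(m["src"])
        if int(m["prio"]) > max_priority or src in seen or any(src in net for net in trusted):
            continue
        seen.add(src)
        rules.append(["iptables", "-I", chain, "-s", str(src), "-j", "DROP",
                      "-m", "comment", "--comment", f"snort sid {m['sid']} rev {m['rev']}"])
    return rules

def to_shell(rules):
    """Render the argv lists as shell lines for review before anything is applied."""
    return [shlex.join(r) for r in rules]

if __name__ == "__main__":
    for cmd in to_shell(alerts_to_rules(SAMPLE_ALERTS, ["10.0.0.0/8", "192.0.2.0/24"])):
        print(cmd)
```

Rules land in a dedicated chain so they can be flushed or expired as a unit, and the output is printed rather than executed so an operator can review it first.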

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave at lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette