[Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)
joost.ringoot at meteo.be
Fri Jun 21 09:31:47 EDT 2019
indeed inline mode, I will rtfm some more now :-)
> From: "Ryan Buzzell" <rbuzzellcsh at gmail.com>
> To: "Dorian ROSSE" <dorianbrice at hotmail.fr>, "Joost Ringoot"
> <joost.ringoot at meteo.be>
> Cc: "snort-users" <snort-users at lists.snort.org>
> Sent: Friday, 21 June, 2019 14:33:52
> Subject: Re: [Snort-users] howto convert snort alerts in to iptables rules?
> (like fail2ban does)
> What you're looking for is snort IPS or snort in-line mode.
> On Jun 21, 2019, 08:30 -0400, Joost Ringoot <joost.ringoot at meteo.be>, wrote:
>> Hello Dorian
>> Thank you for replying
>> The main point is: snort does, by default, not block what it detects.
>> If an attack is detected, I would like the source to be blocked immediately, by
>> converting the detected attack into a rule that blocks the attacking
>> If you have another method to convert a snort alert directly in a network block
>> via netfilter or a kernelhook or something else, I would like to hear it from
>> Best Regards,
>> BTW: firewalld the current standard firewall for Linux still has iptables under
>> the hood.
>> BBTW: meanwhile I found something that may be promising:
>> https://doc.emergingthreats.net/bin/view/Main/SnortSam
>>> From: "Dorian ROSSE" <dorianbrice at hotmail.fr>
>>> To: "Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users"
>>> <snort-users at lists.snort.org>
>>> Sent: Friday, 21 June, 2019 13:52:07
>>> Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban
>>> Iptables is much too old,
>>> Iptables is much too insecure,
>>> It is the how I don't use iptables, finally I can't use IPFW modules on snort !!!
>>> Dorian ROSSE.
>>> Sent from: [ https://go.microsoft.com/fwlink/?LinkId=550986 | Mail ] for
>>> Windows 10
>>> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Joost
>>> Ringoot <joost.ringoot at meteo.be>
>>> Sent: Friday, June 21, 2019 12:14:39 PM
>>> To: snort-users
>>> Subject: [Snort-users] howto convert snort alerts in to iptables rules? (like
>>> fail2ban does)
>>> Does anyone of you have experience in converting snort alerts into iptables
>>> rules, ... like fail2ban does?
>>> Did it work?
>>> If you think it is unfeasible or a bad idea, please explain.
>>> KMI - IRM
>>> Joost RINGOOT
>>> System Administrator
>>> Koninklijk Meteorologisch Instituut
>>> Institut Royal Météorologique
>>> Ringlaan 3 Avenue Circulaire
>>> 1180 Brussel | Bruxelles
>>> +32 (0)2 373 06 75
>>> after office hours:
>>> +32 (0)2 373 06 83
>>> [ https://www.meteo.be/ | www.meteo.be ]
>>> [ https://www.facebook.com/kmi.be/ ] [ https://www.facebook.com/www.meteo.be/ ]
>>> Think of the environment, print this mail only if really necessary
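What the fail2ban-style conversion asked about in this thread could look like, as an added example that is not code from the thread, from Snort or from SnortSam: it parses Snort's alert_fast output, bans a source only after a threshold of sufficiently severe alerts, and never bans addresses in a whitelist so a spoofed-source alert cannot lock the administrator out. The sample alert lines, SIDs, addresses and the SNORT-BLOCK chain name are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Shape of a Snort "alert_fast" line (IPv4 only here; the port part is optional
# because ICMP alerts carry none).
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$")

def parse_alert(line):
    """Fields of one alert_fast line as a dict, or None if the line does not match."""
    m = FAST_RE.search(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def build_block_rules(lines, never_block, max_priority=2, threshold=3, chain="SNORT-BLOCK"):
    """fail2ban-style ban logic: count qualifying alerts per source and emit one
    DROP rule per source that reaches the threshold. Sources inside never_block
    (management hosts, internal ranges) are skipped so a spoofed-source alert
    cannot lock the administrator out; Snort priority 1 is the most severe."""
    safe = [ipaddress.ip_network(n) for n in never_block]
    hits, sid = Counter(), {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["prio"] > max_priority:
            continue
        if any(ipaddress.ip_address(a["src"]) in n for n in safe):
            continue
        hits[a["src"]] += 1
        sid.setdefault(a["src"], f'{a["gid"]}:{a["sid"]}')
    return [f'iptables -I {chain} -s {src} -m comment --comment "snort {sid[src]} x{n}" -j DROP'
            for src, n in sorted(hits.items()) if n >= threshold]

# Constructed sample alerts (not from the thread): 192.0.2.10 trips the threshold,
# 198.51.100.7 stays below it, 10.0.0.9 is whitelisted, 203.0.113.4 is low priority.
SAMPLE = [
    "06/21-09:31:47.000001  [**] [1:1000001:1] SAMPLE scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 10.0.0.5:22",
    "06/21-09:31:48.000002  [**] [1:1000001:1] SAMPLE scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4445 -> 10.0.0.5:23",
    "06/21-09:31:49.000003  [**] [1:1000002:1] SAMPLE ping [**] [Classification: Misc activity] [Priority: 1] {ICMP} 192.0.2.10 -> 10.0.0.5",
    "06/21-09:31:50.000004  [**] [1:1000001:1] SAMPLE scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5000 -> 10.0.0.5:22",
    "06/21-09:31:51.000005  [**] [1:1000001:1] SAMPLE scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:5001 -> 10.0.0.5:22",
    "06/21-09:31:52.000006  [**] [1:1000003:1] SAMPLE noise [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.4:53 -> 10.0.0.5:53",
]
```

`build_block_rules(SAMPLE, ["10.0.0.0/8"])` yields a single DROP rule for 192.0.2.10; unlike the in-line mode Ryan points to, this reacts after the triggering packets have already been delivered.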