[Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Joost Ringoot joost.ringoot at meteo.be
Fri Jun 21 09:31:47 EDT 2019


Thanks Ryan, 

indeed inline mode, I will rtfm some more now :-) 

> From: "Ryan Buzzell" <rbuzzellcsh at gmail.com>
> To: "Dorian ROSSE" <dorianbrice at hotmail.fr>, "Joost Ringoot"
> <joost.ringoot at meteo.be>
> Cc: "snort-users" <snort-users at lists.snort.org>
> Sent: Friday, 21 June, 2019 14:33:52
> Subject: Re: [Snort-users] howto convert snort alerts in to iptables rules?
> (like fail2ban does)

> Hello,

> What you're looking for is snort IPS or snort in-line mode.
> On Jun 21, 2019, 08:30 -0400, Joost Ringoot <joost.ringoot at meteo.be>, wrote:

>> Hello Dorian

>> Thank you for replying

>> The main point is: snort does, by default, not block what it detects.

>> If an attack is detected, I would like the source to be blocked immediately, by
>> converting the detected attack into a rule that blocks the attacking
>> vector/host.
>> If you have another method to convert a snort alert directly in a network block
>> via netfilter or a kernelhook or something else, I would like to hear it from
>> you.

>> Best Regards,

>> Joost

>> BTW: firewalld, the current standard firewall for Linux, still has iptables under
>> the hood.
>> BBTW: meanwhile I found something that may be promising:
>> https://doc.emergingthreats.net/bin/view/Main/SnortSam

>>> From: "Dorian ROSSE" <dorianbrice at hotmail.fr>
>>> To: "Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users"
>>> <snort-users at lists.snort.org>
>>> Sent: Friday, 21 June, 2019 13:52:07
>>> Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban
>>> does)

>>> Iptables is much too old,

>>> Iptables is much too insecure,

>>> That is how I don't use iptables; finally, I can't use IPFW modules on Snort!!!

>>> Regards.

>>> Dorian ROSSE.

>>> Sent from: [ https://go.microsoft.com/fwlink/?LinkId=550986 | Mail ] for
>>> Windows 10

>>> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Joost
>>> Ringoot <joost.ringoot at meteo.be>
>>> Sent: Friday, June 21, 2019 12:14:39 PM
>>> To: snort-users
>>> Subject: [Snort-users] howto convert snort alerts in to iptables rules? (like
>>> fail2ban does)
>>> Hello,

>>> Does anyone of you have experience in converting snort alerts into iptables
>>> rules, ... like fail2ban does?

>>> Did it work?

>>> If you think it is unfeasible or a bad idea, please explain.

>>> Thanks,

>>> Joost

>>> KMI - IRM
>>> Joost RINGOOT
>>> System Administrator
>>> Koninklijk Meteorologisch Instituut
>>> Institut Royal Météorologique
>>> Ringlaan 3 Avenue Circulaire
>>> 1180 Brussel | Bruxelles
>>> +32 (0)2 373 06 75
>>> after office hours:
>>> +32 (0)2 373 06 83
>>> [ https://www.meteo.be/ | www.meteo.be ]
>>> [ https://www.facebook.com/kmi.be/ ] [ https://www.facebook.com/www.meteo.be/ ]

>>> Think of the environment: print this mail only if really necessary
>>> [
>>> http://ec.europa.eu/environment/emas/register/search/registration.do?registrationId=582580
>>> ]

>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.snort.org
>> Go to this URL to change user options or unsubscribe:
>> https://lists.snort.org/mailman/listinfo/snort-users

>> To unsubscribe, send an email to:
>> snort-users-leave at lists.snort.org

>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

>> Please follow these rules:
>> https://snort.org/faq/what-is-the-mailing-list-etiquette
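As an added illustration of the conversion Joost asks about (example code written for this page, not code from the thread, from SnortSam or from Snort itself): a small Python filter that reads Snort alert_fast lines and emits iptables DROP commands, one per source host, while refusing to block loopback, private, link-local or allow-listed sources. The alert lines, addresses and rule names below are constructed samples.

```python
import ipaddress
import re

# Layout of one Snort "alert_fast" line (the sample lines below are constructed, not real traffic):
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Sources that are never turned into a DROP rule (loopback, RFC 1918, link-local), so a spoofed or
# misclassified alert cannot lock the sensor out of its own network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

SAMPLE_ALERTS = [  # constructed sample data
    "06/21-12:14:39.123456  [**] [1:1000001:1] CONSTRUCTED SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22",
    "06/21-12:14:40.000001  [**] [1:1000001:1] CONSTRUCTED SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:51235 -> 192.0.2.10:22",
    "06/21-12:15:02.555555  [**] [1:1000002:2] CONSTRUCTED internal scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.7:40000 -> 192.0.2.10:445",
    "06/21-12:16:10.777777  [**] [1:1000003:1] CONSTRUCTED noisy low-priority [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.9:53 -> 192.0.2.10:53",
    "not an alert line at all",
]


def parse_alert(line):
    """Return the fields of one fast-alert line, or None if the line is not an alert."""
    m = FAST_ALERT.search(line)
    if m is None:
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def is_blockable(src, allow_list=()):
    """False for loopback/private/link-local sources and for anything on the operator's allow list."""
    ip = ipaddress.ip_address(src)
    nets = NEVER_BLOCK + [ipaddress.ip_network(a) for a in allow_list]
    return not any(ip in net for net in nets)


def alerts_to_rules(lines, max_priority=2, allow_list=()):
    """One iptables DROP command per offending source, only for alerts at or above
    max_priority (Snort: 1 is most severe). Only the digit-validated sid is interpolated into
    the command, never the free-text msg, so rule text cannot reach the shell command line."""
    rules, seen = [], set()
    for line in lines:
        a = parse_alert(line)
        if a is None or a["priority"] > max_priority or a["src"] in seen:
            continue
        if not is_blockable(a["src"], allow_list):
            continue
        seen.add(a["src"])
        rules.append(f'iptables -I INPUT -s {a["src"]} -m comment --comment "snort-sid-{a["sid"]}" -j DROP')
    return rules
```

Unlike the inline (IPS) mode Ryan points to, a log-driven block like this only takes effect after the alerting packets have already passed, and blocking on source address alone will also block whatever is spoofing that address, so the allow list and priority threshold matter in practice.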