[Snort-users] how to convert snort alerts into iptables rules? (like fail2ban does)

Steeve McCauley steeve.mccauley at gmail.com
Fri Jun 21 09:11:23 EDT 2019


Alert vs drop?

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html

On Fri, Jun 21, 2019 at 9:09 AM Al Lewis (allewi) via Snort-users <
snort-users at lists.snort.org> wrote:

> Hello,
>
>
>
> “snort does, by default not block what it detects.”?
>
>
>
> Have you placed snort inline and set the rules to drop?
>
>
>
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> Cisco Systems Inc.
>
> Email: allewi at cisco.com
>
>
>
>
>
>
>
> *From: *Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> Joost Ringoot <joost.ringoot at meteo.be>
> *Date: *Friday, June 21, 2019 at 8:34 AM
> *To: *Dorian ROSSE <dorianbrice at hotmail.fr>
> *Cc: *snort-users <snort-users at lists.snort.org>
> *Subject: *Re: [Snort-users] how to convert snort alerts into iptables
> rules? (like fail2ban does)
>
>
>
> Hello Dorian
>
>
>
> Thank you for replying
>
>
>
> The main point is: snort does, by default, not block what it detects.
>
>
> If an attack is detected, I would like the source to be blocked
> immediately, by converting the detected attack into a rule that blocks the
> attacking vector/host.
> If you have another method to convert a snort alert directly into a network
> block via netfilter or a kernel hook or something else, I would like to hear
> it from you.
>
>
>
> Best Regards,
>
>
>
> Joost
>
>
>
> BTW: firewalld, the current standard firewall for Linux, still has iptables
> under the hood.
>
> BBTW: meanwhile I found something that may be promising:
> https://doc.emergingthreats.net/bin/view/Main/SnortSam
> ------------------------------
>
> *From: *"Dorian ROSSE" <dorianbrice at hotmail.fr>
> *To: *"Joost Ringoot" <joost.ringoot at meteo.be>, "snort-users" <
> snort-users at lists.snort.org>
> *Sent: *Friday, 21 June, 2019 13:52:07
> *Subject: *RE: how to convert snort alerts into iptables rules? (like
> fail2ban does)
>
> Iptables is much older,
>
> Iptables is much more insecure,
>
> It is how I don't use iptables; finally, I can't use IPFW modules on
> snort!!!
>
> Regards.
>
>
> Dorian ROSSE.
>
>
>
> Sent from: Mail <https://go.microsoft.com/fwlink/?LinkId=550986>
> for Windows 10
>
>
> ------------------------------
>
> *From:* Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> Joost Ringoot <joost.ringoot at meteo.be>
> *Sent:* Friday, June 21, 2019 12:14:39 PM
> *To:* snort-users
> *Subject:* [Snort-users] how to convert snort alerts into iptables rules?
> (like fail2ban does)
>
>
>
> Hello,
>
> Do any of you have experience converting snort alerts into
> iptables rules, like fail2ban does?
>
> Did it work?
>
> If you think it is unfeasible or a bad idea, please explain.
>
>
>
> Thanks,
>
>
>
> Joost
>
>
>
>
> ------------------------------
>
>
> *KMI - IRM*
>
> *Joost RINGOOT*
>
> *System Administrator*
>
>
> *Koninklijk Meteorologisch Instituut Institut Royal Météorologique*
> Ringlaan 3 Avenue Circulaire
> 1180 Brussel | Bruxelles
> +32 (0)2 373 06 75
> after office hours:
> +32 (0)2 373 06 83
> www.meteo.be <https://www.meteo.be>
>
> ------------------------------
>
>
> *Think of the environment: print this mail only if really necessary*
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
>         To unsubscribe, send an email to:
>         snort-users-leave at lists.snort.org
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>


-- 
:wq
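The fail2ban-style workflow Joost asks about, written out as an added example (not code from this thread, from Snort or from fail2ban): a Python script that parses Snort 2 alert_fast lines and emits iptables commands for a dedicated chain. The sample alert lines are constructed; the SNORT-BLOCK chain name, the priority threshold and the allowlisted networks are assumptions a deployment would tune.

```python
"""Turn Snort 2 alert_fast lines into iptables DROP rules, fail2ban-style.

Added example for the thread above; not Snort or fail2ban code. The alert
lines below are constructed, and the chain name, priority threshold and
allowlist are assumptions a deployment would tune.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Snort 2 alert_fast layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:sport] -> dst[:dport]
# IPv4 only; ICMP lines carry no ports.
_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_ALERTS = """\
06/21-09:11:23.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:44321 -> 192.0.2.10:80
06/21-09:11:24.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51000 -> 192.0.2.10:22
06/21-09:11:24.500000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51001 -> 192.0.2.10:22
06/21-09:11:25.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.0.2.10
06/21-09:11:26.000000  [**] [1:1000002:1] LOCAL scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:4000 -> 192.0.2.10:443
"""

# Never auto-block these ranges (assumed: our own RFC 1918 space). Source
# addresses in alerts can be spoofed, so blocking them blindly lets an
# attacker cut off legitimate hosts.
DEFAULT_ALLOW = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert's fields, or None if the line is not alert_fast."""
    m = _FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def select_sources(lines: Iterable[str], max_priority: int = 2,
                   allow_nets: Iterable[str] = DEFAULT_ALLOW) -> List[str]:
    """Pick the source IPs to block: priority <= max_priority (1 is most
    severe), not in an allowlisted network, each address listed once."""
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    picked: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or int(alert["prio"]) > max_priority:
            continue
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in allow) or str(src) in picked:
            continue
        picked.append(str(src))
    return picked


def to_iptables(sources: Iterable[str], chain: str = "SNORT-BLOCK") -> List[str]:
    """Emit idempotent iptables commands: create the chain, hook it into
    INPUT once, then one DROP per source, tagged for later cleanup."""
    cmds = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}",
    ]
    for src in sources:
        cmds.append(f"iptables -A {chain} -s {src} -m comment --comment snort-auto -j DROP")
    return cmds


if __name__ == "__main__":
    # Print, don't execute: review the output, then pipe it into sh as root.
    for cmd in to_iptables(select_sources(SAMPLE_ALERTS.splitlines())):
        print(cmd)
```

Two caveats a practitioner would add before running this against a live alert file: the source address in an alert is whatever the packet claimed, so for UDP, ICMP and single-SYN signatures an attacker can get arbitrary hosts blocked, which is why the allowlist and the priority threshold exist; and the rules above never expire, whereas fail2ban unbans after a bantime, so a cron job should flush the chain periodically. Steeve's suggestion sidesteps both problems: with Snort inline and the signature set to drop, the offending packet itself is discarded and nothing has to race the alert.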

