If you really want to use iptables, I found this interesting:

https://www.cipherdyne.org/fwsnort/

It explains, through web rules, how to set the rules for iptables with the Snort IPS / IDS programs.

Sent from Mail for Windows 10


From: Ryan Buzzell <rbuzzellcsh@gmail.com>
Sent: Friday, June 21, 2019 2:33:52 PM
To: Dorian ROSSE; Joost Ringoot
Cc: Dorian ROSSE via Snort-users
Subject: Re: [Snort-users] how to convert Snort alerts into iptables rules? (like fail2ban does)

Hello,

What you're looking for is snort IPS or snort in-line mode.
On Jun 21, 2019, 08:30 -0400, Joost Ringoot <joost.ringoot@meteo.be>, wrote:
Hello Dorian

Thank you for replying

The main point is: Snort does, by default, not block what it detects.

If an attack is detected, I would like the source to be blocked immediately, by converting the detected attack into a rule that blocks the attacking vector/host.
If you have another method to convert a Snort alert directly into a network block via netfilter or a kernel hook or something else, I would like to hear it from you.


Best Regards,

Joost

BTW: firewalld, the current standard firewall for Linux, still has iptables under the hood.
BBTW: meanwhile I found something that may be promising: https://doc.emergingthreats.net/bin/view/Main/SnortSam


From: "Dorian ROSSE" <dorianbrice@hotmail.fr>
To: "Joost Ringoot" <joost.ringoot@meteo.be>, "snort-users" <snort-users@lists.snort.org>
Sent: Friday, 21 June, 2019 13:52:07
Subject: RE: how to convert Snort alerts into iptables rules? (like fail2ban does)

Iptables is too old,

Iptables is too insecure,

That is why I don't use iptables; in the end, I can't use IPFW modules on Snort!!!

Regards.


Dorian ROSSE.

Sent from Mail for Windows 10



From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Joost Ringoot <joost.ringoot@meteo.be>
Sent: Friday, June 21, 2019 12:14:39 PM
To: snort-users
Subject: [Snort-users] how to convert Snort alerts into iptables rules? (like fail2ban does)

Hello,

Does any of you have experience in converting Snort alerts into iptables rules, ... like fail2ban does?

Did it work?

If you think it is unfeasible or a bad idea, please explain.

Thanks,

Joost



KMI - IRM
Joost RINGOOT
System Administrator
Koninklijk Meteorologisch Instituut
Institut Royal Météorologique

Ringlaan 3 Avenue Circulaire
1180 Brussel | Bruxelles
+32 (0)2 373 06 75
after office hours:
+32 (0)2 373 06 83
www.meteo.be

Think of the environment; print this mail only if really necessary

_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave@lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
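Joost's original question (turning Snort alerts into iptables blocks the way fail2ban does) and Ryan's answer (use Snort inline instead) both leave open what a fail2ban-style reactor has to get right if you do build one. The script below is an added example written for this thread; it is not code from the Snort project, from fail2ban, from SnortSam, or from any participant. It parses Snort fast-format alert lines, counts qualifying alerts per source over a sliding window, and emits the ipset/iptables commands that would block a source once it crosses the threshold. It only returns the commands (dry run) and never executes them. The ipset name snort_block, the threshold, window and ban durations, the TCP-only default, and the sample alert lines (built from documentation address ranges) are all assumptions constructed for the example.

```python
"""Fail2ban-style reaction to Snort 'fast' alerts (added example, dry run).

Not code from Snort, fail2ban or the thread. Set name, thresholds and the
sample alerts are assumptions; commands are returned, never executed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

SET_NAME = "snort_block"  # assumed ipset name

# One Snort "fast" alert line (IPv4 only; the port is absent for ICMP).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # The fast format carries no year, so timestamps are only compared to
    # each other: seconds since 1900-01-01 is enough for windowing.
    dt = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    d["t"] = (dt - datetime(1900, 1, 1)).total_seconds()
    d["prio"] = int(d["prio"])
    return d


def setup_commands(ban_s=3600):
    """One-time firewall setup: a timed ipset plus a single iptables rule."""
    return [
        f"ipset create {SET_NAME} hash:ip timeout {ban_s} -exist",
        f"iptables -I INPUT -m set --match-set {SET_NAME} src -j DROP",
    ]


class AlertBlocker:
    """Block a source after `threshold` qualifying alerts within `window_s`."""

    def __init__(self, threshold=3, window_s=600, ban_s=3600,
                 allow=(), protocols=("TCP",), max_priority=2):
        self.threshold, self.window, self.ban = threshold, window_s, ban_s
        # Never block these networks (own hosts, monitoring, the resolver).
        self.allow = [ipaddress.ip_network(n) for n in allow]
        # TCP only by default: a spoofed source cannot complete the handshake,
        # so a content match on TCP is far harder to abuse for a reflexive
        # denial of service than a single UDP or ICMP alert would be.
        self.protocols = set(protocols)
        self.max_priority = max_priority  # Snort priority 1 is most severe
        self.hits = defaultdict(deque)    # src -> timestamps inside the window
        self.banned = {}                  # src -> expiry time
        self.commands = []                # every command emitted so far

    def exempt(self, src):
        addr = ipaddress.ip_address(src)
        return addr.is_loopback or any(addr in net for net in self.allow)

    def feed(self, line):
        """Consume one log line; return the commands it triggered (often none)."""
        a = parse_fast_alert(line)
        if (a is None or a["proto"] not in self.protocols
                or a["prio"] > self.max_priority or self.exempt(a["src"])):
            return []
        src, t = a["src"], a["t"]
        if self.banned.get(src, float("-inf")) > t:
            return []  # already blocked; ipset's per-entry timeout expires it
        q = self.hits[src]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return []
        self.banned[src] = t + self.ban
        q.clear()
        cmds = [f"ipset add {SET_NAME} {src} timeout {self.ban} -exist"]
        self.commands.extend(cmds)
        return cmds


def react(lines, **kw):
    """Run a blocker over an iterable of log lines; return emitted commands."""
    blocker = AlertBlocker(**kw)
    for line in lines:
        blocker.feed(line)
    return blocker.commands


# Constructed sample alerts in fast format (documentation ranges, not real traffic).
SAMPLE_ALERTS = [
    "06/21-12:14:39.000001  [**] [1:1000001:1] TEST web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80",
    "06/21-12:14:41.000002  [**] [1:1000001:1] TEST web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51001 -> 198.51.100.5:80",
    "06/21-12:14:42.000003  [**] [1:1000002:1] TEST spoofable UDP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.9:53 -> 198.51.100.5:53",
    "06/21-12:14:43.000004  [**] [1:1000003:1] TEST ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.8 -> 198.51.100.5",
    "06/21-12:14:45.000005  [**] [1:1000001:1] TEST web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51002 -> 198.51.100.5:80",
    "06/21-12:14:46.000006  [**] [1:1000001:1] TEST web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51003 -> 198.51.100.5:80",
    "06/21-12:14:47.000007  [**] [1:1000001:1] TEST web shell probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.250:40000 -> 198.51.100.5:80",
]

if __name__ == "__main__":
    for cmd in setup_commands() + react(SAMPLE_ALERTS, allow=("192.0.2.0/24",)):
        print(cmd)
```

Run stand-alone, it prints the two setup commands and the single `ipset add` for 203.0.113.7, which is the only source with three qualifying TCP alerts inside the window; the UDP and ICMP alerts are ignored and 192.0.2.250 is allowlisted. To wire it to a live sensor you would feed `AlertBlocker.feed()` from a `tail -F` of the fast alert file (by default `alert` under Snort's log directory) and pass each returned command to `subprocess.run` with root privileges. The design choices are the caveats a practitioner wants from any alert-to-block setup: expiry comes from ipset's per-entry timeout rather than from bookkeeping `iptables -D` calls, an allowlist keeps you from blocking your own monitoring or resolver, and only TCP alerts count by default because one alert on a spoofable UDP or ICMP packet is enough for an attacker to get an arbitrary third party blocked. None of this replaces Snort inline mode, which drops the offending packet itself rather than reacting after the fact.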