If you really want to use iptables, I found it interesting:


It explains by web rules how to set the rules with an iptables IPS / IDS Snort program




From: Ryan Buzzell <rbuzzellcsh@gmail.com>
Sent: Friday, June 21, 2019 2:33:52 PM
To: Dorian ROSSE; Joost Ringoot
Cc: Dorian ROSSE via Snort-users
Subject: Re: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

What you're looking for is snort IPS or snort in-line mode.
On Jun 21, 2019, 08:30 -0400, Joost Ringoot <joost.ringoot@meteo.be>, wrote:
Hello Dorian

Thank you for replying

The main point is: Snort does not, by default, block what it detects.

If an attack is detected, I would like the source to be blocked immediately, by converting the detected attack into a rule that blocks the attacking vector/host.
If you have another method to convert a snort alert directly in a network block via netfilter or a kernelhook or something else, I would like to hear it from you.

Best Regards,


BTW: firewalld, the current standard firewall for Linux, still has iptables under the hood.
BBTW: meanwhile I found something that may be promising: https://doc.emergingthreats.net/bin/view/Main/SnortSam

From: "Dorian ROSSE" <dorianbrice@hotmail.fr>
To: "Joost Ringoot" <joost.ringoot@meteo.be>, "snort-users" <snort-users@lists.snort.org>
Sent: Friday, 21 June, 2019 13:52:07
Subject: RE: howto convert snort alerts in to iptables rules? (like fail2ban does)

Iptables is much too old,

Iptables is much too insecure,

That is why I don't use iptables; finally, I can't use IPFW modules on Snort!!!


Dorian ROSSE.




From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Joost Ringoot <joost.ringoot@meteo.be>
Sent: Friday, June 21, 2019 12:14:39 PM
To: snort-users
Subject: [Snort-users] howto convert snort alerts in to iptables rules? (like fail2ban does)

Does anyone of you have experience in converting snort alerts into iptables rules, ... like fail2ban does?

Did it work?

If you think it is unfeasible or a bad idea, please explain.



System Administrator
Koninklijk Meteorologisch Instituut
Institut Royal Météorologique

Ringlaan 3 Avenue Circulaire
1180 Brussel | Bruxelles
+32 (0)2 373 06 75
after office hours:
+32 (0)2 373 06 83
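A fail2ban-style take on the question asked in this thread, as an added example that is not code from any of the posters, from Snort, or from SnortSam: it reads Snort "fast" alert lines, counts qualifying alerts per source address, and builds the matching iptables DROP commands. The priority cut-off, the threshold, the `NEVER_BLOCK` list, and the sample alerts are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert: ... [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{\w+\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
)

# Assumption: networks that must never be blocked (own hosts, monitoring).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def offenders(lines, max_priority=2, threshold=3):
    """Source IPs with at least `threshold` alerts of priority <= max_priority."""
    hits = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or int(m.group("prio")) > max_priority:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # matched the pattern but is not a valid address
        if any(src in net for net in NEVER_BLOCK):
            continue  # alert text is untrusted input; keep own ranges reachable
        hits[src] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def iptables_commands(ips, chain="INPUT"):
    """argv lists, one per address; to apply: subprocess.run(cmd, check=True)."""
    return [["iptables", "-I", chain, "-s", str(ip), "-j", "DROP"] for ip in ips]


# Constructed sample alerts: documentation address ranges, made-up rule ID.
LINE = ("06/21-12:14:39.000000  [**] [1:1000001:1] constructed rule [**] "
        "[Classification: Misc activity] [Priority: {p}] {{TCP}} {s}:40000 -> 192.0.2.10:22")
SAMPLE = (
    [LINE.format(p=1, s="203.0.113.7")] * 3      # enough high-priority alerts
    + [LINE.format(p=2, s="198.51.100.9")] * 2   # below threshold
    + [LINE.format(p=1, s="192.0.2.50")] * 3     # inside NEVER_BLOCK
    + [LINE.format(p=3, s="198.51.100.20")] * 3  # priority too low to act on
)

if __name__ == "__main__":
    for cmd in iptables_commands(offenders(SAMPLE)):
        print(" ".join(cmd))
```

Because the commands are returned as argument lists rather than shell strings, nothing taken from an alert line is ever interpreted by a shell.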