[Oisf-users] How to show what ip address do the request inside an alert

Cooper F. Nelson cnelson at ucsd.edu
Tue Aug 27 17:50:27 UTC 2013


Actually, if you are using a proxy I would suggest just blocking the
various "bad" IP lists available from here:

http://rules.emergingthreats.net/blockrules/

Of course you would need to scrub these and rebuild them into an ACL
your proxy can parse.

You can then run suricata on the inside of your proxy and you will see
alerts for "HTTP/1.1 403 Forbidden" when clients attempt to access
restricted IPs.

-Coop

On 8/27/2013 12:03 AM, Peter Manev wrote:
> 
>> I think it is the right thing to do, unless of course there are better
>> ways/ideas.... ?
> 
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
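As an added example (not code from Cooper or the Oisf-users list), this is one way to do the "scrub and rebuild" step described above: parse a block list in the style of the emergingthreats blockrules files, drop comments and junk lines, collapse overlapping networks, and emit a deny ACL. The block-list text is a constructed sample, and Squid's `acl ... dst` / `http_access deny` syntax is assumed as the target proxy.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the style of an ET block list: one IPv4 address or
# CIDR per line, '#' comments, blank lines. These are documentation ranges,
# not real indicators.
SAMPLE_BLOCKLIST = """\
# compromised hosts (constructed sample)
192.0.2.10
192.0.2.11
198.51.100.0/24
198.51.100.77          # already covered by the /24 above
not-an-address
203.0.113.5
"""


def parse_blocklist(text: str) -> List[ipaddress._BaseNetwork]:
    """Scrub a block-list file: strip comments, blanks and unparsable lines,
    then merge overlapping/adjacent networks so the proxy ACL stays small."""
    v4, v6 = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                              # not an address or CIDR: skip it
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses only accepts one address family at a time
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_squid_acl(nets: Iterable[ipaddress._BaseNetwork], name: str = "et_block") -> str:
    """Render the networks as a Squid 'acl <name> dst' list plus a deny rule
    (assumed target syntax; adapt for other proxies)."""
    lines = [f"acl {name} dst {n.with_prefixlen}" for n in nets]
    lines.append(f"http_access deny {name}")
    return "\n".join(lines)


def is_blocked(addr: str, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """Mirror the proxy's decision: would this destination get a 403?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print(to_squid_acl(blocked))
```

Feeding the real blockrules files through `parse_blocklist` gives the ACL the proxy enforces; the 403 responses Suricata then sees on the inside correspond to `is_blocked` returning True.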