[Oisf-users] feedback packet filtering

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 17 22:59:55 UTC 2013



You can do this trivially via a script like this:

http://sourceforge.net/projects/intrusionblock/

As you mentioned, I prefer this approach to a full-blown IDS or web
application firewall, as the performance overhead is much lower.

To whitelist traffic you could use the reputation-based filter or
thresholds.

-Coop

On 7/17/2013 3:26 PM, Theodore Elhourani wrote:
> Does Suricata have any mechanism for filtering packets at the kernel level
> (iptables) at runtime?
> 
> Let's say a drop was triggered from the IP-only module, and all subsequent
> packets in the stream were automatically dropped. Now, is there a mechanism
> to insert iptables rules for filtering out future packets of the same type?
> 
> The same idea may apply to the case of whitelisted traffic. If we know the
> signature of benign traffic, then we may in certain cases allow the traffic
> to bypass Suricata via iptables rules.
> 
> It would be nice to have this kind of functionality, as it can help reduce the
> cost of packet acquisition.
> 
> Thanks, Ted
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
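A worked example of the alert-to-iptables loop Ted asks about and Coop points at, added to this archive page; it is not intrusionblock's code and not part of the original thread. It assumes Suricata writes EVE JSON alerts (eve.json), that Suricata runs inline behind an NFQUEUE rule in the INPUT chain (so an earlier ACCEPT lets whitelisted traffic bypass it), and uses a hypothetical chain name SURICATA_BLOCK; the alert lines are constructed, not captured traffic. The threshold and whitelist are the two knobs Coop mentions: a source is blocked only after a configurable number of alerts, and never if it falls inside a whitelisted network.

```python
"""Turn Suricata EVE alert records into iptables rules.

Added example for the thread above, not the intrusionblock project's code.
Assumptions: eve.json alert format, Suricata inline via NFQUEUE in INPUT,
hypothetical chain name SURICATA_BLOCK. Rules are returned as strings and
never executed here; review them before piping to a shell.
"""
import ipaddress
import json
from collections import Counter

CHAIN = "SURICATA_BLOCK"          # hypothetical chain name (assumption)
THRESHOLD = 3                     # alerts from one source before it is blocked
WHITELIST = ("10.0.0.0/8", "192.168.1.10")  # management hosts/nets: never block

# Constructed eve.json lines (synthetic; 192.0.2.0/24 etc. are documentation ranges).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2013-07-17T15:01:02.000000-0700","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}',
    '{"timestamp":"2013-07-17T15:01:03.000000-0700","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}',
    '{"timestamp":"2013-07-17T15:01:04.000000-0700","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP"}',
    '{"timestamp":"2013-07-17T15:01:05.000000-0700","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","action":"blocked"}}',
    '{"timestamp":"2013-07-17T15:02:00.000000-0700","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","action":"allowed"}}',
    '{"timestamp":"2013-07-17T15:03:00.000000-0700","event_type":"alert","src_ip":"10.1.2.3","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","action":"allowed"}}',
    '{"timestamp":"2013-07-17T15:03:01.000000-0700","event_type":"alert","src_ip":"10.1.2.3","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","action":"allowed"}}',
    '{"timestamp":"2013-07-17T15:03:02.000000-0700","event_type":"alert","src_ip":"10.1.2.3","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2010935,"signature":"ET SCAN Suspicious inbound to MSSQL port 1433","action":"allowed"}}',
    '{"event_type":"alert","src_ip":',                       # truncated line: must be skipped
    '{"event_type":"alert","src_ip":"not-an-ip","dest_ip":"203.0.113.5"}',  # bad address: skipped
]


def parse_whitelist(entries=WHITELIST):
    """Whitelist entries may be single hosts or CIDR networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_whitelisted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def alert_counts(lines):
    """Count alert events per source IP, ignoring non-alert and malformed records."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # a half-written eve.json line must never crash the blocker
        if ev.get("event_type") != "alert":
            continue
        src = ev.get("src_ip")
        try:
            ipaddress.ip_address(src)
        except (ValueError, TypeError):
            continue  # never build an iptables argument from an unvalidated string
        counts[src] += 1
    return counts


def sources_to_block(lines, threshold=THRESHOLD, whitelist=WHITELIST):
    """Sources at or above the alert threshold that are not whitelisted."""
    nets = parse_whitelist(whitelist)
    return sorted(ip for ip, n in alert_counts(lines).items()
                  if n >= threshold and not is_whitelisted(ip, nets))


def setup_rules():
    """One-time setup: a dedicated chain evaluated before the NFQUEUE rule."""
    return ["iptables -N %s" % CHAIN, "iptables -I INPUT -j %s" % CHAIN]


def block_rules(lines, threshold=THRESHOLD, whitelist=WHITELIST):
    return ["iptables -A %s -s %s -j DROP" % (CHAIN, ip)
            for ip in sources_to_block(lines, threshold, whitelist)]


def bypass_rules(whitelist=WHITELIST):
    """Let known-good networks skip Suricata: ACCEPT ahead of the NFQUEUE rule."""
    return ["iptables -I INPUT -s %s -j ACCEPT" % net for net in parse_whitelist(whitelist)]


if __name__ == "__main__":
    for rule in setup_rules() + bypass_rules() + block_rules(SAMPLE_EVE_LINES):
        print(rule)
```

Two caveats a deployment needs that the example leaves out on purpose: the DROP rules never expire, so a long-running blocker should flush or age the chain (or use an ipset with a timeout) rather than grow it forever, and blocking on the src_ip of an alert reacts to spoofed or shared addresses, which is exactly why the whitelist must contain your own management hosts before the first rule is applied.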