[Oisf-users] deciding what to drop in suricata IPS

Vieri rentorbuy at yahoo.com
Wed Dec 14 09:53:31 UTC 2016



----- Original Message -----
> From: Oliver Humpage <oliver at watershed.co.uk>
>
>> On 9 Dec 2016, at 22:13, Vieri <rentorbuy at yahoo.com> wrote:
>> 
>> fast.log has messages such as:
>> 
>> 12/09/2016-22:46:31.396745  [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 1.2.3.4:51499 -> 10.215.144.91:22
>> 
>> but nothing in drop.log.
>
> By default the Emerging Threats rules are set only to alert, not to block.
> 
> I put this in my oinkmaster.conf:
> 
> modifysid emerging-exploit.rules, …, emerging-trojan.rules  "^\s*alert" | "drop"
> 
> Which changes all rules in those files to drop. I suspect you can also run modifysid on individual SID numbers.
> 
> Oliver.


Thanks. I wasn't using oinkmaster to update the rules. I guess that's the easiest way to go.

I'm still trying to find out how to trigger custom scripts ONLY when a "drop" action occurs.
The goal is simple: whenever Suricata wants to "drop" a packet, run a custom script that inserts the "srcip" into a Linux ipset.

In suricata.yaml I can see that there's a section "Outputs: - drop:" and that the "filetype" can be "regular" or "unix_stream".
Could I set up a named pipe with mkfifo before running Suricata and set the "filename" in this section to that FIFO named pipe?
Or is Suricata going to create the pipe?
Has anyone already set up something similar?

Thanks,

Vieri
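One way to do what the post above asks, added here as an example that is not code from the thread or from Suricata: a small Python reader that takes drop-log lines from a pre-created FIFO and adds each source address to an ipset. The FIFO path, the set name and the mkfifo/ipset create commands are assumptions; the parser matches the "src:port -> dst:port" pair that both fast.log and drop.log lines carry, and skips non-global source addresses so an internal host that trips a rule is never blackholed.

```python
"""Feed Suricata drop events into a Linux ipset (added example, not from the thread).
Assumptions: the drop output in suricata.yaml points at a FIFO created beforehand
with `mkfifo /var/log/suricata/drop.fifo`, and the set exists:
`ipset create suricata_drop hash:ip timeout 3600` (entries expire after one hour)."""
import ipaddress
import re
import subprocess
import sys

# Both drop.log and fast.log carry a "src:port -> dst:port" pair; matching only
# that pair keeps the parser independent of the other fields and handles v4 and v6.
ENDPOINTS = re.compile(
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)\s*->\s*(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)"
)

# Constructed sample line in fast.log style, so the parser can be exercised offline.
SAMPLE_LINE = ("12/09/2016-22:46:31.396745 [**] [1:2500016:4174] ET COMPROMISED Known Compromised "
               "or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] "
               "{TCP} 1.2.3.4:51499 -> 10.215.144.91:22")

def parse_source_ip(line):
    """Source address of one log line, or None when there is no endpoint pair or the
    source is not globally routable (an internal host tripping a rule should be
    investigated, not silently blocked)."""
    match = ENDPOINTS.search(line)
    if not match:
        return None
    try:
        src = ipaddress.ip_address(match.group("src"))
    except ValueError:
        return None
    return str(src) if src.is_global else None

def ipset_command(srcip, setname="suricata_drop"):
    """Command to add one address; -exist turns a repeated add into a no-op, not an error."""
    return ["ipset", "add", "-exist", setname, srcip]

def follow(fifo_path):
    """Read lines from the FIFO forever. open() blocks until Suricata opens the writing
    end, and the loop ends when it closes it (e.g. on restart), so re-open and continue."""
    while True:
        with open(fifo_path) as fifo:
            for line in fifo:
                srcip = parse_source_ip(line)
                if srcip:
                    subprocess.run(ipset_command(srcip), check=False)

if __name__ == "__main__":
    follow(sys.argv[1] if len(sys.argv) > 1 else "/var/log/suricata/drop.fifo")
```

Whether Suricata's "regular" filetype will happily write into a pre-made FIFO is the open question from the post; the reader itself only needs a path it can open for reading line by line.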


