[Oisf-users] deciding what to drop in suricata IPS
Victor Julien
lists at inliniac.net
Wed Dec 14 11:44:13 UTC 2016
On 14-12-16 10:53, Vieri wrote:
>
>
> ----- Original Message -----
>> From: Oliver Humpage <oliver at watershed.co.uk>
>
>>> On 9 Dec 2016, at 22:13, Vieri <rentorbuy at yahoo.com> wrote:
>>>
>>> fast.log has messages such as:
>>>
>
>>> 12/09/2016-22:46:31.396745 [**] [1:2500016:4174] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 1.2.3.4:51499 -> 10.215.144.91:22
>>>
>>> but nothing in drop.log.
>>
>> By default the Emerging Threats rules are set only to alert, not to block.
>
>>
>> I put this in my oinkmaster.conf:
>>
>> modifysid emerging-exploit.rules, …, emerging-trojan.rules "^\s*alert" | "drop"
>>
>> Which changes all rules in those files to drop. I suspect you can also run modifysid on individual SID numbers.
>>
>
>> Oliver.
>
>
> Thanks. I wasn't using oinkmaster to update the rules. I guess that's the easiest way to go.
>
> I'm still trying to find out how to trigger custom scripts ONLY when a "drop" action occurs.
> The goal is simple: whenever Suricata wants to "drop" a packet, run a custom script that inserts the "srcip" into a Linux ipset.
>
> In suricata.yaml I can see that there's a section "Outputs: - drop:" and that the "filetype" can be "regular" or "unix_stream".
> Could I set up a named pipe with mkfifo before running Suricata and set the "filename" in this section to that FIFO named pipe?
> Or is Suricata going to create the pipe?
> Has anyone already set up something similar?
Something like https://github.com/regit/DOM may be useful.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
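An added example, not from the thread or from the Suricata project, of the helper Vieri describes: a small Python reader that follows a FIFO set as the drop output's `filename`, pulls the source address out of each logged drop and adds it to an ipset. It assumes the FIFO was created with `mkfifo` before Suricata starts, that drop lines end with the same `{PROTO} src:port -> dst:port` tail as the fast.log line quoted above, and that the target set (here `suricata_drop`) already exists with timeout support.

```python
import re
import subprocess
import sys

# Tail of a fast.log-style line as quoted in the thread:
#   "... [Priority: 2] {TCP} 1.2.3.4:51499 -> 10.215.144.91:22"
# Assumption: the drop output writes the same "{PROTO} src:port -> dst:port" tail.
# IPv4 only; IPv6 drop lines are skipped by this pattern.
_TAIL_RE = re.compile(
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_drop_line(line):
    """Return the source IP of a dropped-packet log line, or None if it does not parse."""
    m = _TAIL_RE.search(line)
    return m.group("src") if m else None


def ipset_add_cmd(setname, ip, timeout=None):
    """Build the argv for adding ip to an ipset.

    -exist makes repeated adds of the same address succeed silently: Suricata logs
    every dropped packet, not every distinct source. 'timeout' only works if the set
    was created with the timeout extension (ipset create <name> hash:ip timeout 0).
    """
    cmd = ["ipset", "add", "-exist", setname, ip]
    if timeout is not None:
        cmd += ["timeout", str(timeout)]
    return cmd


def follow_fifo(path):
    """Yield lines from a FIFO, reopening it whenever the writer closes its end."""
    while True:
        with open(path, "r") as fifo:  # blocks until Suricata opens the writer side
            for line in fifo:
                yield line.rstrip("\n")


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: drop2ipset.py <fifo-path> <ipset-name>")
    fifo_path, setname = argv[1], argv[2]
    for line in follow_fifo(fifo_path):
        src = parse_drop_line(line)
        if src is None:
            continue  # not a per-packet drop line (header, IPv6, or malformed)
        subprocess.run(ipset_add_cmd(setname, src, timeout=3600), check=False)


if __name__ == "__main__":
    main(sys.argv)  # e.g. drop2ipset.py /var/run/suricata-drop.fifo suricata_drop
```

Run it as root (ipset needs CAP_NET_ADMIN) before Suricata opens the FIFO, and reference the set from an iptables/nftables rule that drops matching sources.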