[Oisf-users] deciding what to drop in suricata IPS

Vieri rentorbuy at yahoo.com
Thu Dec 15 09:39:52 UTC 2016

----- Original Message -----
> From: Victor Julien <lists at inliniac.net>
> To: oisf-users at lists.openinfosecfoundation.org
> Sent: Wednesday, December 14, 2016 12:44 PM
> Subject: Re: [Oisf-users] deciding what to drop in suricata IPS
>> On 14-12-16 10:53, Vieri wrote:
>> I'm still trying to find out how to trigger custom scripts ONLY when a "drop" action occurs.

>> The goal is simple: whenever Suricata wants to "drop" a packet, run a custom script that inserts the 

>>"srcip" into a Linux ipset.>> 

>> In suricata.yaml I can see that there's a section "Outputs: - drop:" and that the "filetype" can be 

>>"regular" or "unix_stream".
>> Could I set up a named pipe with mkfifo before running Suricata and set the "filename" in this 

>> section to that FIFO named pipe?>> Or is Suricata going to create the pipe?
>> Has anyone already set up something similar?>
> Something like https://github.com/regit/DOM may be useful.

I tried a different approach.

I set the following in suricata.yaml.

- fast:
enabled: yes
filename: fast.log
append: yes
filetype: unix_dgram

I then set a unix socket before launching Suricata. I just used a simple bash script and ran the socat command-line utility.

socat UNIX-RECVFROM:/var/log/suricata/fast.log,fork STDOUT | while read -r e; do
    echo "DEBUG: $e"

I can then do the same for the "drop" log file and I can extract and add the host IP addresses from within the BASH while loop to an ipset.



More information about the Oisf-users mailing list