[Oisf-users] deciding what to drop in suricata IPS
Vieri
rentorbuy at yahoo.com
Thu Dec 15 09:39:52 UTC 2016
----- Original Message -----
> From: Victor Julien <lists at inliniac.net>
> To: oisf-users at lists.openinfosecfoundation.org
> Sent: Wednesday, December 14, 2016 12:44 PM
> Subject: Re: [Oisf-users] deciding what to drop in suricata IPS
>
> On 14-12-16 10:53, Vieri wrote:
>>
>> I'm still trying to find out how to trigger custom scripts ONLY when a "drop" action occurs.
>> The goal is simple: whenever Suricata wants to "drop" a packet, run a custom script that inserts the
>> "srcip" into a Linux ipset.
>>
>> In suricata.yaml I can see that there's a section "Outputs: - drop:" and that the "filetype" can be
>> "regular" or "unix_stream".
>> Could I set up a named pipe with mkfifo before running Suricata and set the "filename" in this
>> section to that FIFO named pipe? Or is Suricata going to create the pipe?
>> Has anyone already set up something similar?
>
> Something like https://github.com/regit/DOM may be useful.
I tried a different approach.
I set the following in suricata.yaml.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      filetype: unix_dgram
I then set up a unix socket before launching Suricata. I just used a simple bash script and ran the socat command-line utility.
socat UNIX-RECVFROM:/var/log/suricata/fast.log,fork STDOUT | while read -r e; do
    echo "DEBUG: $e"
done
I can then do the same for the "drop" log file, extract the host IP addresses from within the BASH while loop, and add them to an ipset.
Thanks,
Vieri
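An added example (not Vieri's script, and not code from the Suricata or DOM projects): a Python listener that owns the unix_dgram socket in place of socat, parses each fast.log line for the [Drop] tag and its source address, and adds that address to an ipset. The sample lines, the set name, the local ranges it refuses to ban and the ipset timeout are assumptions.

```python
import ipaddress
import os
import re
import socket
import subprocess

# Constructed fast.log sample lines (rule ids/messages are placeholders); only the [Drop] line should ban.
SAMPLE_LINES = [
    "12/14/2016-10:53:00.123456  [**] [1:1000001:1] TEST alert only [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:40001 -> 203.0.113.10:80",
    "12/14/2016-10:53:01.654321  [Drop] [**] [1:1000002:1] TEST dropped flow [**] "
    "[Classification: Misc activity] [Priority: 2] {TCP} 198.51.100.8:40002 -> 203.0.113.10:443",
]
# "{PROTO} <src>[:port] -> <dst>[:port]" at line end; the port is matched apart
# from the address so IPv6 sources, which themselves contain ':', parse too.
FLOW_RE = re.compile(r"\{\w+\}\s+(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?\s*$")

# Assumed local ranges never to ban: an alert on a reply packet lists our own host as srcip.
SKIP_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def drop_srcip(line):
    """Source IP of a [Drop] line; None if not a drop, unparseable, or in SKIP_NETS."""
    if "[Drop]" not in line:
        return None
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if any(src in net for net in SKIP_NETS):
        return None
    return str(src)

def ipset_add(setname, ip, timeout=3600):
    """Add ip to an existing set created with the timeout option; -exist makes a repeat add a no-op."""
    subprocess.run(["ipset", "add", "-exist", setname, ip, "timeout", str(timeout)], check=True)

def serve(path, setname):
    """Own the unix_dgram socket Suricata writes to (replaces socat) and ban each dropped source."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    while True:
        for line in sock.recv(65536).decode("utf-8", "replace").splitlines():
            ip = drop_srcip(line)
            if ip:
                ipset_add(setname, ip)
```

Start it as serve('/var/log/suricata/fast.log', 'suricata_drop') before launching Suricata, after creating the set with ipset create suricata_drop hash:ip timeout 3600.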