[Oisf-users] IPS alternatives to Snort's guardian?

Eric Leblond eric at regit.org
Wed Jan 27 21:54:55 UTC 2016


Hi,

On Wed, 2016-01-27 at 22:46 +0100, Andreas Herz wrote:
> Please try to reply also to the mailinglist, thanks.
> 
> On 27/01/16 at 21:38, John Devine wrote:
> > Thanks I will look into it. I am looking specifically for something
> > that can work in tandem with Suricata which will create iptables
> > firewall rules based on alerts that Suricata generates. Guardian is a
> > perl script which creates iptables drop rules based on Snort alerts
> > but does not have functionality to manually unblock things that were
> > blocked through the alerts generated.
> 
> Well you could also look into the unix-socket feature to gather that
> information and then trigger ipset (which is something on my todo
> list).
> But it looks like guardian just parses logfiles, which isn't that hard.
> So you could build that logic and just have some iptables rule for a
> blacklist set and when parsing the rules call ipset add blacklist $IP
> timeout X.

I've started to code something to trigger ipset/nftables modification
when I see some bad SSH clients:
 https://github.com/regit/DOM

The code is really easy and could be extended to other methods like
selecting based on alert.

BR,

> > 
> > ________________________________________
> > From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Andreas Herz <andi at geekosphere.org>
> > Sent: Wednesday, January 27, 2016 4:16 PM
> > To: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?
> > 
> > On 27/01/16 at 20:10, John Devine wrote:
> > > Hi all,
> > > 
> > > Currently I run snort as an IDS and guardian as an IPS. I am
> > > looking for alternatives to guardian for IPS software because
> > > guardian does not allow me to manually unblock specific IP addresses
> > > or change the duration of which something is blocked without some
> > > hassle or custom scripts. I have been messing around with Suricata
> > > and have successfully got it running both in IDS and IPS mode and
> > > alerting successfully. Right now I want to run Suricata as an IDS
> > > and have some other open source software to run as my IPS. Are there
> > > any decent alternatives to guardian.pl which allow me to manually
> > > unblock specific IP addresses and change the length of time in which
> > > something is blocked? I am looking for a good IPS 'companion' to run
> > > in tandem with Suricata.
> > 
> > I'm not familiar with guardian. Since you seem to use debian, you
> > might want to look into ipset which would help you adding IPs to a
> > blacklist for a defined period of time.
> > 
> > > Thanks in advance
> > 
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
> > 
> > 
> > -- 
> > Andreas Herz
> 
-- 
Eric Leblond <eric at regit.org>
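The "parse the alert log and call ipset add blacklist $IP timeout X" approach suggested above, sketched as an added example. This is not code from DOM, guardian or the Suricata project; it reads Suricata EVE JSON alert records (the `eve.json` format, with `event_type`, `src_ip` and `alert.severity` fields as Suricata emits them), skips anything in an operator-defined allowlist so that a bad rule cannot lock the sensor out of its own networks, and builds the `ipset`/`iptables` command lines. The set name `blacklist`, the timeout values, the allowlist contents and the sample log lines are all made up for the example; the script runs in dry-run mode by default and only prints the commands.

```python
"""Turn Suricata EVE JSON alerts into ipset block/unblock commands.

Added example (not from DOM, guardian or Suricata). Everything below
except the EVE field names is an assumption chosen for illustration.
"""
import ipaddress
import json
import shlex
import subprocess
from typing import Iterable, List

# Constructed sample eve.json lines (not real traffic). Only "alert"
# events matter; the flow record and the broken line must be ignored.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-01-27T21:00:01.000000+0100","event_type":"alert",'
    '"src_ip":"203.0.113.10","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2016-01-27T21:00:02.000000+0100","event_type":"flow",'
    '"src_ip":"203.0.113.11","dest_ip":"198.51.100.5"}',
    '{"timestamp":"2016-01-27T21:00:03.000000+0100","event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2016-01-27T21:00:04.000000+0100","event_type":"alert",'
    '"src_ip":"203.0.113.10","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2016-01-27T21:00:05.000000+0100","event_type":"alert",'
    '"src_ip":"192.0.2.44","dest_ip":"198.51.100.5","proto":"TCP",'
    '"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":3}}',
    'this line is not json',
]

# Networks that must never be blocked (assumed: RFC1918 + loopback).
# Without this a single noisy signature can cut off your own management path.
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SETNAME = "blacklist"          # assumed ipset name
DEFAULT_TIMEOUT = 3600         # seconds an entry lives unless refreshed


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def offending_ips(lines: Iterable[str], max_severity: int = 2) -> List[str]:
    """Unique source IPs of alert events whose severity is <= max_severity.

    Suricata severity 1 is the highest, so max_severity=2 means "high and medium".
    Non-JSON lines, non-alert events and allowlisted sources are skipped.
    """
    seen: List[str] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                       # truncated or corrupt log line
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("severity", 3) > max_severity:
            continue
        ip = ev.get("src_ip")
        if not ip or is_allowlisted(ip) or ip in seen:
            continue
        seen.append(ip)
    return seen


def setup_commands(setname: str = SETNAME, timeout: int = DEFAULT_TIMEOUT) -> List[str]:
    """One-time setup: a hash:ip set with a default timeout and a DROP rule on it."""
    return [
        f"ipset create {setname} hash:ip timeout {timeout} -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]


def block_commands(ips: Iterable[str], setname: str = SETNAME,
                   timeout: int = DEFAULT_TIMEOUT) -> List[str]:
    # -exist makes a repeated add refresh the timeout instead of failing.
    return [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in ips]


def unblock_command(ip: str, setname: str = SETNAME) -> str:
    """Manual unblock, the operation guardian was missing."""
    return f"ipset del {setname} {ip}"


def run(commands: Iterable[str], dry_run: bool = True) -> None:
    for cmd in commands:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    run(setup_commands())
    run(block_commands(offending_ips(SAMPLE_EVE_LINES), timeout=600))
    run([unblock_command("203.0.113.10")])
```

To run it for real, feed it `tail -F /var/log/suricata/eve.json` instead of the sample list and pass `dry_run=False`. Changing the block duration is then just a different `timeout` argument, and unblocking an address early is an `ipset del`, which is the manual control the original question asked for. In IPS (NFQUEUE) mode the DROP rule must sit before the NFQUEUE rule in the chain or the packets still reach Suricata.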