[Oisf-users] Suricata IPS with named - Please suggest use case
Amar Rathore - CounterSnipe Systems
amar at countersnipe.com
Wed Dec 27 14:37:42 UTC 2017
You can certainly do that.
Setup Suricata to do IPS not IDS, with NFQ and use iptables to push all/selective eth0/INPUT traffic to Suricata.
You can then use any rules and set action to drop on them as required.
Amar
> On December 23, 2017 at 2:49 PM Blason R <blason16 at gmail.com> wrote:
>
> Hi Guys,
>
> Can someone please help me with this idea? I have DNS server set up on CentOS 7.4 which is acting as a sinkhole server where I have installed ELK stack as well.
>
> Since this named/bind is acting as a sinkhole it is already blocking malicious known domains collected from OSINT.
>
> My idea here is; if it is possible to integrate/install suricata IPS on same server and monitor on eth0? And since that is a DNS server can I block the response IP addresses received which may be malicious.
>
> for example
>
> http://www.looks-genuine.com
> = Domain may not be listed in blacklist
> 15.16.1.18 ==> But IP is malicious hence either block it or alert it
>
> Plus detect the advance level of DNS attacks? like iodine, DNS beacon channels queries?
>
> Please suggest; can this be achieved?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171227/e7d83880/attachment-0002.html>
More information about the Oisf-users
mailing list