[Oisf-users] Suricata IPS with named - Please suggest use case

Amar Rathore - CounterSnipe Systems amar at countersnipe.com
Wed Dec 27 14:37:42 UTC 2017

You can certainly do that.

Setup Suricata to do IPS not  IDS, with NFQ and use iptables to push all/selective eth0/INPUT traffic to Suricata.

You can then use any rules and set action to drop on them as required.


> On December 23, 2017 at 2:49 PM Blason R <blason16 at gmail.com> wrote:
>     Hi Guys,
>     Can someone please help me with this idea? I have DNS server set up on CentOS 7.4 which is acting as a sinkhole server where I have installed ELK stack as well. 
>     Since this named/bind is acting as a sinkhole it is already blocking malicious known domains collected from OSINT.
>     My idea here is; if it is possible to integrate/install suricata IPS on same server and monitor on eth0? And since that is a DNS server can I block the response IP addresses received which may be malicious.
>     for example
>     http://www.looks-genuine.com
>     = Domain may not be listed in blacklist
> ==> But IP is malicious hence either block it or alert it
>     Plus detect the advance level of DNS attacks? like iodine, DNS beacon channels queries? 
>     Please suggest; can this be achieved? 
>     _______________________________________________
>     Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>     Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     Conference: https://suricon.net
>     Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171227/e7d83880/attachment-0002.html>

More information about the Oisf-users mailing list