[Oisf-users] Suricata IPS with named - Please suggest use case
Blason R
blason16 at gmail.com
Thu Dec 28 15:06:35 UTC 2017
Thanks for idea need to work out on this. Any reference document would
really appreciate.
On Wed, Dec 27, 2017 at 8:07 PM, Amar Rathore - CounterSnipe Systems <
amar at countersnipe.com> wrote:
> You can certainly do that.
>
> Setup Suricata to do IPS not IDS, with NFQ and use iptables to push
> all/selective eth0/INPUT traffic to Suricata.
>
> You can then use any rules and set action to drop on them as required.
>
> Amar
>
>
> On December 23, 2017 at 2:49 PM Blason R <blason16 at gmail.com> wrote:
>
> Hi Guys,
>
> Can someone please help me with this idea? I have DNS server set up on
> CentOS 7.4 which is acting as a sinkhole server where I have installed ELK
> stack as well.
>
> Since this named/bind is acting as a sinkhole it is already blocking
> malicious known domains collected from OSINT.
>
> My idea here is; if it is possible to integrate/install suricata IPS on
> same server and monitor on eth0? And since that is a DNS server can I block
> the response IP addresses received which may be malicious.
>
> for example
>
> www.looks-genuine.com = Domain may not be listed in blacklist
> 15.16.1.18 ==> But IP is malicious hence either block it or alert it
>
> Plus detect the advance level of DNS attacks? like iodine, DNS beacon
> channels queries?
>
> Please suggest; can this be achieved?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171228/b3b80e6d/attachment-0002.html>
More information about the Oisf-users
mailing list