[Oisf-users] Suricata IPS with named - Please suggest use case

Blason R blason16 at gmail.com
Thu Dec 28 15:06:35 UTC 2017

Thanks for idea need to work out on this. Any reference document would
really appreciate.

On Wed, Dec 27, 2017 at 8:07 PM, Amar Rathore - CounterSnipe Systems <
amar at countersnipe.com> wrote:

> You can certainly do that.
> Setup Suricata to do IPS not  IDS, with NFQ and use iptables to push
> all/selective eth0/INPUT traffic to Suricata.
> You can then use any rules and set action to drop on them as required.
> Amar
> On December 23, 2017 at 2:49 PM Blason R <blason16 at gmail.com> wrote:
> Hi Guys,
> Can someone please help me with this idea? I have DNS server set up on
> CentOS 7.4 which is acting as a sinkhole server where I have installed ELK
> stack as well.
> Since this named/bind is acting as a sinkhole it is already blocking
> malicious known domains collected from OSINT.
> My idea here is; if it is possible to integrate/install suricata IPS on
> same server and monitor on eth0? And since that is a DNS server can I block
> the response IP addresses received which may be malicious.
> for example
> www.looks-genuine.com = Domain may not be listed in blacklist
> ==> But IP is malicious hence either block it or alert it
> Plus detect the advance level of DNS attacks? like iodine, DNS beacon
> channels queries?
> Please suggest; can this be achieved?
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171228/b3b80e6d/attachment-0002.html>

More information about the Oisf-users mailing list