[Oisf-users] Suricata IPS with named - Please suggest use case
Leonard Jacobs
ljacobs at netsecuris.com
Thu Dec 28 15:10:53 UTC 2017
The other way to do this is with af-packet mode. You don't need iptables then. The action on signature determines whether it is performing IDS or IPS mode.
Leonard
From: Blason R <blason16 at gmail.com>
To: Amar Rathore - CounterSnipe Systems <amar at countersnipe.com>
Cc: <oisf-users at lists.openinfosecfoundation.org>
Sent: 12/28/2017 9:06 AM
Subject: Re: [Oisf-users] Suricata IPS with named - Please suggest use case
Thanks for the idea, I need to work this out. Any reference document would be really appreciated.
On Wed, Dec 27, 2017 at 8:07 PM, Amar Rathore - CounterSnipe Systems <amar at countersnipe.com> wrote:
You can certainly do that.
Set up Suricata to do IPS, not IDS, with NFQ, and use iptables to push all/selective eth0/INPUT traffic to Suricata.
You can then use any rules and set action to drop on them as required.
Amar
On December 23, 2017 at 2:49 PM Blason R <blason16 at gmail.com> wrote:
Hi Guys,
Can someone please help me with this idea? I have a DNS server set up on CentOS 7.4 which is acting as a sinkhole server, where I have installed the ELK stack as well.
Since this named/bind is acting as a sinkhole, it is already blocking known malicious domains collected from OSINT.
My idea here is: is it possible to integrate/install Suricata IPS on the same server and monitor on eth0? And since that is a DNS server, can I block the response IP addresses received which may be malicious?
For example:
www.looks-genuine.com = Domain may not be listed in the blacklist
15.16.1.18 ==> But the IP is malicious, hence either block it or alert on it
Plus detect advanced DNS attacks, like iodine or DNS beacon channel queries?
Please suggest; can this be achieved?
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
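As an added illustration of the two replies above (not code from the thread or from the Suricata project): a small generator for the drop rules that would block a known-bad IP when it appears in a DNS answer, or when a host talks to it directly, plus the iptables lines that hand traffic to Suricata's NFQUEUE in NFQ mode (not needed with af-packet). The sid range, the queue number and the IP 15.16.1.18 from the question are placeholders; matching the answer on raw payload bytes is a coarse approximation and assumes a plain A record with RDLENGTH 4.

```python
"""Added example for the sinkhole + Suricata IPS use case discussed in the thread.
Constructed placeholders: sid range, queue number, the sample IP 15.16.1.18."""
import ipaddress


def ip_hex(ip: str) -> str:
    """IPv4 dotted-quad -> Suricata hex content notation, e.g. '0f 10 01 12'."""
    return " ".join(f"{b:02x}" for b in ipaddress.IPv4Address(ip).packed)


def build_drop_rules(bad_ips, start_sid=9000001):
    """Return two rules per IP. The first drops a DNS response whose A record
    rdata carries the bad IP: match TYPE=A CLASS=IN (00 01 00 01), skip the
    4-byte TTL with distance:4, then require RDLENGTH=4 followed by the address
    bytes. The second drops any direct traffic to that IP. The 'drop' action is
    what makes these IPS rules rather than IDS alerts, as the reply above notes."""
    rules = []
    sid = start_sid
    for ip in bad_ips:
        rules.append(
            f'drop udp any 53 -> any any (msg:"Sinkhole: DNS answer resolves to {ip}"; '
            f'content:"|00 01 00 01|"; content:"|00 04 {ip_hex(ip)}|"; distance:4; within:10; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
        rules.append(
            f'drop ip any any -> {ip} any (msg:"Sinkhole: traffic to known-bad IP {ip}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


def nfq_iptables(queue=0):
    """iptables lines that send INPUT and OUTPUT traffic to Suricata's NFQUEUE;
    Suricata is then started with '-q <queue>'. Not needed in af-packet mode."""
    return [
        f"iptables -I INPUT -j NFQUEUE --queue-num {queue}",
        f"iptables -I OUTPUT -j NFQUEUE --queue-num {queue}",
    ]


if __name__ == "__main__":
    for line in build_drop_rules(["15.16.1.18"]) + nfq_iptables():
        print(line)
```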