[Oisf-users] Suricata IPS with named - Please suggest use case

Amar Rathore - CounterSnipe Systems amar at countersnipe.com
Thu Dec 28 19:20:48 UTC 2017


None I can think of specifically for a general setup.

I will be more than happy to help you go through all that you need... perhaps outside of the entire group.

Regards,

Amar

> On December 28, 2017 at 10:06 AM Blason R <blason16 at gmail.com> wrote:
>
> Thanks for the idea; I need to work on this. Any reference document would really be appreciated.
>
> On Wed, Dec 27, 2017 at 8:07 PM, Amar Rathore - CounterSnipe Systems <amar at countersnipe.com> wrote:
>
> > You can certainly do that.
> >
> > Set up Suricata to do IPS, not IDS, with NFQ, and use iptables to push all/selective eth0/INPUT traffic to Suricata.
> >
> > You can then use any rules and set the action to drop on them as required.
> >
> > Amar
> >
> > > On December 23, 2017 at 2:49 PM Blason R <blason16 at gmail.com> wrote:
> > >
> > > Hi Guys,
> > >
> > > Can someone please help me with this idea? I have a DNS server set up on CentOS 7.4 which is acting as a sinkhole server, where I have installed the ELK stack as well.
> > >
> > > Since this named/bind is acting as a sinkhole, it is already blocking known malicious domains collected from OSINT.
> > >
> > > My idea here is: is it possible to integrate/install Suricata IPS on the same server and monitor on eth0? And since that is a DNS server, can I block the response IP addresses received which may be malicious?
> > >
> > > For example:
> > >
> > > www.looks-genuine.com = Domain may not be listed in blacklist
> > > 15.16.1.18 ==> But IP is malicious, hence either block it or alert on it
> > >
> > > Plus, detect advanced DNS attacks like iodine or DNS beacon channel queries?
> > >
> > > Please suggest; can this be achieved?
> > >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
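The NFQ/iptables setup Amar describes, as an added example that is not part of the thread and not Suricata's or CounterSnipe's own code. It assumes named runs on the same host (so DNS traffic crosses INPUT/OUTPUT rather than FORWARD), interface eth0, NFQUEUE number 0, and Suricata started in inline mode with `suricata -q 0 -c /etc/suricata/suricata.yaml`. The blocklist, IPs and SIDs are constructed for the demo; the `15.16.1.18` address is the one from the question.

```shell
#!/bin/sh
# Added example: divert DNS traffic on a sinkhole DNS server to Suricata IPS via
# NFQUEUE and turn a list of known-bad IPs into Suricata drop rules.
# Assumed environment: eth0, queue 0, Suricata running with `-q 0`.

IFACE="${IFACE:-eth0}"
QUEUE="${QUEUE:-0}"

# Print the iptables commands that push DNS traffic on $IFACE into NFQUEUE.
# named is local, so hook INPUT (client queries) and OUTPUT (responses).
# --queue-bypass makes the rules fail-open: if Suricata is not attached to the
# queue, DNS keeps working instead of blackholing every resolver client.
nfq_rules() {
    for proto in udp tcp; do
        echo "iptables -I INPUT  -i $IFACE -p $proto --dport 53 -j NFQUEUE --queue-num $QUEUE --queue-bypass"
        echo "iptables -I OUTPUT -o $IFACE -p $proto --sport 53 -j NFQUEUE --queue-num $QUEUE --queue-bypass"
    done
}

# Return 0 if $1 is a dotted-quad IPv4 address (pure sh, no external tools).
is_ipv4() {
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Build one Suricata drop rule for a malicious IP, any protocol, any direction.
# Usage: make_drop_rule <ip> <sid>
make_drop_rule() {
    ip="$1"; sid="$2"
    printf 'drop ip %s any <> any any (msg:"Sinkhole: traffic with known-bad IP %s"; sid:%s; rev:1;)\n' "$ip" "$ip" "$sid"
}

# Convert a blocklist (one IPv4 per line, '#' comments allowed) into a rules
# file with sequential SIDs starting at $3. Invalid lines are skipped so a
# typo in the list cannot make Suricata refuse to load the whole file.
# Prints the number of rules written.
build_rules_file() {
    list="$1"; out="$2"; sid="$3"; n=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        is_ipv4 "$line" || continue
        make_drop_rule "$line" "$sid" >> "$out"
        sid=$((sid + 1)); n=$((n + 1))
    done < "$list"
    echo "$n"
}

# Demo on a constructed blocklist (not a real IoC feed).
demo_list=$(mktemp); demo_rules=$(mktemp)
printf '# constructed blocklist\n15.16.1.18\nnot-an-ip\n198.51.100.7\n' > "$demo_list"
echo "# iptables commands to run as root:"
nfq_rules
echo "# $(build_rules_file "$demo_list" "$demo_rules" 9000001) rule(s) written to $demo_rules:"
cat "$demo_rules"
rm -f "$demo_list" "$demo_rules"
```

Copy the generated rules file into Suricata's rule directory, reference it under `rule-files:` in suricata.yaml, and run `suricata -T -c /etc/suricata/suricata.yaml` to confirm the rules parse before attaching Suricata to the queue. Because the rule matches the bad IP in any direction, it catches both the sinkhole's own lookups toward that address and any client that tries to reach it through the box; change `drop` to `alert` while validating the list against real traffic so a false positive in the feed does not silently break resolution.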