[Oisf-users] fail2ban integration

Marios Spinthiras m at spinthiras.com
Sat May 4 11:15:05 UTC 2019

Hello Suricata users,

I've had a number of deployments recently which restricted the use of 
NFQUEUE for IPS. I did however want IPS capabilities but didn't want to 
change from AF_PACKET.

To overcome this hurdle and gain the IPS capability of blocking 
offenders but still running in AF_PACKET, I implemented a fail2ban 
integration. The integration watches Suricata's fast.log for events with 
a priority from 0 to 2 and blocks them accordingly using whatever option 
set in fail2ban's configuration.

You can get it here: https://github.com/mspinthiras/fail2ban-suricata

This has been a huge help for my Suricata running hosts. Hope it helps 
you too.

M Spinthiras

More information about the Oisf-users mailing list