[Oisf-users] fail2ban integration
Marios Spinthiras
m at spinthiras.com
Sat May 4 11:15:05 UTC 2019
Hello Suricata users,
I've had a number of deployments recently which restricted the use of
NFQUEUE for IPS. I did however want IPS capabilities but didn't want to
change from AF_PACKET.
To overcome this hurdle and gain the IPS capability of blocking
offenders but still running in AF_PACKET, I implemented a fail2ban
integration. The integration watches Suricata's fast.log for events with
a priority from 0 to 2 and blocks them accordingly using whatever option
is set in fail2ban's configuration.
You can get it here: https://github.com/mspinthiras/fail2ban-suricata
This has been a huge help for my Suricata-running hosts. Hope it helps
you too.
M Spinthiras
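
Added illustration, not part of the original message and not code from the linked repository: a Python sketch of the selection step the message describes, picking fast.log alerts with priority 0 to 2 and taking their source address as the ban candidate. The `HOME_NETS` ranges, the function names and the log lines are constructed assumptions; the home-network exclusion is an addition here so that an alert whose source is one of your own hosts never results in a ban.

```python
import ipaddress
import re

# Suricata fast.log layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)\s*$"
)

# Assumption: ranges that must never be banned (the sensor's own networks).
HOME_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]

def split_host(endpoint):
    """Drop the trailing :port; the last colon separates it for IPv4 and IPv6."""
    host, _, _port = endpoint.rpartition(":")
    return ipaddress.ip_address(host or endpoint)

def ban_candidates(lines, max_priority=2):
    """Unique source addresses of alerts with priority <= max_priority."""
    found = []
    for line in lines:
        m = FAST_RE.search(line)
        if not m or int(m["prio"]) > max_priority:
            continue  # unparsable line or low-severity alert
        try:
            src = split_host(m["src"])
        except ValueError:
            continue  # address field was not a valid IP
        if any(src in net for net in HOME_NETS):
            continue  # source is our own host; banning it would cut us off
        if str(src) not in found:
            found.append(str(src))
    return found

# Constructed sample lines in fast.log format (documentation address ranges).
SAMPLE = """\
05/04/2019-11:10:01.000001  [**] [1:1000001:1] CONSTRUCTED scan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:22
05/04/2019-11:10:02.000002  [**] [1:1000002:1] CONSTRUCTED policy note [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:51000 -> 192.0.2.10:80
05/04/2019-11:10:03.000003  [**] [1:1000003:1] CONSTRUCTED outbound callback [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49152 -> 203.0.113.99:443
05/04/2019-11:10:04.000004  [**] [1:1000004:1] CONSTRUCTED v6 exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 2001:db8:ffff::5:55000 -> 2001:db8:1::10:443
truncated line without fields
""".splitlines()

if __name__ == "__main__":
    print(ban_candidates(SAMPLE))
```

In a fail2ban deployment the equivalent of `HOME_NETS` is the `ignoreip` setting of the jail.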