    Suricata INLINE mode ban IP after X attempt

    16 Posts 3 Posters 1.3k Views
    • Le_Bleu

      Hi,
      I'm currently using Suricata in INLINE mode, packets are effectively being dropped (highlighted in red).
      With this mode an attacker can try as many times as he wants.
      Is it possible to block/ban the IP of an attacker who tries multiple times?
      Example: ban IP after 3 drops from the same source.

      • bmeeks @Le_Bleu

        @Le_Bleu said in Suricata INLINE mode ban IP after X attempt:

        Hi,
        I'm currently using Suricata in INLINE mode, packets are effectively being dropped (highlighted in red).
        With this mode an attacker can try as many times as he wants.
        Is it possible to block/ban the IP of an attacker who tries multiple times?
        Example: ban IP after 3 drops from the same source.

        No, that capability does not exist in the package.

        • Cool_Corona

          Can it be added like Snort had in the old days??

          • bmeeks @Cool_Corona

            @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:

            Can it be added like Snort had in the old days??

            I never recall such a feature being in Snort (at least not on pfSense). How far back are you talking about?

            • Le_Bleu @bmeeks

              @bmeeks thanks for your answer

              Is inline really better than legacy?
              With legacy, if an attacker tries a known attack he is blocked; with inline he can continue, with the risk of succeeding with an unknown attack.

              • bmeeks @Le_Bleu

                @Le_Bleu said in Suricata INLINE mode ban IP after X attempt:

                @bmeeks thanks for your answer

                Is inline really better than legacy?
                With legacy, if an attacker tries a known attack he is blocked; with inline he can continue, with the risk of succeeding with an unknown attack.

                That depends on the nature of the attack exploit. With Legacy Mode, Suricata is working from copies of the packets traversing the interface. The original packet (or packets in the case of a stream) continues to the firewall while a copy of the packet is handed to Suricata for inspection. So if the attack is some kind of single packet exploit (very rare), then the attack succeeds with Legacy Mode Blocking. Inline IPS Mode stalls the traffic while Suricata inspects it, and then either drops the packet or forwards it to the firewall engine. Either way, the packet is stopped in its tracks until the IDS makes a decision. Not so with Legacy Mode. The original packet made it to the firewall engine before Suricata made its decision. If Suricata's decision is to block, then only subsequent packets from that IP are blocked with Legacy Mode.

                  • Cool_Corona @bmeeks

                    @bmeeks said in Suricata INLINE mode ban IP after X attempt:

                    I never recall such a feature being in Snort (at least not on pfSense). How far back are you talking about?

                    Interface settings -> Alert Settings -> Change it to Legacy Mode

                    • bmeeks @Cool_Corona

                      @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:

                      Interface settings -> Alert Settings -> Change it to Legacy Mode

                      I'm confused. What does Legacy Mode blocking have to do with banning an IP after a given number of attempts? You said in your question --

                      Can it be added like Snort had in the old days??

                      So I thought you were referring to Snort having had the ability to do something like fail2ban in the past. It has never been capable of that (at least not since I've been maintaining the package).

                      • Cool_Corona @bmeeks

                        @bmeeks I was wrong mate :)

                        • bmeeks @Cool_Corona

                          @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:

                          @bmeeks I was wrong mate :)

                          No problem. Just confused me for a bit with the question.

                          • Cool_Corona @bmeeks

                            @bmeeks

                            Yeah. Could it be done in INLINE mode as well??

                            • bmeeks @Cool_Corona

                              @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:

                              @bmeeks

                              Yeah. Could it be done in INLINE mode as well??

                              No, keeping count of how many times a given IP has triggered a given rule is not possible in the current code for either mode of operation (inline IPS or Legacy Blocking). It just happens that Legacy Blocking sort of accomplishes that by blocking an IP completely the first time it triggers any ALERT rule.

                              • Cool_Corona @bmeeks

                                @bmeeks said in Suricata INLINE mode ban IP after X attempt:

                                No, keeping count of how many times a given IP has triggered a given rule is not possible in the current code for either mode of operation (inline IPS or Legacy Blocking). It just happens that Legacy Blocking sort of accomplishes that by blocking an IP completely the first time it triggers any ALERT rule.

                                Could that feature be ported to INLINE mode?

                                • bmeeks @Cool_Corona

                                  @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:

                                  Could that feature be ported to INLINE mode?

                                  Could what feature be "ported"? There is no such feature available with either mode, so there is nothing to "port" to Inline Mode.

                                  I was simply stating that because of how Legacy Mode blocking works (by stuffing the IP address from an alert into the snort2c pf table), that a single alert by an IP is sufficient to get that IP totally banned. If I make Inline IPS mode do that, then it is no longer Inline IPS mode because you could not selectively block only certain types of traffic from an IP. It would be all or nothing.

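The fail2ban-style counting bmeeks says the package does not do, sketched as an added example that is not part of the pfSense Suricata package: it tallies Suricata eve.json `drop` events per source IP inside a sliding window and builds the `pfctl` commands that would put repeat offenders into the `snort2c` table the thread mentions (the table as target, the threshold and the window are assumptions here; the event field names follow Suricata's eve.json format and the sample lines are constructed).

```python
import json
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 3          # drops from one source before it is banned (assumed)
WINDOW_SECONDS = 600   # only drops within the last 10 minutes count (assumed)
PF_TABLE = "snort2c"   # pf table named in the thread; assumed as the target

def drop_source(line):
    """Return (timestamp, src_ip) for an eve.json 'drop' event, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("event_type") != "drop" or "src_ip" not in ev or "timestamp" not in ev:
        return None
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return ts, ev["src_ip"]

def ips_to_ban(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of drops per src_ip; returns IPs at/over threshold."""
    recent = defaultdict(deque)   # src_ip -> timestamps of drops still in window
    banned = set()
    for line in lines:
        parsed = drop_source(line)
        if parsed is None:        # malformed line or not a drop: ignore it
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # forget drops older than the window
        if len(q) >= threshold:
            banned.add(ip)
    return sorted(banned)

def pfctl_commands(ips, table=PF_TABLE):
    """pfctl commands that would add each IP to the pf table (built, not run)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
SAMPLE_EVE = [  # constructed eve.json lines, not real captures
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"drop","src_ip":"198.51.100.7"}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"drop","src_ip":"203.0.113.5"}',
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"drop","src_ip":"198.51.100.7"}',
    '{"timestamp":"2024-05-01T09:30:00.000000+0000","event_type":"drop","src_ip":"192.0.2.9"}',
    '{"timestamp":"2024-05-01T09:45:00.000000+0000","event_type":"drop","src_ip":"192.0.2.9"}',
    '{"timestamp":"2024-05-01T10:00:09.000000+0000","event_type":"drop","src_ip":"198.51.100.7"}',
    '{"timestamp":"2024-05-01T10:00:30.000000+0000","event_type":"drop","src_ip":"192.0.2.9"}',
    'this line is not JSON',
    '{"timestamp":"2024-05-01T10:00:40.000000+0000","event_type":"drop","src_ip":"203.0.113.5"}',
]
```

With the sample input only 198.51.100.7 reaches three drops inside the window; 192.0.2.9 also has three drops but spread over more than ten minutes, so it is not banned unless the window is widened.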
                                  • Cool_Corona @bmeeks

                                    @bmeeks said in Suricata INLINE mode ban IP after X attempt:

                                    Could what feature be "ported"? There is no such feature available with either mode, so there is nothing to "port" to Inline Mode.

                                    I was simply stating that because of how Legacy Mode blocking works (by stuffing the IP address from an alert into the snort2c pf table), that a single alert by an IP is sufficient to get that IP totally banned. If I make Inline IPS mode do that, then it is no longer Inline IPS mode because you could not selectively block only certain types of traffic from an IP. It would be all or nothing.

                                    That would be really nice.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.