Suricata INLINE mode ban IP after X attempt
-
> @bmeeks said in Suricata INLINE mode ban IP after X attempt:
> > @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > > Can it be added like Snort had in the old days??
> > I never recall such a feature being in Snort (at least not on pfSense). How far back are you talking about?
Interface settings -> Alert Settings -> Change it to Legacy Mode
-
> @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > @bmeeks said in Suricata INLINE mode ban IP after X attempt:
> > > @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > > > Can it be added like Snort had in the old days??
> > > I never recall such a feature being in Snort (at least not on pfSense). How far back are you talking about?
> > Interface settings -> Alert Settings -> Change it to Legacy Mode
I'm confused. What does Legacy Mode blocking have to do with banning an IP after a given number of attempts? You said in your question --
> Can it be added like Snort had in the old days??
So I thought you were referring to Snort having had the ability to do something like fail2ban in the past. It has never been capable of that (at least not since I've been maintaining the package).
-
@bmeeks I was wrong mate :)
-
> @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > @bmeeks I was wrong mate :)
No problem. Just confused me for a bit with the question.
-
Yeah. Could it be done in INLINE mode as well??
-
> @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > Yeah. Could it be done in INLINE mode as well??
No, keeping count of how many times a given IP has triggered a given rule is not possible in the current code for either mode of operation (inline IPS or Legacy Blocking). It just happens that Legacy Blocking sort of accomplishes that by blocking an IP completely the first time it triggers any ALERT rule.
-
> @bmeeks said in Suricata INLINE mode ban IP after X attempt:
> > @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > > Yeah. Could it be done in INLINE mode as well??
> > No, keeping count of how many times a given IP has triggered a given rule is not possible in the current code for either mode of operation (inline IPS or Legacy Blocking). It just happens that Legacy Blocking sort of accomplishes that by blocking an IP completely the first time it triggers any ALERT rule.
Could that feature be ported to INLINE mode?
-
> @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > @bmeeks said in Suricata INLINE mode ban IP after X attempt:
> > > @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > > > Yeah. Could it be done in INLINE mode as well??
> > > No, keeping count of how many times a given IP has triggered a given rule is not possible in the current code for either mode of operation (inline IPS or Legacy Blocking). It just happens that Legacy Blocking sort of accomplishes that by blocking an IP completely the first time it triggers any ALERT rule.
> > Could that feature be ported to INLINE mode?
Could what feature be "ported"? There is no such feature available with either mode, so there is nothing to "port" to Inline Mode.
I was simply stating that because of how Legacy Mode blocking works (by stuffing the IP address from an alert into the snort2c pf table), a single alert by an IP is sufficient to get that IP totally banned. If I make Inline IPS mode do that, then it is no longer Inline IPS mode because you could not selectively block only certain types of traffic from an IP. It would be all or nothing.
-
> @bmeeks said in Suricata INLINE mode ban IP after X attempt:
> > @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > > @bmeeks said in Suricata INLINE mode ban IP after X attempt:
> > > > @Cool_Corona said in Suricata INLINE mode ban IP after X attempt:
> > > > > Yeah. Could it be done in INLINE mode as well??
> > > > No, keeping count of how many times a given IP has triggered a given rule is not possible in the current code for either mode of operation (inline IPS or Legacy Blocking). It just happens that Legacy Blocking sort of accomplishes that by blocking an IP completely the first time it triggers any ALERT rule.
> > > Could that feature be ported to INLINE mode?
> > Could what feature be "ported"? There is no such feature available with either mode, so there is nothing to "port" to Inline Mode.
> > I was simply stating that because of how Legacy Mode blocking works (by stuffing the IP address from an alert into the snort2c pf table), a single alert by an IP is sufficient to get that IP totally banned. If I make Inline IPS mode do that, then it is no longer Inline IPS mode because you could not selectively block only certain types of traffic from an IP. It would be all or nothing.
That would be really nice.
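The thread asks for a "ban after X attempts" counter and bmeeks explains that Legacy Mode blocking works by putting an alerting IP into the snort2c pf table. To make concrete what such a fail2ban-style helper would have to do outside the package, here is an added example that is not code from the pfSense Suricata package or from anyone in this thread. It parses constructed Suricata fast.log lines, counts alerts per source IP inside a sliding time window, and builds the `pfctl -t snort2c -T add` commands an operator would review before applying. The log lines, the threshold of 3 alerts in 10 minutes, and the choice to only print the commands (never run them) are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a Suricata fast.log line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Ports are optional so ICMP lines (no ports) parse as well.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log (documentation address ranges, placeholder SID 9000001).
# Lines are chronological, as fast.log is written; the last line is deliberately malformed.
SAMPLE_FAST_LOG = [
    "02/14/2024-10:00:01.000123  [**] [1:9000001:1] CONSTRUCTED SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22",
    "02/14/2024-10:00:15.004567  [**] [1:9000001:1] CONSTRUCTED SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51235 -> 192.0.2.10:22",
    "02/14/2024-10:00:40.008901  [**] [1:9000001:1] CONSTRUCTED SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51236 -> 192.0.2.10:22",
    "02/14/2024-10:01:00.000000  [**] [1:9000002:1] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "02/14/2024-10:03:00.000000  [**] [1:9000001:1] CONSTRUCTED SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51240 -> 192.0.2.10:22",
    "02/14/2024-10:05:00.000000  [**] [1:9000003:1] CONSTRUCTED DNS anomaly [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.23:40000 -> 192.0.2.53:53",
    "02/14/2024-10:25:00.000000  [**] [1:9000002:1] CONSTRUCTED ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:1234 -> 192.0.2.10:80",
    "not a fast.log line",
]


def parse_fast_log_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    return ev


def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {src_ip: peak_count} for every source that produced at least
    `threshold` alerts inside any `window`-long span of the log.

    A deque per source keeps only the timestamps still inside the window, so
    the count is a sliding window rather than a lifetime total. Lines are
    assumed to arrive in chronological order, as Suricata writes them."""
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        ev = parse_fast_log_line(line)
        if ev is None:
            continue  # skip anything that is not an alert line
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop alerts that have aged out of the window
        if len(q) >= threshold:
            hits[ev["src"]] = max(hits.get(ev["src"], 0), len(q))
    return hits


def pfctl_commands(ips, table="snort2c"):
    """Build the pfctl commands that would add each IP to the given pf table.
    Only the command strings are produced; nothing is executed here."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    found = offenders(SAMPLE_FAST_LOG)
    for ip, count in sorted(found.items()):
        print(f"{ip}: {count} alerts within the window")
    for cmd in pfctl_commands(found):
        print(cmd)
```

Note that an IP added to snort2c this way is subject to the same all-or-nothing effect bmeeks describes for Legacy Mode: every packet from that source is dropped by pf, regardless of which rule alerted, so the threshold and window should be chosen with that in mind and the commands reviewed before they are applied.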