Manually block IP in snort
-
I've got Snort running in alert-only mode, and while I'm learning how to use it I want to be able to watch the logs and manually select IPs to block. Is there a way to do it?
Alternatively, is there a way to set up blocking so that I can get it to only block on certain rules?
At the moment I know that certain types of traffic coming into my network must be malicious, for example RDP or MySQL, so I want to block those straight off, but I've just spent some time investigating one alert that turned out to be a false positive. If I'd had blocking mode on, I'd have broken an app and probably confused myself for at least a few days.
-
Uhm, no. It's either blocking or not blocking. Setting an alert (blocking) rule in non-blocking mode won't block anything. You can block it in your firewall, but things like RDP/MySQL would not normally be wide open :o So dunno what'd be the goal here; it should have been already blocked by the firewall anyway without setting up anything, you are seeing just an alert from the copy of the packet…
As for syntax, this should give you a pretty good clue:
https://rules.emergingthreats.net/open/suricata/rules/compromised.rules
-
It would be nice if there was a way to send an IP through to the firewall to be blocked directly from the Snort interface.
The reason I was thinking of doing it was just to preemptively block IPs that I consider bad. Anything trying to access RDP on my firewall is "attacking" me in some way, so if I were to block them when I saw the RDP connections, which wouldn't achieve anything, it may save me when they switch to SSH, which is open and could cause problems.
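Both halves of the thread, blocking only on certain rules (first post) and handing a source IP from Snort's alert log to the firewall (last post), can be done outside Snort by reading its alert-only output and deciding per alert. The script below is an added example, not code from the thread or from Snort; it assumes Snort's alert_fast log line format, uses hypothetical local rule SIDs (1000001, 1000002), constructed sample alert lines, and an RFC 1918 "never block" list, and it only prints iptables commands for the operator to review rather than running them, which keeps a false positive from breaking anything.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Snort alert_fast format (assumed), one alert per line, e.g.:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Policy: block only on these rules / destination services, never on internal sources.
BLOCK_SIDS: Set[int] = {1000001, 1000002}          # hypothetical local SIDs for RDP / MySQL probes
BLOCK_DPORTS: Set[int] = {3389, 3306}              # RDP and MySQL, treated as always-malicious inbound
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    dport = m.group("dport")
    return Alert(
        sid=int(m.group("sid")),
        msg=m.group("msg"),
        proto=m.group("proto"),
        src=m.group("src"),
        dst=m.group("dst"),
        dport=int(dport) if dport else None,
    )


def should_block(alert: Alert) -> bool:
    """Block when the alert matches a chosen SID or a chosen service, unless the source is internal."""
    src = ipaddress.ip_address(alert.src)
    if any(src in net for net in NEVER_BLOCK):
        return False
    return alert.sid in BLOCK_SIDS or alert.dport in BLOCK_DPORTS


def select_block_ips(lines: Iterable[str]) -> List[str]:
    """Return the sorted, de-duplicated source IPs the policy selects from a batch of log lines."""
    ips = {a.src for a in map(parse_fast_alert, lines) if a is not None and should_block(a)}
    return sorted(ips, key=ipaddress.ip_address)


def firewall_commands(ips: Iterable[str]) -> List[str]:
    """Render one iptables DROP rule per IP; returned as text so an operator can review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


# Constructed sample log lines (not real traffic); TEST-NET addresses only.
SAMPLE_ALERTS = [
    "01/15-12:34:56.123456  [**] [1:1000001:1] LOCAL RDP connection attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:3389",
    "01/15-12:35:01.000001  [**] [1:1000002:1] LOCAL MySQL connection attempt [**] "
    "[Priority: 2] {TCP} 198.51.100.7:50001 -> 192.0.2.10:3306",
    "01/15-12:35:07.500000  [**] [1:2000001:3] LOCAL TLS anomaly (alert only) [**] "
    "[Priority: 3] {TCP} 203.0.113.9:51000 -> 192.0.2.10:443",
    "01/15-12:35:09.000000  [**] [1:1000001:1] LOCAL RDP connection attempt [**] "
    "[Priority: 1] {TCP} 192.168.1.20:40000 -> 192.0.2.10:3389",
    "this line is not an alert and must be ignored",
    "01/15-12:36:00.000000  [**] [1:2000002:1] LOCAL SSH login attempt [**] "
    "[Priority: 2] {TCP} 203.0.113.5:44400 -> 192.0.2.10:22",
]

if __name__ == "__main__":
    for cmd in firewall_commands(select_block_ips(SAMPLE_ALERTS)):
        print(cmd)
```

The last sample line is the case the last post describes: the SSH attempt from 203.0.113.5 is not itself a blocking rule, but that source was already selected from its earlier RDP probe, so the rendered DROP rule covers it. Internal sources and unknown lines are skipped, and nothing is applied until someone runs the printed commands.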