how to get IP Attacker into the blocklist

ezvink

I've tried to attack the webserver, and it worked. The alert from the attack was already in Snort/Suricata but the attacker's IP was not included in the blocklist.

even though I have added a passlist with the attacker's IP

Services > Snort > Blocked Hosts

You can try to look here for the host IP

SteveITS

@ezvink If you've added the IP to the passlist then it shouldn't ever be blocked...?

Is "Block Offenders" checked in your Suricata interface settings?

ezvink

@steveits
ohh that passlist is not to add IP to be blocked sir? i see on youtube it works as an IP to be blocked.

yes I checked "Block Offenders"

ezvink

@dobby_
oke sir thankyou, i will try

johnpoz

@ezvink said in how to get IP Attacker into the blocklist:

i see on youtube it works as an IP to be blocked.

What video is this exactly? Its says to put things in the "passlist" to block them?

SteveITS

@ezvink said in how to get IP Attacker into the blocklist:

ohh that passlist is not to add IP to be blocked sir?

There is no “block list” in an IDS program because one can just make a normal firewall rule to block the IP.

The Pass list is to always allow that IP.

ezvink

@steveits
what I mean is like this, sir, when Suricata/snort detects the attacker's IP attack, it automatically enters the block list.

So what I want to ask is, how do I enter the attacker's IP into the blocklist? even though the IP attack was successfully detected but not included in the blocklist, even though the rule I made was also DROP not ALERT

this is a picture of the journal that I read, and the journal does not explain how to get the attacker's IP into the blocklist list.

ezvink

@johnpoz
I saw the video on youtube, sir, who tried to attack using Suricata and added a passlist

SteveITS

@ezvink You aren’t supposed to enter any IPs manually.
Are you using Legacy mode (which adds it automatically) or Inline mode (which doesn’t use the block list, as noted in the screenshot, because the packet is simply dropped)?

ezvink

@steveits
I'm using legacy mode sir, but it doesn't have any effect.

serbus

Hello!

Snort IP rep lists might do what you want.
Check the docs

John

bmeeks

@ezvink said in how to get IP Attacker into the blocklist:

@johnpoz
I saw the video on youtube, sir, who tried to attack using Suricata and added a passlist

I think you completely misunderstood the concept there. A Pass List is used to prevent an IP from being blocked. "Pass" means "to allow", so that means the traffic is not blocked but instead is allowed to pass when the IP is on a Pass List. You would use a Pass List when a rule is triggering for some host (possibly as a false positive), but you do not want that host to be blocked. IP addresses listed on an active Pass List will not be blocked, but they will still show up on the ALERTS tab when the alerting rule triggers.

If you want to block a specific IP, you can always create your own custom rule using the feature on the RULES tab (by selecting "Custom Rules" in the Category drop-down on that tab).

SteveITS

@ezvink Did you happen to click any of the [+] icons on the Alerts tab, to Suppress the alert? If you did then it won't trigger again. You can view that list on the Suppress tab.

ezvink

@bmeeks
I've added a rule with DROP sir to the rules I created in the custom rule, but it's still not in the blockhost tab

ezvink

@steveits
if my attacker's IP has entered the suppress tab, is the IP blocked, sir?

bmeeks

@ezvink said in how to get IP Attacker into the blocklist:

@steveits
if my attacker's IP has entered the suppress tab, is the IP blocked, sir?

No. A suppress list suppresses the alert and therefore any associated block.

SteveITS

@ezvink said in how to get IP Attacker into the blocklist:

if my attacker's IP has entered the suppress tab, is the IP blocked

No.

The suppress list is for alerts that you never want to see again. Meaning, the alert is suppressed. Therefore, never blocked.

If you want to block an attacking IP you don't enter it anywhere. You said you were using Legacy with blocking enabled, so if the attacker triggers an Alert then the IP appears on the Blocks tab.

It sounds like you have created a custom rule. Is the rule being triggered? It is logged on the Alert tab?

ezvink

@steveits
I do not set anything else sir, I just leave the default.

but it doesn't work on the suricata/snort I installed sir, can you help me find the point where the problem is?

ezvink

@ezvink
This is the rule that I added sir, it can be detected and goes to alerts but doesn't go to the blockhost tab