Netgate Discussion Forum

    Snort as fail2ban?

      killmasta93

      Hi,
      I was wondering if it's possible to configure snort as fail2ban to block an IP after 5 attempts and block them for 24 hours?

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        bluepr0

        This is basically what I was trying to do as well, see https://forum.pfsense.org/index.php?topic=104320.0

        It seems that currently it's not possible to achieve this. You can enable "Block offenders" but that will block all the IPs from all the alerts.

          fsansfil

          @killmasta93:

          Hi,
          I was wondering if it's possible to configure snort as fail2ban to block an IP after 5 attempts and block them for 24 hours?

          Thank you

          Sure. In the Global Settings tab of your Snort interface, select 1 DAY in the "Remove Blocked Host Interval" and add a Threshold or detection/event Filter with a count of 5 to your rules.

          http://manual.snort.org/node35.html
          http://manual.snort.org/node34.html#detection_filter

          F.

            killmasta93

            Hi
            Thank you for the reply,
            Well… I did not really understand what you mean. I have been trying to follow this guide:
            http://www.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense

            All I would want is, let's say I open port 443 for the webGUI and someone tries to access it many times, eventually that IP gets blocked, as it shows in the guide. But I was not able to get it working.

            Not sure if I should add all the rules?

            And I'm not sure what this unknown rule, http inspect, is.

            See pics

            Thank you

            Clipboarder.2015.12.25-002.png
            Clipboarder.2015.12.25-003.png
            Clipboarder.2015.12.25-004.png
            Clipboarder.2015.12.25-005.png
            Clipboarder.2015.12.25-006.png

            Tutorials:

            https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
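
The setup discussed in this thread (a detection_filter with a count of 5, "Block offenders" enabled, and a 1 DAY removal interval), as an added example that is not part of any post: the Python sketch below parses a constructed local rule for the port 443 case and models which matches pass, alert and get blocked. The rule text, SID 1000001, the 60-second window, the sample IPs and the simplified expiry model (block removed exactly 24 hours after it was added) are assumptions; on HTTPS traffic Snort counts connection attempts, not failed logins.

```python
import re

# Constructed local rule (an assumption, not from the thread): counts TCP SYNs
# to the webGUI port per source address.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 443 '
        '(msg:"LOCAL repeated webGUI connection attempts"; flags:S; '
        'detection_filter:track by_src, count 5, seconds 60; '
        'sid:1000001; rev:1;)')
BLOCK_SECONDS = 24 * 3600  # models the removal interval set to 1 DAY


def parse_detection_filter(rule):
    """Return (track, count, seconds) from the rule's detection_filter option."""
    m = re.search(r'detection_filter:\s*track\s+(by_src|by_dst)\s*,'
                  r'\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;', rule)
    if not m:
        raise ValueError("rule has no detection_filter option")
    return m.group(1), int(m.group(2)), int(m.group(3))


def simulate(rule, events, block_seconds=BLOCK_SECONDS):
    """events: time-ordered (timestamp, src_ip) packets that match the rule.
    Returns (timestamp, src_ip, action) with action 'pass', 'alert+block'
    or 'already-blocked'. Simplified model of the behaviour, not Snort code."""
    track, count, seconds = parse_detection_filter(rule)
    if track != "by_src":
        raise ValueError("this model only tracks by source address")
    windows = {}  # src -> [sampling period start, matches in period]
    blocked = {}  # src -> time the block was added
    out = []
    for ts, src in events:
        if src in blocked and ts - blocked[src] < block_seconds:
            out.append((ts, src, "already-blocked"))
            continue
        blocked.pop(src, None)              # block expired, or never existed
        win = windows.get(src)
        if win is None or ts - win[0] >= seconds:
            win = windows[src] = [ts, 0]    # start a new sampling period
        win[1] += 1
        if win[1] > count:                  # rule fires only AFTER `count` matches
            blocked[src] = ts               # "Block offenders" adds the source
            out.append((ts, src, "alert+block"))
        else:
            out.append((ts, src, "pass"))
    return out
```

With a count of 5 the rule stays silent for the first five matches in a sampling period and fires on the sixth, and a source that stays under that rate is never blocked.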
