Snort as fail2ban?

killmasta93

Hi,
I was wondering if its possible to configure snort as fail2ban to block an IP after 5 attempts and block them for 24 hours?

Thank you

bluepr0

This is basically what I was trying to do as well, see https://forum.pfsense.org/index.php?topic=104320.0

It seems that currently it's not possible to achieve this. You can enable "Block offenders" but that will block all the IPs from all the alerts.

fsansfil

@killmasta93:

Hi,
I was wondering if its possible to configure snort as fail2ban to block an IP after 5 attempts and block them for 24 hours?

Thank you

Sure. In the Global Settings tab of your Snort interface, select 1 DAY in the >Remove Blocked Host Interval> and add a Threshold or detection/event Filter with a count of 5 to your rules.

http://manual.snort.org/node35.html
http://manual.snort.org/node34.html#detection_filter

F.

killmasta93

Hi
Thank you for the reply,
Well…did not really understand on what you mean I been trying to follow this guide
http://www.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense

All I would want lets say i open port 443 webgui and someone tries to access many times eventually it gets blocked that IP as it shows on the guide But i was not able to get it working.

Not sure if I add all the rules?

And not sure what is this unknown rule http inspect

See pics

Thanks you