Snort as fail2ban?
-
Hi,
I was wondering if its possible to configure snort as fail2ban to block an IP after 5 attempts and block them for 24 hours?Thank you
-
This is basically what I was trying to do as well, see https://forum.pfsense.org/index.php?topic=104320.0
It seems that currently it's not possible to achieve this. You can enable "Block offenders" but that will block all the IPs from all the alerts.
-
Hi,
I was wondering if its possible to configure snort as fail2ban to block an IP after 5 attempts and block them for 24 hours?Thank you
Sure. In the Global Settings tab of your Snort interface, select 1 DAY in the >Remove Blocked Host Interval> and add a Threshold or detection/event Filter with a count of 5 to your rules.
http://manual.snort.org/node35.html
http://manual.snort.org/node34.html#detection_filterF.
-
Hi
Thank you for the reply,
Well…did not really understand on what you mean I been trying to follow this guide
http://www.moh10ly.com/blog/pfsense/configuring-snort-on-pfsenseAll I would want lets say i open port 443 webgui and someone tries to access many times eventually it gets blocked that IP as it shows on the guide But i was not able to get it working.
Not sure if I add all the rules?
And not sure what is this unknown rule http inspect
See pics
Thanks you
