On 20.02.2017 at 23:04, Arturo 'Buanzo' Busleiman wrote:
> I configure snort IDS to use syslog (so we can get one-line log
> messages we can parse with fail2ban), because it detects different
> portscan methods.

Sounds interesting, but also very complex.

>
> /var/log/auth.log:
>
> Feb 20 08:29:47 server snort[4380]: [1:1228:7] SCAN nmap XMAS [Classification: Attempted Information Leak] [Priority: 2] {TCP} x.x.x.x:42788 -> z.z.z.z:22
>
> jail.local:
>
> [snort]
> enabled = true
> port = 22,etc,etc,etc
> protocol = tcp
> filter = snort
> logpath = /var/log/auth.log
> maxretry = 1
>
> failregex example:
>
> failregex = .* \[Classification\: .*\] \[Priority\: [12]\] \{(?:TCP|UDP|ICMP)\} <HOST>.*$
>             .*ICMP PING NMAP \[Classification\: .*\] \[Priority\: .*\] \{ICMP\} <HOST>.*$
>
>


-- 
Best regards
Jochen Fahrner
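The thread's failregex as originally posted wrote the protocol as `\{[TCP|UDP|ICMP]\}`, which is a character class (one character from T, C, P, |, U, D, I, M) rather than an alternation, so it can never match `{TCP}`. The script below is an added example, not code from the thread or from fail2ban: it applies both the buggy and the corrected pattern, plus the ICMP PING NMAP pattern, to a few constructed snort-via-syslog lines (placeholder addresses, one made-up rule SID) and returns the hosts each set of patterns would hand to fail2ban. The `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's real one, which also handles hostnames and IPv6.

```python
import re

# Constructed sample lines in the format shown in the thread (RFC 5737 placeholder
# addresses; the ICMP line's SID 99999 is made up, 1228 is the one from the thread).
SAMPLE_LOG = """\
Feb 20 08:29:47 server snort[4380]: [1:1228:7] SCAN nmap XMAS [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:42788 -> 198.51.100.5:22
Feb 20 08:30:01 server snort[4380]: [1:99999:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
Feb 20 08:30:15 server snort[4380]: [1:99998:1] Misc UDP rule [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.12:5353 -> 198.51.100.5:5353
Feb 20 08:30:20 server sshd[1234]: Accepted publickey for alice from 192.0.2.13 port 50000 ssh2
"""

# The failregex lines from the thread, as fail2ban reads them once the
# mail-wrapped continuation is joined back onto one line.
BUGGY_TCP_REGEX = r".* \[Classification\: .*\] \[Priority\: [12]\] \{[TCP|UDP|ICMP]\} <HOST>.*$"
FIXED_TCP_REGEX = r".* \[Classification\: .*\] \[Priority\: [12]\] \{(?:TCP|UDP|ICMP)\} <HOST>.*$"
ICMP_REGEX = r".*ICMP PING NMAP \[Classification\: .*\] \[Priority\: .*\] \{ICMP\} <HOST>.*$"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(log_text, failregexes):
    """Return the host extracted from each line that any failregex matches,
    in line order; a line that matches nothing contributes no entry."""
    compiled = [compile_failregex(r) for r in failregexes]
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # fail2ban counts one failure per line at most
    return hosts


def compare_filters(log_text=SAMPLE_LOG):
    """Hosts seen by the buggy filter vs. the corrected one."""
    return {
        "buggy": matched_hosts(log_text, [BUGGY_TCP_REGEX, ICMP_REGEX]),
        "fixed": matched_hosts(log_text, [FIXED_TCP_REGEX, ICMP_REGEX]),
    }


if __name__ == "__main__":
    for name, hosts in compare_filters().items():
        print(f"{name}: {hosts}")
```

With the buggy pattern only the ICMP line is caught; with the alternation fixed, the priority-2 TCP XMAS scan is caught as well, while the priority-3 UDP line and the unrelated sshd line are correctly ignored. The same approach (a handful of constructed lines run through the compiled failregex) is a cheap way to check a filter before pointing it at a live log.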


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users