On 2017-02-21 06:59, Jochen Fahrner wrote:
> On 20.02.2017 at 23:04, Arturo 'Buanzo' Busleiman wrote:
>> I configure snort ids to use syslog (so we can get one-line log
>> messages we can parse with fail2ban), cause it detects different
>> portscan methods.
>
> Sounds interesting, but also very complex.
>

And OTT. I know it is not f2b, but why not use snortsam with snort for
your blocking? If there are any rules you want to add blocks for, create
a file called sid-block.map and add your blocks there. The file only
contains 3 things: the rule number, whether you want to block the source
or destination detected by the rule, and the duration of your block. It
is way more responsive than f2b.

This is a reference:
https://github.com/firnsy/barnyard2/blob/master/doc/README.snortsam

Nick

>>
>> /var/log/auth.log:
>>
>> Feb 20 08:29:47 server snort[4380]: [1:1228:7] SCAN nmap XMAS
>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>> x.x.x.x:42788 -> z.z.z.z:22
>>
>> jail.local:
>>
>> [snort]
>> enabled = true
>> port = 22,etc,etc,etc
>> protocol = tcp
>> filter = snort
>> logpath = /var/log/auth.log
>> maxretry = 1
>>
>> failregex example:
>>
>> failregex = .* \[Classification\: .*\] \[Priority\: [12]\]
>> \{[TCP|UDP|ICMP]\} <HOST>.*$
>> .*ICMP PING NMAP \[Classification\: .*\] \[Priority\: .*\]
>> \{ICMP\} <HOST>.*$
>>

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
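The quoted failregex lines, run against constructed snort syslog lines, as an added example that is not part of this thread: in a regex, `[TCP|UDP|ICMP]` is a character class that matches a single character, so `\{[TCP|UDP|ICMP]\}` never matches `{TCP}`, and an alternation group is needed. It assumes a simplified IPv4 stand-in for fail2ban's `<HOST>` tag and uses plain `re.match` instead of fail2ban's own filter engine.

```python
import re

# Constructed sample lines: the first follows the auth.log line quoted in the thread,
# with documentation IPs in place of x.x.x.x / z.z.z.z; the others are made up
# (the ICMP line copies the "ICMP PING NMAP" text the second failregex expects).
SAMPLE_LINES = [
    "Feb 20 08:29:47 server snort[4380]: [1:1228:7] SCAN nmap XMAS "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:42788 -> 198.51.100.5:22",
    "Feb 20 08:30:01 server snort[4380]: [1:469:3] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
    "192.0.2.11 -> 198.51.100.5",
    "Feb 20 08:31:12 server sshd[5001]: Accepted publickey for alice "
    "from 192.0.2.12 port 50022 ssh2",
]

# Assumption: stand-in for fail2ban's <HOST> tag, narrowed to an IPv4 dotted quad.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# First failregex as posted. The bracket expression is a character class, so it
# only matches "{" + ONE character + "}" and never the token "{TCP}".
POSTED_TCP = re.compile(
    r".* \[Classification\: .*\] \[Priority\: [12]\] \{[TCP|UDP|ICMP]\} " + HOST + r".*$"
)

# Corrected form: a non-capturing alternation matches the whole protocol token.
FIXED_TCP = re.compile(
    r".* \[Classification\: .*\] \[Priority\: [12]\] \{(?:TCP|UDP|ICMP)\} " + HOST + r".*$"
)

# Second failregex as posted; this one is already correct.
POSTED_ICMP = re.compile(
    r".*ICMP PING NMAP \[Classification\: .*\] \[Priority\: .*\] \{ICMP\} " + HOST + r".*$"
)


def extract_hosts(pattern, lines):
    """Return the <host> values the pattern would hand to fail2ban for banning."""
    hosts = []
    for line in lines:
        m = pattern.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, pat in [("posted TCP", POSTED_TCP), ("fixed TCP", FIXED_TCP), ("posted ICMP", POSTED_ICMP)]:
        print(f"{name:12s} -> {extract_hosts(pat, SAMPLE_LINES)}")
```

With maxretry = 1 a single matching line bans the host, so it is worth confirming a filter against a real log line with `fail2ban-regex` before enabling the jail.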
