Hi.
Long time listener, first time caller :)
Is it possible to add some automation to take a bad actor's source IP from Suricata's /var/log/suricata/eve.json and add the offending IP into a Firewall alias group?
Perhaps using Monit, Shell Script, Cron, Fail2Ban or some API call?
I think this would be an invaluable feature, and would save me from manually logging to reduce/secure the attack surface.
Many thanks.
That's what I'm searching for right now.
Maybe, as you point out, since the place the logs are collected is /var/log/suricata/eve.json, some Python script needs to be run to extract the IPs and convert them into a file that can be read from an alias.
Another thing that may be good to add to the Suricata UI is a ban time (maybe 30 mins) and a check time (5 mins)
for the script to scrape the file and remove IPs whose ban is done (this can be done with cron maybe.. :) )
Example ChatGPT decoder of the file:
import json

def extract_src_ips(file_path, output_path):
    """Collect every src_ip seen in an eve.json file (one JSON object per line)
    and write the unique set, one address per line, to output_path."""
    ips = set()
    with open(file_path, 'r') as file:
        for line in file:
            try:
                data = json.loads(line)
                # eve.json records carry src_ip at the top level
                if 'src_ip' in data:
                    ips.add(data['src_ip'])
                # kept from the generated script; eve.json flow records do not
                # nest src_ip under 'flow', so this branch normally never fires
                if 'flow' in data and 'src_ip' in data['flow']:
                    ips.add(data['flow']['src_ip'])
            except json.JSONDecodeError:
                # blank or partially written lines (Suricata may still be writing)
                print(f"Error decoding JSON in line: {line}")
    with open(output_path, 'w') as output_file:
        for ip in ips:
            output_file.write(ip + '\n')

# Specify the input file path and the output file path
input_file_path = 'C:/Users/X/Desktop/input.json'
output_file_path = 'C:/Users/X/Desktop/ips.txt'

# Extract src_ips and save to file
extract_src_ips(input_file_path, output_file_path)
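The script above takes the src_ip of every record in eve.json, including plain flow records, so it would also list your own hosts and every peer they talk to. Here is an added example (written for this thread, not code from Suricata or from any firewall project) that does what the post describes end to end: it only considers alert events of high or medium severity, skips events older than the 5-minute check interval so old alerts are not re-banned on every cron run, never bans a configured set of own networks, keeps a small state file of ban expiry times (30 minutes, re-armed when the host alerts again), and writes the currently banned addresses to a text file for an alias of the file/URL-table kind to read. The state and alias file paths, the NEVER_BAN ranges and the sample eve.json lines are all assumptions, not values from the thread.

```python
import ipaddress
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed sample eve.json lines for offline testing (not from a real sensor):
# two medium-severity alerts from one external host, a flow record, a low-severity
# alert from an RFC1918 host, and a truncated line as Suricata may leave while writing.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature":"ET SCAN Nmap","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.10"}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature":"ET POLICY Something","severity":3}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","alert":{"signature":"ET SCAN Nmap","severity":2}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"ale
"""

BAN_SECONDS = 30 * 60    # ban time suggested in the thread
CHECK_SECONDS = 5 * 60   # cron interval suggested in the thread; only events this recent count
MAX_SEVERITY = 2         # Suricata severity: 1 high, 2 medium, 3 low; ban 1 and 2 only

# Assumed paths (adjust to the firewall in use). The alias file is what an alias of the
# file/URL-table kind would fetch; the state file is this script's own bookkeeping.
EVE_PATH = "/var/log/suricata/eve.json"
STATE_PATH = "/var/db/suricata_bans.json"
ALIAS_PATH = "/usr/local/www/banned.txt"

# Never ban own networks, whatever the rules say (assumption: extend with real LAN/VPN ranges).
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]


def parse_ts(ts):
    """Parse the eve.json timestamp format, e.g. 2024-01-01T10:00:00.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def offending_ips(eve_lines, since=None, max_severity=MAX_SEVERITY):
    """Source IPs of alert events with severity <= max_severity and timestamp >= since.
    Malformed lines, non-alert events and addresses inside NEVER_BAN are skipped."""
    ips = set()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial last line while Suricata is still writing
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("severity", 99) > max_severity:
            continue
        try:
            ip = ipaddress.ip_address(ev["src_ip"])
            if since is not None and parse_ts(ev["timestamp"]) < since:
                continue
        except (KeyError, ValueError):
            continue
        if any(ip in net for net in NEVER_BAN):
            continue
        ips.add(str(ip))
    return ips


def update_bans(state, fresh_ips, now, ban_seconds=BAN_SECONDS):
    """state maps ip -> unix time the ban expires. Drop expired bans, (re)arm bans for
    every IP seen in this run, and return the new state."""
    state = {ip: exp for ip, exp in state.items() if exp > now}
    for ip in fresh_ips:
        state[ip] = now + ban_seconds
    return state


def alias_lines(state):
    """File contents for the alias: one address per line, sorted for stable diffs."""
    return "".join(ip + "\n" for ip in sorted(state))


def main(now=None):
    """One cron run: read recent alerts, refresh the ban state, rewrite the alias file."""
    now = now or datetime.now(timezone.utc)
    with open(EVE_PATH) as f:
        fresh = offending_ips(f, since=now - timedelta(seconds=CHECK_SECONDS))
    state = {}
    if os.path.exists(STATE_PATH):
        with open(STATE_PATH) as f:
            state = json.load(f)
    state = update_bans(state, fresh, now.timestamp())
    with open(STATE_PATH, "w") as f:
        json.dump(state, f)
    with open(ALIAS_PATH, "w") as f:
        f.write(alias_lines(state))


if __name__ == "__main__":
    main()
```

Run it from cron every 5 minutes (matching CHECK_SECONDS) and point a block rule at the alias that loads ALIAS_PATH; a host disappears from the file once 30 minutes have passed without a new alert, so no separate unban job is needed. Two caveats worth keeping in mind: the severity field comes from the rule metadata, so noisy low-severity policy rules are excluded by design rather than by tuning, and the NEVER_BAN list is the only thing standing between a false positive on an internal scanner and locking yourself out.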
Resurrecting threads, are we?
OP - please check out CrowdSec, it does exactly that.