OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Helle on September 25, 2020, 01:19:17 pm

Title: Block Suricata triggered hosts?
Post by: Helle on September 25, 2020, 01:19:17 pm
First post :-)

Is there a way to have abusers detected by Suricata added to a dynamic firewall rule for, let's say, 6 hours or a specified time?

If I get hammered from the outside against a webserver, I would like my OPNsense to block the abuser totally and not only some of the php/apache/chmod/suspicious URL stuff that Suricata detects.

I would feel a lot safer if the detected abuser would be completely blocked for a certain time.
I have not used the other well known pf-based firewall but I believe this is easily done with that platform.

There was someone making a workaround using a webserver to host the list and having the rule pick up hosts, but that seems suboptimal IMHO.

Any suggestions?

/Helle
Title: Re: Block Suricata triggered hosts?
Post by: ArminF on September 26, 2020, 12:09:49 pm
I did not find an option to use such a feature (yet).

Something like a "lockout" time as it is used for accounts, as far as I understand you.
Maybe a custom script or plugin could deliver something.

There is an API available. With some script magic I guess it will work.
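As an illustration of the kind of script ArminF alludes to (example code written for this thread, not taken from OPNsense, Suricata or any plugin): it reads Suricata's eve.json output, keeps only alert events, and maintains a map of offending source addresses, each expiring six hours after its latest alert as the question asks, then renders the active set as a one-address-per-line table. The `event_type`, `src_ip`, `timestamp` and `alert.severity` fields are Suricata's real EVE names; the sample lines, the signature names, the protected network and the severity threshold are constructed for the example. How the rendered table is handed to the firewall (through the API ArminF mentions, an alias, or otherwise) is deliberately left out and would be an assumption.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# How long an offending source stays blocked after its latest alert
# (the 6 hours from the original question).
BLOCK_DURATION = timedelta(hours=6)

# Suricata alert severity: 1 = high, 2 = medium, 3 = low. Only alerts at
# or above this level earn a block, so noisy low-priority rules do not.
MIN_SEVERITY = 2

# Networks that must never be blocked (the protected web server, LAN, the
# firewall itself). Alerts also fire on the server's *responses*, whose
# src_ip is the server, so this check matters. Constructed example range.
PROTECTED_NETWORKS = (ip_network("192.0.2.0/24"),)

# Constructed EVE JSON lines in Suricata's eve.json shape; not real traffic.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-09-25T13:19:17.000000+0200","event_type":"alert",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP",'
    '"alert":{"signature":"EXAMPLE WEB_SERVER php tags in URL","severity":2}}',
    '{"timestamp":"2020-09-25T13:19:18.000000+0200","event_type":"flow",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10"}',
    '{"timestamp":"2020-09-25T13:20:05.000000+0200","event_type":"alert",'
    '"src_ip":"203.0.113.77","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"EXAMPLE SCAN low-priority probe","severity":3}}',
    '{"timestamp":"2020-09-25T15:00:00.000000+0200","event_type":"alert",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.23",'
    '"alert":{"signature":"EXAMPLE POLICY server response","severity":1}}',
    '{"timestamp":"2020-09-25T16:40:00.000000+0200","event_type":"alert",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10",'
    '"alert":{"signature":"EXAMPLE WEB_SERVER chmod in request","severity":1}}',
    'this line is not JSON and must be skipped',
]


def parse_ts(value):
    """Parse a Suricata EVE timestamp such as 2020-09-25T13:19:17.000000+0200."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_protected(ip):
    """True when the address lies in a network we refuse to block."""
    addr = ip_address(ip)
    return any(addr in net for net in PROTECTED_NETWORKS)


def iter_alerts(lines):
    """Yield only well-formed alert events; other event types and junk are ignored."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("event_type") == "alert":
            yield event


def update_blocklist(blocklist, lines, now, duration=BLOCK_DURATION,
                     min_severity=MIN_SEVERITY):
    """Return a new {ip: expiry} map: add/extend blocks from new alerts, drop expired ones.

    Every qualifying alert restarts the clock for its source, so a host that
    keeps hammering stays blocked until `duration` after its last alert.
    """
    updated = dict(blocklist)
    for event in iter_alerts(lines):
        severity = event.get("alert", {}).get("severity", 3)
        src = event.get("src_ip")
        if severity > min_severity or not src or is_protected(src):
            continue
        expiry = parse_ts(event["timestamp"]) + duration
        current = updated.get(src)
        if current is None or expiry > current:
            updated[src] = expiry
    return {ip: exp for ip, exp in updated.items() if exp > now}


def render_table(blocklist):
    """One address per line, the shape a pf table file or URL-table alias consumes."""
    ordered = sorted(blocklist, key=lambda s: (ip_address(s).version, ip_address(s)))
    return "".join(f"{ip}\n" for ip in ordered)


if __name__ == "__main__":
    now = parse_ts("2020-09-25T18:00:00.000000+0200")
    active = update_blocklist({}, SAMPLE_EVE_LINES, now)
    print(render_table(active), end="")
```

Run against the sample lines at 18:00, only 198.51.100.23 remains: its first alert alone would have expired at 19:19, but the later high-severity alert at 16:40 extends it to 22:40; the severity-3 probe never qualifies, the server's own response alert is dropped by the protected-network check, and the non-JSON line is skipped. A real deployment would persist the map between runs and feed the rendered table to the firewall by whatever mechanism is chosen.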
Title: Re: Block Suricata triggered hosts?
Post by: Helle on September 29, 2020, 02:08:53 pm
I would like this to be a feature request...

Possibility to add IDS/IPS offenders to a temporary/permanent firewall block list...

(without the need of custom scripts or external web server for hosting said block list)