Intrusion Detection and Prevention / Re: Better IDS or a deny rule in firewall?
« on: November 04, 2023, 01:49:51 pm »
I have been trying to get the IDS to generate the block list, to avoid having to "manually" maintain the firewall rules.
I couldn't figure out how to do it only using Suricata, and Crowdsec with default settings only blocks Suricata severity class 1 events. It doesn't seem like there is any way to use the web UI to change the metadata of Suricata rules; policies only allow you to change the action.
I ended up modifying the Crowdsec parser to filter out all events that have been dropped by Suricata, and I modified the Crowdsec scenario to ban any Suricata event regardless of the severity.
Now I can use the Suricata policies to just drop anything from the compromised and attack categories, and every time the IPs are detected by the IDS they are automatically added to the firewall block list for 7 days.
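The filtering logic the post describes (skip alerts Suricata already dropped, ban every remaining alerting source regardless of severity, expire after 7 days), written out as an added Python example over constructed Suricata EVE JSON lines. This is not code from the post, OPNsense, Suricata or CrowdSec; it only assumes Suricata's standard EVE `alert` fields (`event_type`, `src_ip`, `alert.action`, `alert.severity`, `alert.category`), and the sample lines and IPs are made up for illustration.

```python
"""Turn Suricata EVE JSON alerts into a candidate block list.

Added example, not code from the forum post or from Suricata/CrowdSec.
Logic mirrors the post: ignore alerts Suricata already dropped (those are
handled by the IPS policy), list every other alerting source IP no matter
its severity, and give each entry a 7-day expiry.
"""
import json
from datetime import datetime, timedelta

BAN_DURATION = timedelta(days=7)

# Constructed sample EVE lines (IPs from documentation ranges, signatures invented).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-11-04T13:49:51.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.10","dest_ip":"198.51.100.5",'
    '"alert":{"action":"allowed","severity":3,"category":"Misc activity",'
    '"signature":"EXAMPLE low-severity probe"}}',
    '{"timestamp":"2023-11-04T13:49:52.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.11","dest_ip":"198.51.100.5",'
    '"alert":{"action":"blocked","severity":1,'
    '"category":"Attempted Administrator Privilege Gain",'
    '"signature":"EXAMPLE already dropped by IPS policy"}}',
    '{"timestamp":"2023-11-04T13:49:53.000000+0000","event_type":"flow",'
    '"src_ip":"203.0.113.12","dest_ip":"198.51.100.5"}',
    '{"timestamp":"2023-11-04T13:49:54.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.13","dest_ip":"198.51.100.5",'
    '"alert":{"action":"allowed","severity":2,"category":"Potentially Bad Traffic",'
    '"signature":"EXAMPLE medium-severity"}}',
]


def parse_eve(lines):
    """Yield the decoded JSON object for each non-empty EVE line; skip junk lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or malformed line must not abort the run


def is_ban_candidate(event):
    """True for any alert Suricata did NOT already drop, whatever its severity."""
    if event.get("event_type") != "alert":
        return False
    alert = event.get("alert", {})
    # Suricata sets alert.action to "blocked" when its IPS policy dropped the packet;
    # those sources are already handled, so the post's parser filters them out.
    if alert.get("action") == "blocked":
        return False
    return "src_ip" in event


def candidate_bans(lines, duration=BAN_DURATION):
    """Map each alerting source IP to the expiry time of its block-list entry.

    The expiry is the latest alert timestamp for that IP plus `duration`,
    so a repeat offender keeps sliding its own window forward.
    """
    bans = {}
    for event in parse_eve(lines):
        if not is_ban_candidate(event):
            continue
        seen = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        expiry = seen + duration
        ip = event["src_ip"]
        if ip not in bans or expiry > bans[ip]:
            bans[ip] = expiry
    return bans


if __name__ == "__main__":
    for ip, expiry in sorted(candidate_bans(SAMPLE_EVE_LINES).items()):
        print(f"{ip}\texpires {expiry.isoformat()}")
```

Run against a real `eve.json` by passing `open(path)` instead of `SAMPLE_EVE_LINES`; the blocked severity-1 alert and the `flow` record are skipped, while the severity-2 and severity-3 alerts both land on the list, which is the behaviour the post's scenario change produces.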