This wiki is a community-maintained resource about everything there is to know about IPFire. Join us and help us improve it!
It is possible to create your own rules for Snort. The rules below are an existing rule for blocking traffic from a given IP, taken from emerging-compromised.rules (Emerging Threats) and adapted.

Put them into a rule file of their own in /etc/snort/rules, for example my-own.rule, and give it the same owner as the other rule files:

chown nobody:nobody my-own.rule

alert tcp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000001; rev:3488;)
alert udp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000002; rev:3488;)

123.456.789.123 is only a placeholder: octets above 255 make it an invalid address and Snort will refuse to load the rule, so replace it with the real address (or a comma-separated list of addresses inside the brackets) before Snort is started. The SIDs 1000001 and 1000002 lie in the range reserved for local rules (1000000 and above), which keeps them from colliding with the distributed rule sets. The rev:3488 and the two flowbits options are left over from the Emerging Threats rule; they could be dropped (or the rev reset to 1) without changing what the rule matches. The threshold limits the output to one alert per source address per minute.
Note: the classtype my-own used above is not one of Snort's built-in classifications, so it has to be defined before Snort will accept the rules. Edit classification.config in /etc/snort/rules and add a line of the form short name, description, priority (1 = high, 2 = medium, 3 = low):

config classification: my-own,My Own,2

The two SIDs also need an entry in sid-msg.map (same directory), so that the log viewer can show a name for them:

1000001 || My Own Rule block IP TCP
1000002 || My Own Rule block IP UDP
Now an alert is raised as soon as you try to open a website hosted at the example IP 123.456.789.123 (the log entry below shows the reply from port 80 of that host to a client in the local network). Note that an alert rule only logs: Snort itself does not drop the traffic, so if the host is really to be blocked, something else has to act on the alert (on IPFire, for example the Guardian add-on or a firewall rule).

The alerts then show up under IDS-Logfiles, for example:

Date: 01/22 07:36:20 Name: My own Block Prio: 2 Typ: My Own IP-Info: 123.456.789.123:80 -> 192.168.xyz.xyz:52399 Reference: non SID: 1000001

Name comes from the rule's msg, Prio and Typ from the classification line, and SID identifies which of the two rules fired.
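The three files edited by hand above (the rule file, the classification line and the sid-msg.map entries) have to agree with each other, and an invalid address or an undefined classtype is only noticed when Snort fails to start. The following script, an added example that is neither IPFire's nor Snort's code, generates all three pieces from one list of addresses and checks the rule set for exactly those mistakes; it also parses an IDS log line of the format shown above so the SID can be traced back to its rule. The helper names (build_local_rules, check_rule_set, parse_ids_log) and the sample data are assumptions made here; 192.0.2.123 (RFC 5737 documentation range) stands in for the page's placeholder 123.456.789.123, which is not a valid address.

```python
"""Generate and sanity-check a local Snort rule set like the one on this page.

Added example, not code from the IPFire project or from Snort. Helper names
and sample data are assumptions; 192.0.2.123 replaces the page's invalid
placeholder 123.456.789.123.
"""
import ipaddress
import re

CLASSTYPE = "my-own"
CLASS_LINE = f"config classification: {CLASSTYPE},My Own,2"  # classification.config line
LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for distributed rule sets

RULE_TMPL = (
    'alert {proto} [{ip}] any -> $HOME_NET any '
    '(msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; '
    'classtype:{classtype}; sid:{sid}; rev:1;)'
)

# "alert <proto> [<src>] <port> -> <dst> <port> (<options>)"
RULE_RE = re.compile(
    r'^alert\s+(tcp|udp|icmp|ip)\s+\[?([^\s\]]+)\]?\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$'
)

# One line of the IPFire IDS log in the format shown on this page
LOG_RE = re.compile(
    r'Date:\s*(?P<date>\S+\s+\S+)\s+Name:\s*(?P<name>.*?)\s+Prio:\s*(?P<prio>\d+)\s+'
    r'Typ:\s*(?P<typ>.*?)\s+IP-Info:\s*(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+'
    r'Reference:\s*(?P<ref>\S+)\s+SID:\s*(?P<sid>\d+)'
)


def build_local_rules(ips, start_sid=LOCAL_SID_MIN + 1, classtype=CLASSTYPE):
    """Return (rule lines, sid-msg.map lines): one tcp and one udp rule per address."""
    rules, sidmap = [], []
    sid = start_sid
    for ip in ips:
        ipaddress.IPv4Address(ip)  # raises ValueError for e.g. 123.456.789.123
        for proto in ("tcp", "udp"):
            rules.append(RULE_TMPL.format(proto=proto, ip=ip, classtype=classtype, sid=sid))
            sidmap.append(f"{sid} || My own Block {proto.upper()}")
            sid += 1
    return rules, sidmap


def defined_classtypes(classification_text):
    """Short names defined by 'config classification:' lines."""
    return {m.group(1).strip()
            for m in re.finditer(r'^\s*config classification:\s*([^,]+),', classification_text, re.M)}


def check_rule_set(rules, classification_text, sidmap):
    """Return a list of problems (empty means the set is consistent)."""
    problems = []
    known = defined_classtypes(classification_text)
    mapped = {line.split("||")[0].strip() for line in sidmap if "||" in line}
    seen = set()
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            problems.append(f"unparseable rule: {rule[:40]}...")
            continue
        for addr in m.group(2).split(","):  # source may be a list; '!' negates
            try:
                ipaddress.ip_network(addr.lstrip("!"), strict=False)
            except ValueError:
                problems.append(f"invalid address {addr!r}")
        opts = m.group(4)
        sid_m = re.search(r'sid:\s*(\d+)\s*;', opts)
        if not sid_m:
            problems.append("rule without sid")
            continue
        sid = int(sid_m.group(1))
        if sid < LOCAL_SID_MIN:
            problems.append(f"sid {sid} below the local range ({LOCAL_SID_MIN}+)")
        if sid in seen:
            problems.append(f"duplicate sid {sid}")
        seen.add(sid)
        if str(sid) not in mapped:
            problems.append(f"sid {sid} has no sid-msg.map entry")
        ct = re.search(r'classtype:\s*([^;]+);', opts)
        if ct and ct.group(1).strip() not in known:
            problems.append(f"classtype {ct.group(1).strip()!r} not in classification.config")
    return problems


def parse_ids_log(line):
    """Split one IDS log line into its fields, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sid"] = int(entry["sid"])
    entry["prio"] = int(entry["prio"])
    return entry


# Constructed sample log line in the page's format, using the valid example address
SAMPLE_LOG = ("Date: 01/22 07:36:20 Name: My own Block Prio: 2 Typ: My Own "
              "IP-Info: 192.0.2.123:80 -> 192.168.1.10:52399 Reference: none SID: 1000001")

if __name__ == "__main__":
    rules, sidmap = build_local_rules(["192.0.2.123"])
    print("\n".join(rules))
    print(CLASS_LINE)
    print("\n".join(sidmap))
    print("problems:", check_rule_set(rules, CLASS_LINE, sidmap))
    print("log entry:", parse_ids_log(SAMPLE_LOG))
```

Run it before copying the output into my-own.rule, classification.config and sid-msg.map; feeding it the page's placeholder address instead of 192.0.2.123 makes build_local_rules raise, and check_rule_set reports the same problem for a rule that was written by hand.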