It is possible to create your own rules for Snort. I am using an existing rule for blocking IPs, taken from emerging-compromised.rules and adapted.
Hint: after a Snort update, sid-msg.map is overwritten and Snort reports an error when the service starts.
1. Add a new rule file under /etc/snort/rules (here my-own.rule):
2. Set permissions:
chown nobody:nobody my-own.rule
3. Edit the rule, for example TCP and UDP from the external to the internal network:
3.1. With the following content:
alert tcp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000001; rev:3488;)
alert udp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000002; rev:3488;)
3.2. Hint: at this point set the appropriate classification, here classtype:my-own, and the SID, sid:100000X (X = serial number).
4. Edit classification.config under /etc/snort/rules:
...
config classification: my-own, My Own, 2
...
5. Edit sid-msg.map under /etc/snort/rules:
1000001 || My Own Rule block IP TCP
1000002 || My Own Rule block IP UDP
....
6. Restart Snort and wait until it is done.
7. In the WUI → Services → Intrusion Detection System you can now activate your own rule together with the attached ruleset.
Now the incoming IP is blocked when you try to open an example website with the example IP 123.456.789.123. You can find the logs under IDS-Logfiles, for example:
Date: 01/22 07:36:20
Name: My own Block
Prio: 2
Typ: My Own
IP-Info: 123.456.789.123:80 -> 192.168.xyz.xyz:52399
Reference: non
SID: 1000001
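Because an update overwrites sid-msg.map (see the hint above), a quick consistency check of steps 3 to 5 is useful before restarting Snort. The following script is an added example, not part of this page or of Snort: it parses the custom rule file, sid-msg.map and classification.config, reports every SID that has no sid-msg.map entry (and prints the line to append) and every classtype that classification.config does not define. The three inputs are constructed inline, modelled on the files above; in practice they would be read from /etc/snort/rules.

```python
import re

# Constructed sample inputs modelled on the files from the page (not read from disk).
RULES = """\
alert tcp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000001; rev:3488;)
alert udp [123.456.789.123] any -> $HOME_NET any (msg:"My own Block"; threshold: type limit, track by_src, seconds 60, count 1; classtype:my-own; flowbits:set,ET.Evil; flowbits:set,ET.CompIP; sid:1000002; rev:3488;)
"""
SID_MSG_MAP = "1000001 || My Own Rule block IP TCP\n"   # entry for 1000002 lost after an update
CLASSIFICATION = "config classification: my-own, My Own, 2\n"


def parse_rules(text):
    """Return {sid: (msg, classtype)} for every rule line that carries all three options."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        msg = re.search(r'\bmsg:\s*"([^"]*)"\s*;', line)
        cls = re.search(r"\bclasstype:\s*([\w-]+)\s*;", line)
        if sid and msg and cls:
            rules[int(sid.group(1))] = (msg.group(1), cls.group(1))
    return rules


def parse_sid_msg_map(text):
    """sid-msg.map lines look like '1000001 || My Own Rule block IP TCP'."""
    sids = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            sids[int(parts[0])] = parts[1]
    return sids


def parse_classifications(text):
    """classification.config lines: 'config classification: name, description, priority'."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"\s*config\s+classification:\s*([\w-]+)\s*,", line)
        if m:
            names.add(m.group(1))
    return names


def check(rules_text, sidmap_text, class_text):
    """Return (sid-msg.map lines to append, classtypes missing from classification.config)."""
    rules = parse_rules(rules_text)
    known_sids = parse_sid_msg_map(sidmap_text)
    known_classes = parse_classifications(class_text)
    missing = [f"{sid} || {msg}" for sid, (msg, _) in sorted(rules.items()) if sid not in known_sids]
    unknown = sorted({cls for _, cls in rules.values() if cls not in known_classes})
    return missing, unknown


if __name__ == "__main__":
    for line in check(RULES, SID_MSG_MAP, CLASSIFICATION)[0]:
        print("append to sid-msg.map:", line)
```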