Block Offending IP Addresses


WRF

Apr 16, 2020, 4:53:08 PM
to sagan-users

I am interested in using the active response feature of snortsam in sagan.yaml but it seems this option is a bit dated. Is there another alternative, i.e. fwsnort or snort2iptables that may be used or anything that could help to reject or drop offending IP addresses from within Sagan?

Champ Clark III

Apr 16, 2020, 6:45:32 PM
to sagan-users
"Snortsam" support has been deprecated. What you'll likely want to do is run Meer with "external" output support. This allows Meer to call an external routine. When the external routine is called, the JSON/EVE of the event is passed to the external program. Your external program can be written in any language you desire.

An example routine is at https://github.com/beave/meer/tree/master/tools/external . This shows a routine that calls "iptables" and another that does an HTTP GET.

You could easily mimic a routine in python, etc.

Hopefully this helps.
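As an added illustration of the "external" approach described in the reply above (this is example code, not Meer's own tools/external script and not part of the original thread), the handler below takes one EVE/JSON event, decides whether the source address is safe to firewall, and builds the corresponding iptables rule. It assumes Meer hands the event JSON to the program on stdin, that the event carries Suricata-style fields (`event_type`, `src_ip`, `alert.severity`), and a locally chosen policy (an allowlist of private ranges and a severity cutoff); the sample event is constructed. It only runs iptables when invoked with `--apply`, otherwise it prints what it would do.

```python
#!/usr/bin/env python3
"""Hypothetical Meer "external" output handler (added example).

Reads one EVE/JSON event from stdin (assumption: that is how Meer passes
the event), checks it against a local blocking policy, and either prints
or executes the iptables rule that would drop the offending source."""
import ipaddress
import json
import subprocess
import sys
from typing import List, Optional

# Constructed sample event in Suricata/Sagan EVE style (field names assumed).
SAMPLE_EVENT = json.dumps({
    "event_type": "alert",
    "src_ip": "203.0.113.45",
    "dest_ip": "192.0.2.10",
    "alert": {"signature": "[EXAMPLE] ssh brute force", "severity": 1},
})

# Assumed local policy: never firewall these ranges, even if they show up as
# src_ip (internal hosts, loopback), and only act on the two highest severities
# (EVE severity 1 is the most severe).
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]
MAX_SEVERITY = 2


def should_block(event: dict) -> bool:
    """Return True only for alert events from a blockable public source."""
    if event.get("event_type") != "alert":
        return False
    severity = event.get("alert", {}).get("severity", 99)
    if severity > MAX_SEVERITY:
        return False
    try:
        ip = ipaddress.ip_address(event.get("src_ip", ""))
    except ValueError:          # missing or malformed src_ip: do nothing
        return False
    # Refuse addresses that can never be a meaningful remote attacker and
    # addresses on the local allowlist, so a spoofed event cannot lock us out.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in ALLOWLIST)


def iptables_cmd(event: dict) -> List[str]:
    """Build the rule that drops all input from the event's source address."""
    ip = ipaddress.ip_address(event["src_ip"])
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def handle(raw: str, dry_run: bool = True) -> Optional[List[str]]:
    """Process one raw JSON event; return the command taken (or None)."""
    event = json.loads(raw)
    if not should_block(event):
        return None
    cmd = iptables_cmd(event)
    if not dry_run:
        # `-C` checks whether the rule already exists, so repeated alerts for
        # the same source do not pile up duplicate DROP rules.
        check = [cmd[0], "-C"] + cmd[2:]
        if subprocess.run(check, capture_output=True).returncode != 0:
            subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVENT
    result = handle(raw, dry_run="--apply" not in sys.argv)
    print("no action" if result is None else " ".join(result))
```

Pointing Meer's external output at this script with no arguments gives a safe dry run that just logs the rule it would add; `--apply` turns on enforcement, at which point the script needs to run with the privileges iptables requires and the allowlist should be reviewed so that management hosts can never be dropped by a single alert.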