On 7/13/21 12:34 AM, Tom Hendrikx wrote:
> Please post full configuration if you're not sure what to look for. I
> have no idea what 'suricata' is though
>
Suricata is an Intrusion Detection/Prevention Software.

----[ jail ]----
[suricata-1]
enabled = true
logpath = /data01/var/log/suricata/fast.log
datepattern = %%m/%%d/%%Y-%%H:%%M:%%S
# bantime = 12w
maxretry = 1
findtime = 3w
action = iptables[name=sri-1, port="53", protocol=udp]
----[ end ]----

----[ filter ]----
[Definition]
__suricata-1_actions = (?:dropping|refusing)

# Sample
# 08/01/2020-09:50:43.513215 [Drop] [**] [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.69.246:53 -> 72.196.10.7:30903
# 10/05/2020-09:27:35.208728 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 2.57.122.98:42312 -> 192.168.69.246:53
#

failregex = ^.*\[1\:2016016\:.*\].*? \{UDP\} <HOST>\:.*?
            ^.*\[1\:2101616\:.*\].*? \{UDP\} <HOST>\:.*?
            ^.*\[1\:2009702\:.*\].*? \{UDP\} <HOST>\:.*?
            ^.*\[1\:2030555\:.*\].*? \{UDP\}.*\-\> <HOST>\:.*?

ignoreregex =

datepattern = %%m/%%d/%%Y-%%H:%%M:%%S
----[ end ]----

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
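To see which address the four failregex lines above would actually hand to the iptables action, here is an added stand-alone check (not part of the post, and not fail2ban's own code) that runs the regexes over constructed fast.log lines with a plain IPv4 group standing in for fail2ban's `<HOST>` substitution. It shows that the first three rules ban the source of the event while the 2030555 rule bans the destination, i.e. the external resolver queried by the internal host.

```python
import re

# Constructed sample lines in Suricata fast.log format, modelled on the two
# samples in the filter; the third line uses a SID the filter does not cover.
SAMPLE_LOG = [
    "08/01/2020-09:50:43.513215 [Drop] [**] [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.69.246:53 -> 72.196.10.7:30903",
    "10/05/2020-09:27:35.208728 [Drop] [**] [1:2009702:5] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 2.57.122.98:42312 -> 192.168.69.246:53",
    "10/05/2020-09:28:01.000001 [Drop] [**] [1:2000000:1] ET CONSTRUCTED rule not in the filter [**] [Classification: Misc] [Priority: 3] {UDP} 198.51.100.9:5555 -> 192.168.69.246:53",
]

# The failregex lines from the filter, verbatim. fail2ban replaces <HOST>
# with its own host pattern; here a named IPv4 group stands in for it
# (an assumption for this check, it does not cover IPv6 or hostnames).
FAILREGEX = [
    r"^.*\[1\:2016016\:.*\].*? \{UDP\} <HOST>\:.*?",
    r"^.*\[1\:2101616\:.*\].*? \{UDP\} <HOST>\:.*?",
    r"^.*\[1\:2009702\:.*\].*? \{UDP\} <HOST>\:.*?",
    r"^.*\[1\:2030555\:.*\].*? \{UDP\}.*\-\> <HOST>\:.*?",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# fail2ban strips the timestamp matched by datepattern before applying the
# failregex; because every regex starts with ^.* the lines also match with
# the timestamp left in, so this check does not bother removing it.
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]


def matched_hosts(lines):
    """Return (line_index, rule_sid, host) for every line some failregex
    matches; `host` is the address fail2ban would pass to the ban action."""
    hits = []
    for i, line in enumerate(lines):
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                sid = re.search(r"\[1:(\d+):", line).group(1)
                hits.append((i, sid, m.group("host")))
                break  # first matching failregex wins, as in fail2ban
    return hits


if __name__ == "__main__":
    for idx, sid, host in matched_hosts(SAMPLE_LOG):
        print(f"line {idx}: SID {sid} -> would ban {host}")
```

Running it reports 72.196.10.7 for the 2030555 line and 2.57.122.98 for the 2009702 line, and nothing for the uncovered SID; `fail2ban-regex /data01/var/log/suricata/fast.log <filter-file>` is the tool to confirm the same against the real log.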