mrash / fwsnort

Application Layer IDS/IPS with iptables
http://www.cipherdyne.org/fwsnort/
GNU General Public License v2.0

OT: fail2ban #12

Closed mgaulton closed 8 years ago

mgaulton commented 8 years ago

I had a thought that the parsing you already do might be useful in another way. I use fail2ban, which monitors logs and builds iptables rules after x number of occurrences. It uses regex, but I could imagine building those regexes for the log monitoring would be useful using the snort rules as a basis. Execution time would be the biggest challenge, but my thought is that having 10k rules in your firewall as opposed to having regexes applied to the logs might be an apples to apples difference, but might be more flexible as it's not in memory.

mrash commented 8 years ago

iptables logs by themselves don't have enough information to just parse according to what a Snort rule says. The biggest gap is that iptables logs don't include application layer information, and over 90% of all Snort rules require a payload match.
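As an added illustration of the gap described above (this is example code, not part of fwsnort or psad): the script parses a constructed iptables LOG line and two constructed Snort-style rules with placeholder SIDs, and shows that a header-only rule can be checked against the log line while any rule carrying a payload option such as `content` or `pcre` cannot, because the log holds no payload bytes.

```python
import re

# Constructed iptables LOG line (not taken from the thread). Everything the log
# knows about the packet is a KEY=VALUE header field or a bare TCP flag word.
LOG_LINE = ("Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=40000 DPT=80 "
            "WINDOW=29200 RES=0x00 SYN URGP=0")

# Snort rule options that inspect packet payload; none of this is in a LOG entry.
PAYLOAD_OPTIONS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}
# Snort 'flags' letters mapped to the flag words iptables writes into the log.
SNORT_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_iptables_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line plus the set of TCP flag words."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["FLAGS"] = set(re.findall(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b", line))
    return fields

def parse_snort_rule(rule):
    """Split a Snort rule into header fields and an option dict (simplified: no ';' inside values)."""
    header, _, body = rule.partition("(")
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    options = {}
    for opt in body.rstrip(")").split(";"):
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            options[key] = value.strip().strip('"')
    return {"proto": proto.upper(), "dport": dport, "options": options}

def log_matchable(rule, log_fields):
    """Decide whether a LOG line can satisfy the rule at all; returns (verdict, reason)."""
    r = parse_snort_rule(rule)
    needs_payload = sorted(set(r["options"]) & PAYLOAD_OPTIONS)
    if needs_payload:
        return False, "needs payload option(s) %s; iptables logs carry no payload" % needs_payload
    if log_fields.get("PROTO") != r["proto"]:
        return False, "protocol mismatch"
    if r["dport"] != "any" and log_fields.get("DPT") != r["dport"]:
        return False, "destination port mismatch"
    wanted = {SNORT_FLAG_NAMES[c] for c in r["options"].get("flags", "") if c in SNORT_FLAG_NAMES}
    if not wanted <= log_fields["FLAGS"]:
        return False, "TCP flags mismatch"
    return True, "header-only rule; matchable from the log line"

if __name__ == "__main__":
    fields = parse_iptables_log(LOG_LINE)
    # Constructed rules with placeholder SIDs; the first needs payload, the second does not.
    for rule in ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed"; content:"GET /admin"; sid:1000001;)',
                 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed"; flags:S; sid:1000002;)'):
        print(log_matchable(rule, fields))
```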

mrash commented 8 years ago

My 'psad' project (https://www.cipherdyne.org/psad/) goes about as far as it is possible to go with parsing iptables logs.

mgaulton commented 8 years ago

Cool. I'll take a look.