Share this post:
Accepted AnswerNick HowittOfflineDo you really mean the IPS or the Attack Detector? Either way they are just use firewall rules in combination with ipset. It looks like the snortsam_EGRESS and snortsam_INGRESS ipset lists just contain lists of IP's so they should be easily hackable. snortsam_SELF is a list of ip,port,ip so I don't know what should go in there. I would not however go down this route as it looks like all entries time out after 3600s so you won't get a permanent block.
You could go down the Custom Firewall rule route for individual firewall rules or do something like I used to do until I became bored with it. Create a file like /etc/clearos/firewall.d/95-custom_blocks and in it put something like:
Adjust the firewall to suit what you want. The ipset blocks can be either IP address or subnets.
ipset create custom-block hash:net -exist
ipset flush custom-block
if [ "$FW_PROTO" == "ipv4" ]; then true
$IPTABLES -I INPUT -m set --match-set custom-block src -m state --state NEW -j DROP
#$IPTABLES -I INPUT -m set --match-set custom-block src -m state --state NEW -j LOG --log-prefix "Custom_Block"
ipset add -exist custom-block 188.8.131.52/22
ipset add -exist custom-block 184.108.40.206/21
ipset add -exist custom-block 220.127.116.11/21
ipset add -exist custom-block 18.104.22.168
ipset add -exist custom-block 22.214.171.124