
List:       oisf-users
Subject:    Re: [Oisf-users] Block any uploading
From:       "Cooper F. Nelson" <cnelson () ucsd ! edu>
Date:       2016-03-18 19:54:57
Message-ID: 56EC5D11.7060603 () ucsd ! edu

I haven't tried it personally, but here are the details on using
Suricata's GeoIP functionality.

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/GeoIP

So if you were running Suricata in IPS mode you could write a 'drop'
rule to detect file uploads via the web and then add a negation rule to
only allow Singapore IPs.  E.g. geoip:src,!SG

*But*, I personally wouldn't do this via Suricata.  I would use a
reverse proxy (like Squid), or mod_security, so that blocked users would
get a web page telling them why their upload was blocked.

-Coop

On 3/17/2016 12:07 PM, Mesra.net CEO wrote:
> That rule is a filter by geoip so that only Singapore IPs are allowed to
> upload any files via the web; the rest will be denied. How can I make a
> Suricata rule with my requirement?
>  
> Please help and thank you so much


-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson@ucsd.edu x41042
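
The drop-plus-negated-geoip approach described in the message above, written out as a rule file. This is an added example, not part of the original post or of the Suricata project's rules; it assumes Suricata runs inline (IPS mode) and was built with GeoIP support, that $EXTERNAL_NET and $HTTP_SERVERS are defined in suricata.yaml, and the sids and msg strings are constructed local values.

```suricata
# Added example (not from the original post). Assumptions: inline/IPS mode,
# GeoIP support compiled in, $EXTERNAL_NET and $HTTP_SERVERS set in
# suricata.yaml, sids taken from the local range.

# Drop form-based file uploads (multipart/form-data POST carrying a file part)
# unless the source address geolocates to Singapore.
# geoip:src,!SG matches every source country except SG.
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"LOCAL web file upload from outside SG (POST multipart)"; flow:established,to_server; content:"POST"; http_method; content:"multipart/form-data"; http_header; nocase; content:"filename="; http_client_body; nocase; geoip:src,!SG; classtype:policy-violation; sid:1000001; rev:1;)

# Same policy for uploads sent with HTTP PUT.
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"LOCAL web file upload from outside SG (PUT)"; flow:established,to_server; content:"PUT"; http_method; geoip:src,!SG; classtype:policy-violation; sid:1000002; rev:1;)
```

The geoip keyword evaluates the source address Suricata sees on the wire, so behind a CDN or load balancer it is that device's address being geolocated, and HTTPS uploads are only visible if TLS is terminated in front of the sensor.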


